Feedly Android App Javascript Injection vulnerability exposed Millions of Users to Hackers
When it comes to Android apps, even the simplest app could greatly compromise your privacy and security.

Injecting malicious JavaScript into Android applications has drawn an increased attention from the hacking community as its market share spikes. According to security researcher Jeremy S. from Singapore, a critical vulnerability in the Feedly app left millions of android app users vulnerable to the JavaScript infections.

Feedly is a very popular app available for iOS and Android devices, also integrated into hundreds of other third party apps, which offers its users to browse the content of their favourite blogs, magazines, websites and more at one place via RSS feed subscriptions. According to Google Play Store, more than 5 Million users have installed Feedly app into their Android devices.

In a blogpost, the researcher reported that Feedly is vulnerable to JavaScript injection attack, which is originally referred as 'cross-site scripting' or XSS vulnerability, allows an attacker to execute any JavaScript code on client-side. JavaScript is a widely used technology within the websites and web based applications, but it is use not only for the good purposes, but for the malicious purposes as well.

Feedly app was failed to sanitize the Javascript code written in the original articles on subscribed websites or blogs, that left millions of their feed subscribers open to the injection attacks. Researcher demonstrated that the vulnerability allows an attacker to execute the malicious JavaScript code within the Feedly app at the users’ end. So, if a user browses an article via Feedly that might include the malicious javascript code, the users unknowingly give leverages to an attacker to carry out malicious activities against themselves.
The android app does not sanitize JavaScript codes and interprets them as codes. As a result, allows potential attackers to perform JavaScript code executions on victim's Feedly android app session via a crafted blog post,” the researcher wrote. He added, “Attacks can take place only when user browses the RSS-subscribed site's contents via the Feedly android app.”

A malicious JavaScript injection allows an attacker to do a number of things, to modify or read cookies, temporarily edit web page contents, to modify web forms, to inject tracking codes or exploits codes in order to infect the Android users.

He discovered the vulnerability on 10th March and reported it to Feedly, which was then acknowledged by them and fixed on 17th March 2014. But they didn't mention any vulnerability fix in their change logs on Google Play Store. So, the users who have not enabled automated updates from Play Store, should manually update installed Feedly app as soon as possible.

To Subscribe 'The Hacker News' latest updates via Feedly - Click Here.

In the mid of last year a Group of Russian Hackers were accused for allegedly infiltrating the computer networks of more than a dozen major American and international corporations and stole 160 million credit card and debit card numbers over the course of seven years, which were then resold to third parties buyers.

WANTED IN U.S AND RUSSIA
A Rotterdam court in Netherlands ruled that simultaneous requests from the U.S. and Russia for the extradition of the Russian hacker Vladimir Drinkman were admissible, who is accused of being involved to lead the largest data theft case ever prosecuted in the U.S history, Bloomberg report.

But it’s not yet clear why Russia demands Drinkman’s extradition, "It’s now up to the minister of justice to decide on the extradition, and to decide which country." court ruled.

The investigators identified that the defendants have been infiltrating computer networks across the globe since at least 2007, including firms in New Jersey, where the first breach was detected. The group would then allegedly install “sniffers” within the networks to automatically obtain electronic data from tens of thousands of credit cards. And after stealing data, they sold it to resellers, who then sold it through online forums or to individuals and organizations.

GROUP OF FIVE BEHIND THE U.S's BIGGEST HACKING CASE
The group of hackers involved four Russian hackers Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, and one Ukrainian Mikhail Rytikov.

According to the officials, it is estimated that the attack on the global payment system resulted in the theft of more than 950,000 cards and losses of hundreds of millions of dollars, which is probably the biggest hacker attack in the US history, said the prosecutors.

Drinkman and Smilianets are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud with three other men, Aleksandr Kalinin, Roman Kotov and Mikhail Rytikov. All the four Russians are also charged with multiple counts of unauthorized computer access and wire fraud.

Drinkman, the subject of an extradition hearing was helping to lead the attack and was one of five people accused of hacking 17 retailers, financial institutions and payment processors, including 7-Eleven Inc., Nasdaq OMX Group Inc. , Carrefour SA and J.C. Penney Co., to steal more than 160 million credit- and debit-card numbers, the report stated.

The other man Smilianets was involved in personal identifying the information such as usernames and passwords, personal identification, and credit and debit card numbers, and personal ID information of cardholders. He then sold that information to resellers, the U.S. said.

Smilyants and Drinkman were arrested by the authorities of the Netherlands in 2012, from those Smilyants was extradited weeks later to the U.S., where he declared a not-guilty plea and has been in U.S. custody since.

Hacker exploits Heartbleed bug to Hijack VPN Sessions
Cyber criminals have explored one more way to exploit Heartbleed OpenSSL bug against organisations to hijack multiple active web sessions conducted over a virtual private network connection.

The consulting and incident response Mandiant investigated targeted attack against an unnamed organization and said the hackers have exploited the “Heartbleed” security vulnerability in OpenSSL running in the client’s SSL VPN concentrator to remotely access active sessions of an organization's internal network.

The incident is the result of attacks leveraging the OpenSSL Heartbleed vulnerabilities, which resides in the OpenSSL’s heartbeat functionality, if enabled would return 64KB of random memory in plaintext to any client or server requesting for a connection. The vulnerability infected almost two-third of internet web servers, including the popular websites.

Recently, there has been an arrest of a Canadian teen of stealing usernames, credentials, session IDs and other data in plaintext from the Canada Revenue Agency by exploiting the Heartbleed OpenSSL bug. This shows that there may have been more active cyber criminals out there using the Heartbleed bug to steal private data and take over web sessions.

The hacker successfully stolen active user session tokens in order to bypass both the organization’s multifactor authentication and VPN client software used to validate the authenticity of systems connecting to the VPN were owned by the organization and running specific security software.

Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” wrote Mandiant investigators Christopher Glyer and Chris DiGiamo. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.

OpenVPN previously warned that it could be vulnerable to attack since the open source VPN software uses OpenSSL by default.

According to the firm, it is clear that the Heartbleed attack is not traceable, and the bug returns only 64KB of memory for each heartbeat request, but in order to fetch useful data an attacker need to send a continuous chain of requests, and in this situation, an IDS signature specifically written for Heartbleed triggered more than 17,000 alerts during the intrusion.

The researchers posted the evidence for the assurance that the attacker they tracked had "stolen legitimate user session tokens":
  • A malicious IP address triggered thousands of IDS alerts for the Heartbleed vulnerability destined for the victim organization's SSL VPN.
  • The VPN logs showed active VPN connections of multiple users rapidly changing back and forth, "flip flopping", between the malicious IP address and the user's original IP address. In several cases the "flip flopping" activity lasted for multiple hours.
  • The timestamps associated with the IP address changes were often within one to two seconds of each other.
  • The legitimate IP addresses accessing the VPN were geographically distant from malicious IP address and belonged to different service providers.
  • The timestamps for the VPN log anomalies could be correlated with the IDS alerts associated with the Heartbleed bug.
Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization,” the researchers wrote.

The Mandiant researchers recommended all organizations running both remote access software and appliances vulnerable to the Heartbleed exploit to immediately identify and upgrade with the available patches and review their VPN logs to know if an attack had occurred in the past or not.

Warning: Malware Campaign targeting Jailbroken Apple iOS Devices
A new piece of malicious malware infection targeting jailbroken Apple iOS devices in an attempt to steal users’ credentials, has been discovered by Reddit users.

The Reddit Jailbreak community discovered the malicious infection dubbed as ‘Unflod Baby Panda’, on some jailbroken Apple iOS devices on Thursday while a user noticed an unusual activity that the file was causing apps such as Snapchat and Google Hangouts to crash constantly on his jailbroken iPhone.

CHINA WANTS YOUR APPLE ID & PASSWORDS
Soon after the jailbroken developer uncovered the mysteries ‘Unfold.dylib’ file and found that the infection targets jailbroken iOS handsets to captures Apple IDs and passwords from Internet sessions that use Secure Socket Layer (SSL) to encrypt communications and is believed to be spreading through the Chinese iOS software sites, according to the researchers at German security firm SektionEins.

The researchers found that the captured login information is been sent to some server of the Internet Protocol (IP) address “23.88.10.4”, which is suspected to be controlled by the individuals in China, as the malware developer certificate is found digitally signed by the name Wang Xin.
"Currently the jailbreak community believes that deleting the Unfold.dylib binary and changing the apple-id's password afterwards is enough to recover from this attack. However it is still unknown how the dynamic library ends up on the device in the first place and therefore it is also unknown if it comes with additional malware gifts," the researchers wrote while inspecting the infection. "We therefore believe that the only safe way of removal is a full restore, which means the removal and loss of the jailbreak," they added.
Immediately after the thread at the Reddit jailbreak community was started, several developers in the community warned the users to not touch the software, which they suspected was a malware. While the researchers noted that the manual removal of the malware infection is possible.

AFFECTED DEVICES
The iPhone owners using iPhone 5 and any other 32-bit jailbroken iOS device handset might be affected, who are advised to change their Apple ID password after the removal of the malicious software using the steps mentioned below.

However, the iPhone owners using latest 64-bit iOS devices such as iPhone 5S, iPad Air and iPad Mini Retina might not be affected by the malware.

HOW TO REMOVE MALWARE
  • Download the iFile app for free from Cydia and by using iFile, check whether your device is affected by the malicious software or not.
  • Navigate to /Library/MobileSubstrate/DynamicLibraries/
  • If you spot any files named Unflod.dylib or Unflod.plist and/or framework.dylib and framework.plist then you have been affected.
  • Use iFile to delete Unflod.dylib and Unflod.plist and/or framework.dylib and framework.plist
  • Reboot your device and then change your Apple ID password and security questions immediately and just to be on safe side, use two-step verification method and avoid installing apps from untrusted sources.
for details of removal click here.

Yet, most iPhone users are not vulnerable to the malicious malware as the infection requires the user’s handset to be jailbroken in order to be installed in the victim’s device. Also the malware has not been spotted on any of the apps on the Apple iOS App Store , THANKS to Apple's tight control of the App Store approval process.

Satellite Communication (SATCOM) Devices Vulnerable to Hackers
The growing threat of cyber-attacks and network hacking has reached the satellite-space sector, posing a growing challenge to the satellite operators. Because the satellite system are the critical components for the Nation to a modern military, they have become an attractive target of cyber attacks.

A security firm uncovered a number of critical vulnerabilities, including hardcoded credentials, undocumented and insecure protocols, and backdoors in the widely used satellite communications (SATCOM) terminals, which are often used by the military, government and industrial sectors.

By exploiting these vulnerabilities an attacker could intercept, manipulate, block communications, and in some circumstances, could remotely take control of the physical devices used in the mission-critical satellite communication (SATCOM).

Once the attacker gained the access of the physical devices used to communicate with satellites orbiting in space, he can completely disrupt military operations and flight-safety communications of mission-critical satellite communications (SATCOM), researchers have warned in a 25-page white paper titled “A Wake-up Call for SATCOM Security,” published Thursday by the Security consultancy IOActive.

Thousands of SATCOM devices found to be vulnerable and even if one of the affected devices compromised, the entire SATCOM infrastructure could be at risk, including Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.).

IOActive reported various vulnerabilities in Tactical Radios & Networking Terminals, including:
  • Harris BGAN Terminals
  • Hughes BGAN M2M Terminals
  • Cobham BGAN Terminals
  • Marine VSAT and FB Terminals
  • Cobham AVIATOR
  • Cobham GMDSS Terminals
According to the Guardian, British manufacturers Cobham and Inmarsat, as well as Harris Corporation, Hughes and Iridium in the US made such satellite systems that were easily hackable, and any foreign government or agency can track and target the location of units and soldiers.

According to the researchers, Harris RF-7800B terminals that offers a high-performance satellite solution for voice and data connectivity to military is also vulnerable to cyber attacks and successful exploitation could allow an attacker to install malicious firmware or execute arbitrary code.

Reported vulnerabilities also affect the US military aircraft equipped with the Cobham AVIATO, which is designed to meet the satellite communications needs of aircraft and a malicious attacker could disrupt flight communication.

IOActive is currently working with government CERT Coordination Center to alert each manufacturer to the security holes they discovered. "Until patches are available, vendors should provide official workarounds in addition to recommended configurations in order to minimize the risk these vulnerabilities pose." IOActive advised.

Several Tor Exit Nodes Vulnerable To Heartbleed Vulnerability
Half of the Internet fall victim to the biggest threat, Heartbleed bug and even the most popular online anonymity network Tor is also not spared from this bug.

Tor is one of the best and freely available privacy software, runs on the network of donated servers that lets people communicate anonymously online through a series of nodes that is designed to provide anonymity for users and bypass Internet censorship.

When you use the Tor software, your IP address remains hidden and it appears that your connection is coming from the IP address of a Tor exit relay or nodes, which can be anywhere in the world. An Exit relay is the final relay that Tor encrypted traffic passes through before it reaches its destination.

But some of these Tor exit nodes are running on the servers with the affected version of OpenSSL installed which are vulnerable to the critical Heartbleed Flaw. This means an attacker can grab the hidden information from the Tor network which is actually restricted by the Tor service, making it no more anonymising service.

Heartbleed is a critical bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory, potentially revealing users data in the plaintext, that the server did not intend to reveal.

By exploiting Heartbleed bug on the affected nodes, anyone could find the internal information relating to Tor network that could compromise the security and privacy of the whole network.

In response to this threat, Tor Project leader as well as Tor’s co-developer Roger Dingledine, has rejected 380 vulnerable exit nodes suggesting on the Tor mailing list that the exit nodes running the vulnerable versions of OpenSSL should be blacklisted from the network.

"If the other directory authority operators follow suit, we'll lose about 12% of the exit capacity and 12% of the guard capacity," he writes on the software's mailing list.

Tor promises anonymity to its network users by using proxies to pass encrypted traffic from the source to destination, but the heartbleed bug gives all the hackers privilege to exploit a vulnerable exit node in order to obtain the traffic data, making its users exposed on the Internet.

The first list of rejected exit nodes is released by the Dingledine and he stressed that the affected nodes will not be allowed back on the network even after being upgrade.

I thought for a while about trying to keep my list of fingerprints up-to-date (i.e. removing the !reject line once they've upgraded their openssl), but on the other hand, if they were still vulnerable as of yesterday, I really don't want this identity key on the Tor network even after they've upgraded their OpenSSL,” Dingledine wrote.

Tor service was also targeted by the U.S. intelligence agency NSA, revealed by a classified NSA document titled ‘Tor Stinks’ leaked by Edward Snowden. The document shows the interest of NSA in tracking down all Tor users and monitoring their traffic.

Also the recent allegations on the agency using the Heartbleed bug from years to gather information suggests the agency may have used it to track down Tor users. Although the NSA denied the claims of exploiting the Heartbleed bug in order to gather any type of information.

Also Read: How a 19-Year-Old Teenager arrested for Exploiting the most critical Heartbleed Bug to steal private information from the Canada Revenue Agency (CRA) website.