Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Saturday, March 09, 2013 Mohit Kumar

Google Drive is the new home for Google Docs, that users can access everywhere for Storing files safely. In a recent demonstration hacker successfully performed an attack on Google Docs to trick users to grab their Facebook, Gmail, Yahoo credentials with Credit Card Information.

Security researcher Christy Philip Mathew came up with combination of Clickjacking and CSRF vulnerabilities in Google's Docs that can allow a hacker to create a document in victim's Drive for further phishing attack.

For those who are not aware about Clickjacking, It is a technique where an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
He explain how this technique can be executed to pwn a Google user to steal victim's all type of credentials with a phishing attack. Here attacker need to send a Malicious URL to the victim, where victim needs to interact with some buttons only.

Vulnerability allow hacker to trick Google user to create an document in victim's drive, which is actually owned by attacker and the victim. To perform a successful phishing attack, an attacker can carefully craft that document maliciously.

POC uploaded here and Demonstration Video as shown below:

After analyzing the possible threats of this vulnerability, I prepare an example for THN readers, where attacker can rename the document to something "Google GooPass" (imaginary service for storing passwords and important information secretly in Google drive) and crafted a simple design that can phish users to enter their Credit card information, Google, Facebook username password etc, as shown below:


Victim can be led to believe that it's a Google default file or Service to save all type of personal information secretly at one location. Because attacker and victim, both are the owner of this new file, where attacker can make the document public for further access after removing himself from ownership of that document.

At the end, victim is only owner of the document (which is now public) and if phishing attempt works, hacker will be able to see all updates remotely, anytime - anywhere!

Note : 
  1. Vulnerability is not fixed yet, we urge Google to fix this as soon as possible to assure maximum security to Google users.
  2. There is no Google service called 'Google GooPass', the term is just used to trick victim for phishing purpose.

Thursday, December 27, 2012 Anonymous

cPanel is a Unix based fully featured popular web based hosting account control panel that helps webmasters to manage their domains through a web browser. The latest version of cPanel & WHM is 11.34, which is vulnerable to multiple cross site scripting.

During my bug hunting process, today I (Christy Philip Mathew) discovered some serious XSS vulnerabilities in  official cPanel, WHM. It also impact on the latest version of software.

This week, Rafay Baloch (Pakistani white hat hacker) also discovered another reflective cross site scripting vulnerability in cPanel at manage.html.

The interesting part would be the whole demonstration I done with the Official cPanel Demo located at http://cpanel.net/demo/ location, can be accessed via demo user & password provided by cPanel website itself i.e. http://demo.cpanel.net:2086/login/?user=demo&pass=demo

These vulnerabilities actually affect the logged in users. Proof of Concept and screenshots are as shown below:

Cross Site scripting in Official WHM
  1. Login to WHM via : http://demo.cpanel.net:2086/login/?user=demo&pass=demo
  2. In left panel, click 'Server Configuration' and then 'Basic cPanel & WHM Setup' and new page will ask user to fill 4 Nameservers values regarding domain.
  3. Enter alert JavaScript in any of these four text boxes, as shown below and Submit




Cross Site scripting in Official cPanel
  1. Access the Official Cpanel Demo at http://x3demob.cpx3demo.com:2082/login/?user=x3demob&pass=x3demob
  2. Once logged in , access Bandwidth Transfer Detail (detailbw.html), and inject JavaScript in parameter "domain" or one can access this URL.



Cross Site scripting in WebMail server
  1. Similar way, access demo Webmail via URL : http://x3demob.cpx3demo.com:2082/xferwebmail/
  2. Once logged in XSS Vulnerable URL is : Click Here
  3. Here on page clientconf.html , the parameter "acct" is not filtered properly , as shown



More Details

  • Product: Cpanel & WHM
  • Security-Risk: High
  • Remote-Exploit: yes
  • Vendor-URL: http://www.cpanel.net
  • Affected Products: Cpanel's Latest Version
  • Solution: Proper input sanitisation.
  • Discovered by: Christy Philip Mathew, Security researcher @ The Hacker News
Photo of Mohit Kumar Hacker News - Founder and Editor-in-Chief of 'The Hacker News'. Cyber Security Analyst, Information Security Researcher, Developer and Part-Time Hacker. ()

Tuesday, November 13, 2012 Mohit Kumar

Bug Bounty program, where white hat hackers and researchers hunt for serious security vulnerabilities and disclosing them only to the vendor for a patch , In return vendors rewards them with money.

Various famous websites like Facebook , Google , Paypal , Mozilla, Barracuda Networks and more other giving away bug bounties in thousands of Dollars to hackers for finding vulnerabilities.

Most common vulnerabilities reported maximum time on various sites is Cross site scripting and each month hackers submit lots of such vulnerabilities to companies.

In case your report is duplicate, i.e. Someone else before you submit the same vulnerability - company will reject you from the bug bounty program. But there is no proof or an open Panel where hacker can verify that is someone already reported for same bug before or not. If company reply you - "The bug was already discovered by another researcher" , can you do anything  even after knowing that you are very first person who found it ? I guess, NO !

Something similar happens to me even 17 times this year, when I ( Mohit Kumar ) reported various bugs in Google and Facebook , and always reply was - "We are aware about the issue, so you are not eligible for bounty program". The Question is, THEN WHY THE HELL YOU ARE STILL VULNERABLE ?
Paypal being the largest eCommerce business offer's Bounty to its security researcher's for reporting the vulnerabilities discovered and keeping it confidential. One of my close friends and Security researcher Christy Philip Mathew discovered total 8 vulnerabilities in Paypal this year, out of which 6 'The Hacker News' reported directly without going for Bug Bounty Program and latest two he submitted to PayPal before this disclosure article.

This time reply was same, "According to the terms and conditions Bounty is awarded to the first person that discovers the previously unknown bug."

The two vulnerabilities submitted by Christy was Cross site scripting in https://ic.paypal.com and iFrame Vulnerability at https://cms.paypal.com . 

XSS was reported on 12th October 2012 and Paypal replied on 16th October 2012 ( 4 days to think that, should we give bounty to this guy ? ) With message "We regret to inform you that your bug submission was not eligible for a bounty for the following reason. The bug was already discovered by another researcher". On asking, can you proof or provide contact of that researcher who find it before him,  there was not a single reply from Paypal after that.

Where as iFrame was reported on 10th October 2012 and Paypal reply on 7th November 2012 ( 1 month almost to discuss with founder that, if they ran out of budget this year then should we again reject to give bounty ? ). So, again the reply was - "The bug was already discovered by another researcher".

Are bounty programs playing fair with hackers and researchers ? We agree that there are millions of dollars distributed to hackers under the bug bounty program, but can anyone prove that they are paying for each and every legitimate submission ?

Majority of chances that, companies are not paying for each bug to the hunters and replying them - "we know about the issue". Well here hacker can prove this, Please note that - two vulnerabilities were reported by my friend to Paypal about 34 Days ago from the time of writing this article and even Paypal security team replied that they know the bugs, but still these vulnerabilities are working and Live.

For Readers we are going to disclose the Links below (Because now a hacker is not eligible for Bounty and Paypal team is really not serious about security of their own users)

Link for iFrame : Click Here (Open in Firefox)
Link for Cross site scripting : Click Here (Open in Firefox)
(Update: XSS fixed by PayPal just after posting this disclosure, but iFrame still working)

Screenshots are given below:


The Hacker News always motivates hackers to first Disclose vulnerabilities to vendors, because we take SECURITY IN A SERIOUS WAY. But what inspire hackers to sell stuff to underground market or to do PUBLIC DISCLOSURE is an irresponsible response of the Administrators.

Thousands of sites, programs and servers are today still vulnerable to hackers and there were researchers who contributed to the security of same companies even before the bounty program began.

One more thing, I want to mention here that - If we look Bug Bounty White Hat Hackers Lists, you will find 50% of reward hackers who even don't know how to code a website in PHP or ASP , but they are a hacker !  (Note: Rest 50% are much good in knowledge and I respect most of them like My other friend Avram Marius - known for Hunting hundreds of Bugs). 

At least I would like to suggest big companies to make a transparent Bug Bounty Panel where hackers can at least see that, before them someone really submit similar bug and companies should at least fix/restrict the venerable pages as soon as possible.

Note : Today we also report about a Cross Site scripting bug in Apple.com and reported the Apple Security Team, Reply was,"We already aware about the issue, Thank you" - Question is still same, then Why you didn't take any quick action ? And Even if I was the second person to inform about that, then why the bug is exploitable till now ?

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!