Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Friday, October 09, 2015 Swati Khandelwal

WordPress-Brute-Force-Amplification-Attack
Most of the times, we have reported about WordPress vulnerabilities involving vulnerable plugins, but this time security researchers have discovered Brute Force Amplification attacks on the most popular CMS (content management system) platform.

Researchers from security firm Sucuri have found a way to perform Brute Force amplification attacks against WordPress' built-in XML-RPC feature to crack down administrator credentials.

XML-RPC is one of the simplest protocols for securely exchanging data between computers across the Internet. It uses the system.multicall method that allows an application to execute multiple commands within one HTTP request.

A number of CMS including WordPress and Drupal support XML-RPC.

But…

The same method has been abused to amplify their Brute Force attacks many times over by attempting hundreds of passwords within just one HTTP request, without been detected.

Amplified Brute-Force Attacks


This means instead of trying thousands of usernames and password combinations via login page (which can be easily blocked by banning IPs), hackers can use the XML-RPC protocol in conjunction with the system.multicall method that allows them to:
  • Go undetected by normal brute-force mitigation products
  • Try hundreds of thousands of username and password combinations with few XML-RPC requests.
"With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts," Sucuri's researchers wrote in a blog post.
WordPress-Brute-Force-Amplification-Attack
The company witnessed the first attack of this kind at the beginning of last month, which then sky-rocketed to around 60,000 per day by the start of this month.

How to Prevent Brute-Force Amplification Attack via XML-RPC


To protect yourself against such threat, simply block all access to XML-RPC.

If you are not using any plugin that uses the xmlrpc.php file, just head on to rename/delete it. But, if you are using plugins such as JetPack, blocking xmlrpc.php may result in some broken functionality on your website.

So, webmasters could block XML-RPC system.multicall requests using a WAF (web application firewall). This will protect you against the amplification methods.

Friday, January 02, 2015 Mohit Kumar

Hacker Released 'iDict' Tool That Can Hack Your iCloud Account
Hackers have a great start of new year 2015, giving a public threat to Apple’s online iCloud service. A hacker using the handle "Pr0x13" has released a password-hacking tool to GitHub website that assures attackers to break into any iCloud account, potentially giving them free access to victims’ iOS devices.

The tool, dubbed iDict, actually makes use of an exploit in Apple's iCloud security infrastructure to bypass restrictions and two-factor authentication security that prevents brute force attacks and keeps most hackers away from gaining access to users’ iCloud accounts.

Yes, the brute force security flaw in Apple’s iCloud file storage service that was responsible for celebrity nude photos leak, including Kim Kardashian, Vanessa Hudgens, Jennifer Lawrence, Rihanna, Kristin Dunst and Kate Upton, late last year.

Pr0x13 claims iDict to be a "100 percent" effective and simple to use method of cracking individual iCloud account login credentials. So, those using easy-to-guess passwords on their iCloud account are in more danger than those using a complex chain.

Despite countless warnings and advices in the past, online users are continuously using a weak strength of password chains such as "password," "12345678," "qwerty," "abc123," and "iloveyou", expecting that they couldn’t be a target of hack. But, now they need to worry about it.

iDict, currently hosted at GitHub, is limited by the size of the dictionary the tool uses to guess the password. At the time, the dictionary file only contains 500-word-long list of passwords. This means whilst it will succeed "100%" at trying 500 times over, the tool is by no means guaranteed to succeed at cracking your password. So if you are the one from the given 500-word-long list, your iCloud account is really at risk.

There is quite a low chance that this attack will actually work, but the attack would become an issue if someone with large set of resources gets access to the source code. A hacker with a much larger list of passwords might be able to compromise more accounts, however, we hope that Apple will patch this issue before this happens.

So far, we haven’t heard about any fallout from the release of the exploit, but users on Twitter and online discussion forum Reddit are saying that iDict is working as intended.

Pr0x13 says his intentions were only to alert Apple about the vulnerability, so that the company could fix the problem as soon as possible. The tool , according to the hacker, has been released to force Apple to act on the issue and nothing else. The company needs to fix the "painfully obvious" vulnerability before it's "privately used for malicious or nefarious activities," Pr0x13 explains on GitHub.

Apple needs to act fast on the issue to avoid another controversy like the celebrities' nude photo scandal of 2014, in which the brute force attack gave hackers access to countless personal and nude photographs of a number of high-profile celebs.

But, you just can’t rely fully on the company regarding your online security. As a precaution, first make sure that your password does not appear in Pr0x13’s password file and if it is change it immediately. Also change your password if you use a weak password! Moreover, enable two-factor authentication on all your accounts, if you haven't already.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!