Trick or threat: De la confianza al sexting, la extorsión y el ciberacoso.

El pasado 31 de Noviembre fuimos invitados por la comunidad de Women Who Code Mexico City para dar una charla relacionada a la Seguridad Informática en las oficinas de Linio México.

Nuestra charla se enfocó en 3 temas “Sexting, extorsión sexual y el Ciberacoso“, ya que en los últimos años, los casos de extorsión sexual y el ciberacoso por parte de ex-parejas (principalmente) han aumentado considerablemente.

Continue reading “Trick or threat: De la confianza al sexting, la extorsión y el ciberacoso.”

Share

PAYFORT – Multiple Security Issues and Concerns in a PCI/DSS compliant payment processor SDK!

TL;DR A year ago we have been contacted by one of our clients from Middle east regarding looking for/implementing a payment processing solution for their own eCommerce solution and asked us to assist them in order to give them some candidates working in the same field in the middle east but we refused because our job is to assess not to suggest specific names, they suggested us some names but one among those names were a name-with-a-reputation but they ended up not choosing this name due to insecure implementation.

Continue reading “PAYFORT – Multiple Security Issues and Concerns in a PCI/DSS compliant payment processor SDK!”

Share

تحقيق وتحليل تقنى: جريدة الاهرام النسخة الانجليزية تقوم بإستخدام اجهزة الزوار لتعدين عملات رقمية بتكنيك مختلف وجديد!

موضة جديدة اتبعتها المواقع حديثا وهيا الكسب من خلال تعدين العملات الرقمية بدلا من استخدام اعلانات Google Ads او اى خدمة اعلانات اخرى على امل تحقيق مكسب اسرع، فى التحقيق دا هنتكلم عن جريدة “الاهرام اونلاين” وتعدين العملات الرقمية، واحد من متابعينا بتاريخ ٩ نوفمبر ٢٠١٨ بعتلنا على الصفحة الرسمية ل Seekurity ان موقع “جريدة الاهرام اونلاين النسخة الانجليزية” فيه مشكله وانه كل ما بيدخله اللابتوب بتاعه بيبدأ يبقى بطئ ويسخن، اول ما شوفت الرسالة وبدون حتى اى تفكير عرفت ان الموقع بيقوم بعمل تعدين لعملة رقمية ما.

Continue reading “تحقيق وتحليل تقنى: جريدة الاهرام النسخة الانجليزية تقوم بإستخدام اجهزة الزوار لتعدين عملات رقمية بتكنيك مختلف وجديد!”

Share

CryptoJacking by Clickjacking: Bypassing Coinhive OPT-IN feature and trick users into Cryptocurrency mining!

Today’s discovery is not a big deal too, just another Clickjacking in the world, but this time in the newly added “OPT-IN” feature by coinhive and authedmine but first let’s know some terms before we begin.

What is Coinhive?

Coinhive is a cryptocurrency mining service that relies on a small chunk of javascript code designed to be installed on Web sites.

Continue reading “CryptoJacking by Clickjacking: Bypassing Coinhive OPT-IN feature and trick users into Cryptocurrency mining!”

Share

Hak5 C2 (Cloud Command and Control) Self-hosted Server ClickJacking Vulnerability

Today’s discovery is not a big deal, just another Clickjacking in the world, this time in Hak5’s C2 (Cloud Command and Control) Server

First, let us know what is Hak5’s C2 (Cloud Command and Control) Server?
Hak5 C2 is a cloud self-hosted penetration testing platform lets you perform “Pentest from Anywhere” by connecting and using your Hak5 gear/products (WifiPineapple, Packet Squirrel or Lan Turtle) to a one unified dashboard and control those devices remotely through the cloud server.

Continue reading “Hak5 C2 (Cloud Command and Control) Self-hosted Server ClickJacking Vulnerability”

Share

Campaña de extorsión sexual: Su cuenta (john@doe.com) fue pirateada

Una campaña de extorsión está tomando por sorpresa a muchas personas y al día de hoy (25-Sept) ha recaudado 0.66982408 Bitcoins (Aproximadamente $4,288.51 dólares) y la cifra seguirá aumentando.

URL al Wallet: https://seekurity.com/services/goto/3i

El mensaje pretende haber sido enviado por un extorsionador que ha “hackeado” su computadora y ha activado la cámara web de la computadora para grabar un video tuyo mientras mirabas pornografía.
Continue reading “Campaña de extorsión sexual: Su cuenta (john@doe.com) fue pirateada”

Share

United Nations (UN) – A tail of leaking thousands of Job Applicants CVs and documents online, Path Disclosure and Information Disclosure Vulnerabilities!

In this blogpost we will clarify how we found A tail of vulnerabilities from leaking thousands of Job Applicants CVs and documents online to Path Disclosure and Information Disclosure Vulnerabilities in one of United Nations WordPress websites but first what is United Nations?

The United Nations (UN) is an intergovernmental organization tasked to promote international co-operation and to create and maintain international order. A replacement for the ineffective League of Nations, the organization was established on 24 October 1945 after World War II with the aim of preventing another such conflict. At its founding, the UN had 51 member states; there are now 193. The headquarters of the UN is in Manhattan, New York City, and is subject to extraterritoriality. Further main offices are situated in Geneva, Nairobi, and Vienna. The organization is financed by assessed and voluntary contributions from its member states. Its objectives include maintaining international peace and security, promoting human rights, fostering social and economic development, protecting the environment, and providing humanitarian aid in cases of famine, natural disaster, and armed conflict. The UN is the largest, most familiar, most internationally represented and most powerful intergovernmental organization in the world. –Wikipedia

Continue reading “United Nations (UN) – A tail of leaking thousands of Job Applicants CVs and documents online, Path Disclosure and Information Disclosure Vulnerabilities!”

Share

Business Logic Vulnerabilities Series: A Story of a 4-Years-old (and counting) Facebook Security Bug!

Hi Guys,
I am Ali Kabeel an Application Security Intern at Seekurity team. This is Second part of A brief on Abusing Invitation Systems blog post . In this blog post I will be mainly focusing on how I was able “by following the tips and tricks in the previous blog post” to bypass Facebook fixes for 4 consecutive years.In case you are not familiar with concepts, take a sneak peak on the previous blog before continuing with this one ;).

Continue reading “Business Logic Vulnerabilities Series: A Story of a 4-Years-old (and counting) Facebook Security Bug!”

Share

La CNBV expone públicamente información sensible de 1,700 usuarios, documentos e información interna.

Exponer información sensible a internet es un tema delicado, principalmente cuando los motores de búsqueda como Google pueden estar en contra tuya gracias a las malas prácticas o malas configuraciones implementadas en los sistemas.

Así como durante Abril del 2016 la lista de 93 millones de votantes mexicanos estaba expuesta públicamente en servidores de Amazon, esta vez uno de los sistemas internos de la Comisión Nacional Bancaria y de Valores exponía registros de 1,700 usuarios mexicanos, extranjeros, internos, externos, de entidades bancarias, instituciones educativas, entre otros.

Continue reading “La CNBV expone públicamente información sensible de 1,700 usuarios, documentos e información interna.”

Share

Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability

What is Asus Control Center?

ASUS Control Center is a whole new centralized IT management software. The software is capable of monitoring and controlling ASUS servers, workstations, and commercial products including notebooks, desktops, All-in-One (AiO) PCs, thin client, and digital signage.

Continue reading “Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability”

Share