La CNBV expone públicamente información sensible de 1,700 usuarios, documentos e información interna.

Exponer información sensible a internet es un tema delicado, principalmente cuando los motores de búsqueda como Google pueden estar en contra tuya gracias a las malas prácticas o malas configuraciones implementadas en los sistemas.

Así como durante Abril del 2016 la lista de 93 millones de votantes mexicanos estaba expuesta públicamente en servidores de Amazon, esta vez uno de los sistemas internos de la Comisión Nacional Bancaria y de Valores exponía registros de 1,700 usuarios mexicanos, extranjeros, internos, externos, de entidades bancarias, instituciones educativas, entre otros.

Continue reading “La CNBV expone públicamente información sensible de 1,700 usuarios, documentos e información interna.”

Share

Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability

What is Asus Control Center?

ASUS Control Center is a whole new centralized IT management software. The software is capable of monitoring and controlling ASUS servers, workstations, and commercial products including notebooks, desktops, All-in-One (AiO) PCs, thin client, and digital signage.

Continue reading “Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability”

Share

١٠١ – دليلك فى البرمجة ومجال امن وحماية واختبار اختراق تطبيقات الويب

“101 دليلك فى البرمجة ومجال امن وحماية واختبار اختراق تطبيقات الويب”

“ازاى ابدأ فى مجال اختبار اختراق تطبيقات الويب؟” – “ازاى ادخل مجال ال Web Application Security Pentesting” دا مثال للأسئلة اللى بنستقبلها مراراً وتكراراً، كنت كتبت بوست قبل كدا بيشرح كل دا من A to Z هنزله النهارده تانى بس فى صورة مقال علشان يبقى سهل الرجوع ليه.

فى المقال دا حاولت بقدر الامكان انى اجاوب فيه على كل الاسئلة اللى اتسألتلى فى الفتره اللى فاتت وعن معظم الاسئلة اللى هتجول فى خاطرك علشان تبدأ بسهولة فى مجال القرصنة الاخلاقية Ethical Hacking او تحديداً وبشكل ادق مجال حماية وامان واختبار اختراق تطبيقات الويب Web Application Penetration Testing فى صورة نصائح لراغبى البدء فى اى منهم، النصائح دى بتتلخص فى بعض النقاط وهى:

Continue reading “١٠١ – دليلك فى البرمجة ومجال امن وحماية واختبار اختراق تطبيقات الويب”

Share

Fuga de datos en Aliada, la limpieza empieza por la casa…

Hace algún tiempo mientras realizabamos una búsqueda en Google de archivos con extensión “TXT”, nos encontramos con que Google había indexado un archivo de una URL que contenía un nombre muy familiar… Aliada.

Para los que no conocen que es Aliada, aquí la descripción que se encuentra en su sitio web:

“Aliada es la plataforma que permite crear la conexión ideal entre mujeres que pueden ofrecer servicios de limpieza y personas que necesitan ayuda en su casa u oficina.”.

Continue reading “Fuga de datos en Aliada, la limpieza empieza por la casa…”

Share

Hijacking User’s Private Information access_token from Microsoft Office360 facebook App

Hi Guys, Today i would like to show you how a single misconfiguration issue would jeopardize the user’s privacy if maliciously exploited hence hijack user “access_token” from Microsoft Office360 facebook App. Microsoft decided that this Office365 facebook app is NOT under their Microsoft Online Services bug bounty scope although we proved that our discovered bug can result in stealing Microsoft Office facebook App Access Token and that’s due to a misconfiguration in Microsoft Office Facebook App itself.

Continue reading “Hijacking User’s Private Information access_token from Microsoft Office360 facebook App”

Share

Multiple Cross-Site Scripting Vulnerabilities in Crea8Social Social Network Script

 

During a quick trial security assessment (not fully tested) of Crea8Social Social Network Script our team at Seekurity.com SAS de C.V. identified several severe Cross-Site Scripting Vulnerabilities in the platform that been widely used on the internet to create your own social network website (BTW this script used in the alleged new Egyptian Facebook named as EgFace.com). Our team responsibly contacted the vendor of the script but we got no answer and based on our Seekurity responsible disclosure rules which is a 90-day-disclosure-deadline or NON-Responsive vendor the bug details became visible to the public through our official communication channels.

Continue reading “Multiple Cross-Site Scripting Vulnerabilities in Crea8Social Social Network Script”

Share

Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability!

(Photo Illustration by Thomas Trutschel/Photothek via Getty Images)

Hi Guys, I hope all of you are doing great and in a well state.

Today i will show you a ClickJacking bug i found in Instagram that allowed me to iframe ajax responses and leads attackers to steal your instagram connected applications tokens hence hijack your account!

Continue reading “Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability!”

Share

The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability!

Hi Guys, How are you doing? Well i’ll consider and hope the answer is “Fine”… Today i will show you a bug i found in Facebook without even using any kind of testing tools BUT those kind of bugs requires what’s more than tools, it requires a hawk-eye, A platform-aware bug hunter mentality, a poet and an awesome morning cup of coffee, So don’t expect to gain technical skills from this blog post, only some pro tips and hunting mentality experience!

This is merely the second time i’m sending a report to Facebook Security Team without writing a piece of code!

Continue reading “The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability!”

Share

The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations!

Hi Folks, Long time no see, it’s Seif Elsallamy, Remember me ? if not 🙁 you may go through my previous blogs Stored XSS in the heart of the Russian email provider giant (Mail.ru)  ,  Rolling around and Bypassing Facebook’s Linkshim protection on iOS

Today I’m gonna show you a race condition bug which i recently fall in love with those kind of vulnerabilities especially in when it comes to Facebook also i want to mention that this bug is super simple to understand It’s not complicated, the only complicated part is how to test and finding it.

Continue reading “The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations!”

Share

CVE-2017-17713 and CVE-2017-17714 – Multiple SQL Injections and XSS Vulnerabilities found in the Hackers tracking tool “Trape” from “Boxug”

[-] About the Tool:

Trape is a recognition tool that allows you to track people, the information you can get is very detailed. We want to teach the world through this, as large Internet companies could monitor you, obtaining information beyond your IP.

Continue reading “CVE-2017-17713 and CVE-2017-17714 – Multiple SQL Injections and XSS Vulnerabilities found in the Hackers tracking tool “Trape” from “Boxug””

Share