Stored XSS in the heart of the Russian email provider giant (Mail.ru)

Hi, I’m Seif Elsallamy, a bug hunter from Seekurity Team. Today I will show you a critical reflected Cross Site Scripting bug affecting mail.ru that could be used as an XSS worm, but first let’s dive into some general information.


Vulnerability in Metasploit Project aka CVE-2017-5244

Hi Guys, I hope you all are fine and doing well. Yes, you read it right: we managed to find a vulnerability in a framework used to exploit vulnerabilities! “Today is me, tomorrow will be you” 🙂 Today we will talk about a CSRF vulnerability that affects the web application of both versions (Express, Community […]


Let’s steal some tokens!

Hey There, How you doing? Good? Cool! In this blog post I will be talking about my experience with minor bugs chained together to steal sensitive tokens. #1. Stealing CSRF tokens through Google Analytics. While randomly testing things on apps.shopify.com, I landed at some random app page and hit the Write a review button, […]


CyberTalents CTF web security challenges write-up

Hey Folks, my name is Mahmoud, a web application penetration tester. I have recently joined Seekurity, and today I will share with you the details of the National Cyber Security CTF we recently had in Egypt. This year, CyberTalents organised a cyber security CTF in Egypt sponsored by Trend Micro, which is probably the largest and […]


Facebook Messenger and HSTS

Pic Source: zona3.mx/sites/default/files/Facebook-Messenger-iPhone-6.png This article was originally covered by Tom Spring of ThreatPost. On Tuesday, Seekurity Founder and Cyber Security Advisor, Mohamed A. Baset, published a proof-of-concept video demonstrating what he calls a Facebook flaw that allows an attacker to access audio or video files from Facebook servers and play them back. Facebook is dismissing […]


Protected: Uber Vulnerability

There is no excerpt because this is a protected post.


#OperationTakeDown: Netflix Phishing Attack & Analysis

Hi Folks, days ago, one of our clients received an email with the following subject in Spanish: “Problemas con tu membresia de Netflix” (Problems with your Netflix membership). The email was in his SPAM folder with the following caption: “Be careful with this message. It contains a suspicious link that has been used to steal […]


BMW Vulnerabilities – Hijack Cars ConnectedDrive™ Service!

Hi Folks, let me tell you the story about some typical vulnerabilities that were discovered by @Seekurity Team in the BMW ConnectedDrive service, which would allow any beginner attacker to hijack the whole service! First, what is the BMW ConnectedDrive service? BMW ConnectedDrive – a technology packet full of services and apps that connects you closely to […]


RunKeeper Stored XSS Vulnerability – Where worms are able to run too!

RunKeeper is a GPS fitness-tracking app for iOS and Android with over 40 million users. It was first launched in 2008 by CEO Jason Jacobs with the help of “moonlighting engineers”. In late 2011 RunKeeper secured $10 million in a Series B financing, led by Spark Capital. In February 2016, RunKeeper was acquired by ASICS.


Cookie stuffing: How we are part of a fraud of millions of dollars

What is Cookie stuffing fraud? It is an activity that allows online actors to defraud affiliate marketing programs by causing themselves to receive credit for purchases made by web users (in this case, users who made an online purchase on Amazon, Walmart, eBay or any other online store), even if the affiliate marketer didn’t actively perform […]
