PAYFORT – Multiple Security Issues and Concerns in a PCI/DSS compliant payment processor SDK!

TL;DR A year ago we have been contacted by one of our clients from Middle east regarding looking for/implementing a payment processing solution for their own eCommerce solution and asked us to assist them in order to give them some candidates working in the same field in the middle east but we refused because our job is to assess not to suggest specific names, they suggested us some names but one among those names were a name-with-a-reputation but they ended up not choosing this name due to insecure implementation.

Continue reading “PAYFORT – Multiple Security Issues and Concerns in a PCI/DSS compliant payment processor SDK!”

Share

تحقيقات: مجرم و ايفون و راسبرى باى

واحده من الحاجات اللى احنا مميزين فيها بالاضافه للخدمات التانيه اللى بنقدمها هيا ال Investigations، معظم التحقيقات اللى دخلنا فيها ك Seekurity​ كنا بنقدم نتايج دقيقه بنسبة ٩٩٪ ودا بسبب التكنيكس اللى بنتبعها بحسب خبرتنا فى المجال، فى البوست دا حبيت اشارك معاكم تكنيك اتبعناه من حوالى 3 سنين وحبه تقريباً لما كنا شغالين مع شركة X اللى كانت عندها شغل و deals مع الحكومه وعلى اتصال بردو بالبوليس المكسيكى فى واحده الحقيقه من اعجب ال cases اللى اشتغلت عليها، البوست هنا تيكنيكال بحت لانى مش هتطرق لاى تفاصيل ليها علاقة بالقضية نفسها (لا اسماء ولا اماكن ولا الخ..) لاننا كنا تحت “اتفاقية عدم فصح مؤقته temporary non-disclosure agreement” وبالرغم من ان وقتها دا انتهى الا انى بردو مش هتطرق لتفاصيل ملهاش لازمه فى الموضوع اللى انا عايز اتكلم فيه.‬

Continue reading “تحقيقات: مجرم و ايفون و راسبرى باى”

Share

Business Logic Vulnerabilities Series: A Story of a 4-Years-old (and counting) Facebook Security Bug!

Hi Guys,
I am Ali Kabeel an Application Security Intern at Seekurity team. This is Second part of A brief on Abusing Invitation Systems blog post . In this blog post I will be mainly focusing on how I was able “by following the tips and tricks in the previous blog post” to bypass Facebook fixes for 4 consecutive years.In case you are not familiar with concepts, take a sneak peak on the previous blog before continuing with this one ;).

Continue reading “Business Logic Vulnerabilities Series: A Story of a 4-Years-old (and counting) Facebook Security Bug!”

Share

Microsoft Yammer Clickjacking – Exploiting HTML5 Security Features

 

Introduction:

Modern Web Applications nowadays are relaying on a lot of technologies where typical web applications vulnerabilities are hard to find (eg. Clickjacking is an ABC security bug) but bug hunters are always the best!

Yammer is a freemium enterprise social networking service used for private communication within organizations. Access to a Yammer network is determined by a user’s Internet domain so that only individuals with approved email addresses may join their respective networks.

Continue reading “Microsoft Yammer Clickjacking – Exploiting HTML5 Security Features”

Share

When your privacy disclosure is a “feature” not a “bug” – Badoo & HotorNot failure!

badoo10

Your privacy on the internet is the biggest concern ever and when it comes to “Dating websites” and “Social Networks” it means more and more!

Let me tell you a story of two websites that don’t respect yours and putting it on danger…

Continue reading “When your privacy disclosure is a “feature” not a “bug” – Badoo & HotorNot failure!”

Share

Facebook ClickJacking – How we put a new dress on Facebook UI

facebook-banner

Hi Bug Hunters,

Today we will explain how we redressed facebook ui and made it so easy to fool a victim to for example, Add the attacker as a member in one of his own secret groups on facebook.

Here’s some details about the issue:

Share

VoIP Security Analysis with Asterisk

fb-1
Adopting new technologies such as VoIP by small, medium and large companies,
isn’t only  about the benefit representing a decrease in costs, is about an risk increase exposure too,
which can be reflected in the payment of  large sums of money , because (national or international)
calls made by people outside the company.
Share