An exploit for a vulnerability in Tor Browser was delivered today in a tweet that left sufficient room for comments. A security vulnerability broker disclosed the details because the exploit no longer served its purpose. The exploit was part of Zerodium's portfolio and worked against Tor Browser 7.x. It existed in the NoScript component, a browser add-on that stops web pages from executing JavaScript, Flash, Java or Silverlight. The exploit, which one can only assume Zerodium paid good money for, is just a matter of setting the Content-Type of the attacker's HTML/JS page, or of a hidden service in the Tor network, to "text/html/json", which suppresses any reaction from NoScript and lets all JavaScript code through. The bug worked when the user had configured NoScript to block all JavaScript by selecting the add-on's "Safest" security level. The recently released Tor Browser 8 is based on the new Firefox Quantum engine and did not inherit the flaw; nor does the latest NoScript version, which was rewritten as a web extension. Zerodium burning this exploit was also prompted by the fact that Tor Browser, like all modern browsers, comes with an auto-update mechanism, which is enabled by default. This makes sure that users are not affected by exploits that have already been addressed. One can disable this feature via the 'app.update' parameter in the 'about:config' menu. While some users prefer to deploy updates manually for sensitive software such as Tor Browser, the mechanism proves beneficial in instances such as this one. There's more on OUR FORUM.
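The lesson for anyone writing a content blocker is that a media type which does not parse must be treated as a potentially script-capable document, not classified by which words it happens to contain. The following is an added illustration written for this page, not NoScript's code or the actual bug logic: it contrasts a substring classifier with a strict media-type parser that fails closed, run over a few constructed Content-Type values including the malformed one from the article.

```python
import re

# Constructed Content-Type values for this example (not captured traffic).
SAMPLE_HEADERS = [
    "text/html; charset=utf-8",
    "application/json",
    "text/html/json",           # the malformed value described in the article
    "application/xhtml+xml",
]

# RFC 7231 media type: type "/" subtype, optional ";parameters". Both parts are tokens.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*(?:;.*)?$")

# Media types that a browser will render as a document able to run scripts.
SCRIPT_CAPABLE = {("text", "html"), ("application", "xhtml+xml")}


def parse_media_type(value):
    """Return (type, subtype) in lower case, or None if the header is malformed."""
    m = _MEDIA_TYPE.match(value)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2).lower()


def loose_blocks_scripts(value):
    """Substring classification (the mistake): anything that 'looks like' JSON is
    treated as inert data, so 'text/html/json' is never blocked."""
    v = value.lower()
    if "json" in v:
        return False
    return "html" in v


def strict_blocks_scripts(value):
    """Fail-closed classification: a value that does not parse as a media type is
    treated as a script-capable document and blocked at the 'Safest' level."""
    parsed = parse_media_type(value)
    if parsed is None:
        return True
    return parsed in SCRIPT_CAPABLE


def compare(headers):
    """Map each header value to (loose_decision, strict_decision)."""
    return {h: (loose_blocks_scripts(h), strict_blocks_scripts(h)) for h in headers}


if __name__ == "__main__":
    for header, (loose, strict) in compare(SAMPLE_HEADERS).items():
        print(f"{header!r:32} loose blocks={loose!s:5} strict blocks={strict}")
```

Only the malformed value separates the two classifiers: the loose check waves it through while the strict parser rejects it and blocks, which is the behaviour a default-deny security level should have.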

Apple removed today a very popular anti-malware app called Adware Doctor from the Mac App Store because it was gathering browsing history and other sensitive information without the user's permission and then uploading it to someone in China. Adware Doctor is promoted as an anti-malware and adware protection program that claims to be able to protect your Mac from malicious files and your browser from adware. This program was the #1 paid utility in the Mac App Store, with a 4.8-star rating and over 7,000 reviews. While it may have had the ability to remove infections on your Mac, it was also discovered to be quietly uploading a user's personal data to a remote site without their permission. This behavior was first discovered by a security researcher named Privacy 1st, who noticed that Adware Doctor would gather a user's browsing history from the Chrome, Safari, and Firefox browsers, a list of running processes, and the App Store search history. This information is then stored in a password-protected zip file called history.zip. After the history zip was created, it would be uploaded to a remote server. In a blog post released today, Patrick corroborates Privacy 1st's findings and provides a detailed analysis of how the program would secretly gather a user's browsing habits and application details and then upload them to a remote host. When Adware Doctor uploaded a user's data, it would send the history.zip file to a remote host named adscan.yelabapp.com. While this domain is hosted on Amazon AWS servers, its DNS records clearly show that it is administered by someone from China. Continue reading on OUR FORUM.

The browser extension for the Keybase app fails to keep the end-to-end encryption promise of its desktop variant. Keybase is a communication and collaboration application focused primarily on securing traffic from source to destination through public-key cryptography. Wladimir Palant, the maker of the popular Adblock Plus content filtering tool, looked at how the web extension for Keybase works and noticed that the messages it sends are exposed to third-party JavaScript code. The extension adds a "Keybase Chat" button to profile pages on Facebook, Twitter, GitHub, Reddit, and Hacker News. Clicking on the button opens a chat window where users can type their message. "When you compose your text and 'send' it, the extension passes it to your local copy of Keybase, which encrypts the message and sends it through Keybase chat," states the FAQ section for the Keybase Chrome and Firefox extension. And herein lies the issue signaled by Palant: messages are not encrypted until they reach the desktop app, and while Keybase injects its button into web pages, it does not isolate itself from them. "So the first consequence is: the Keybase message you enter on Facebook is by no means private. Facebook’s JavaScript code can read it out as you type it in, so much for end-to-end encryption," Palant explains. Check it out at OUR FORUM.

Microsoft is reportedly working on a modular platform codenamed Windows Core OS. Last month, a Microsoft job posting revealed additional details of Microsoft’s modular OS. Today, an alleged LinkedIn profile of a Microsoft software engineer who was working on the Windows Core OS (WCOS) project has surfaced online, giving us a peek at what Windows Core OS might be about. The profile page reveals that Windows Core OS is not only a modular platform but also a security-focused operating system. The LinkedIn profile hasn’t revealed the release date or any other interesting details of Windows Core OS, but it looks like Microsoft is planning to enable next-generation security features in WCOS at the OS image level. “Our project was one of the first Windows Core (WCOS) based projects to migrate to the new image build system tooling designed to enable the next generation security features of the operating system at the OS image level,” the profile reads. This mention of “next generation security features” hints at many security features that could make their way to future versions of Windows, something Synaptics has confirmed during a conference. To recall, during a conference between Synaptics and AMD, the companies discussed how biometrics could secure the “next-generation” Windows operating system. While there’s no mention of WCOS anywhere in the call, it’s certainly possible that the two companies were referring to Windows Core OS when they spoke of a next-generation Windows. Find out more on OUR FORUM.

Millions of home Wi-Fi networks could be easily hacked, even when the network is protected by a strong password, thanks to a flaw in Chrome-based browsers. Researchers at cybersecurity and penetration testing consultancy SureCloud have uncovered a weakness in the way Google Chrome and Opera browsers, among others, handle saved passwords and how those saved passwords are used to interact with home Wi-Fi routers over unencrypted connections. By design, Chrome-based browsers offer to save Wi-Fi router administration page credentials and re-enter them automatically for the user's convenience. As most home routers do not use encrypted communications for management tasks, the researchers were able to exploit this automatic credential re-entry both to steal the router login credentials and to use them to capture the Wi-Fi network password (PSK), with only a single click required from the user for the attack to succeed. The weakness applies to any browser based on the Chromium open source project, such as Google Chrome, Opera, Slimjet, Torch, and others. Any router that has an administration portal delivered over cleartext HTTP by default (or enabled) would be affected by this issue, which makes fixing it through router and device updates impractical. The issue was responsibly disclosed to Google's Chromium project (which develops the code for Chrome and other browsers) on March 2nd, 2018. Chromium responded the same day, saying that the browser feature was ‘working as designed’ and that it does not plan to update the feature. More details are posted on OUR FORUM.
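Since the browser vendor treats the behaviour as working as designed, the practical mitigation sits with the user: find out which saved credentials belong to cleartext HTTP origins on the local network and either move those devices to HTTPS or stop saving their logins. The script below is an added example written for this page (not SureCloud's tooling or anything from Chromium); it assumes a password export in the common CSV layout of name,url,username,password and uses constructed, made-up rows. The hostname heuristics for non-IP hosts are an assumption and can be adjusted.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in a name,url,username,password export layout; every value is made up.
SAMPLE_EXPORT = """name,url,username,password
router,http://192.168.1.1/login.html,admin,placeholder-1
bank,https://bank.example/login,alice,placeholder-2
nas,http://10.0.0.5:8080/,admin,placeholder-3
news,http://news.example.com/account,reader,placeholder-4
printer,http://printer.local/,admin,placeholder-5
"""


def is_private_host(host):
    """True for RFC 1918/loopback/link-local IPs and for hostnames that look LAN-local
    (assumed suffixes .local/.lan/.home, or single-label names)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith((".local", ".lan", ".home")) or "." not in host


def find_cleartext_lan_logins(export_csv):
    """Return saved entries whose origin is plain http:// on a private host.
    These are the credentials a browser would auto-fill into an unencrypted admin page."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        parts = urlsplit(row["url"])
        if parts.scheme != "http":
            continue  # https origins are not exposed to the cleartext replay described above
        host = parts.hostname or ""
        if is_private_host(host):
            # netloc keeps the port, which matters for routers on non-standard ports
            findings.append({"name": row["name"], "origin": f"http://{parts.netloc}"})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_lan_logins(SAMPLE_EXPORT):
        print(f"{f['name']:10} saved credential for cleartext origin {f['origin']}")
```

The output lists the router, the NAS and the printer but not the HTTPS bank login or the public news site; for each flagged entry, the safer options are enabling HTTPS on the device's admin interface where it is offered, or deleting the saved credential so the browser has nothing to auto-fill over cleartext.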

A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service. One of the main purposes of setting up a dark website on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark website, though, the administrator must configure the web server so that it is only listening on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet. Yonathan Klijnsma, a threat researcher lead for RiskIQ, has discovered that there are many Tor sites that utilize SSL certificates and also misconfigure a hidden service so that it is accessible via the Internet. As RiskIQ crawls the web and associates any SSL certificate it discovers with its hosting IP address, it was easy for Klijnsma to map a misconfigured hidden Tor service to its corresponding public IP address. "The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well," Klijnsma told BleepingComputer. "This is especially true if they don't use a firewall. These servers should be configured to only listen on 127.0.0.1." When asked how often he sees misconfigured servers that expose their public IP address, he told us that it is quite common. "Continuously. I'm not even kidding. Some don't listen on http/http, so I don't know what they are, but they have onion addresses and live on both clear and dark web." Get better informed by visiting and joining OUR FORUM.
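The fix Klijnsma describes is a configuration check: every listener behind a hidden service must bind to 127.0.0.1 (or ::1), never to *, 0.0.0.0 or a bare port. The script below is an added example for this page, not RiskIQ's scanner; it statically audits nginx `listen` and Apache `Listen` directives in constructed config snippets and flags any listener that is not loopback-only. The directive syntax is real; the snippets and the `audit` helper are constructed for the example.

```python
import re
import ipaddress

# Constructed config snippets (not from the article). Only the listen directives matter here.
NGINX_CONF = """
server {
    listen 0.0.0.0:8080;          # wrong: every interface, reachable from the clearnet
    listen [::]:8080;             # wrong: same thing for IPv6
    server_name _;
}
server {
    listen 127.0.0.1:8081;        # right: loopback only, reachable through Tor alone
}
"""
APACHE_CONF = """
Listen 80
Listen 127.0.0.1:8082
Listen *:8083
"""


def nginx_listeners(text):
    """Yield the address/port spec of each nginx 'listen' directive (flags such as
    default_server are dropped)."""
    for m in re.finditer(r"^\s*listen\s+([^;]+);", text, re.M):
        yield m.group(1).split()[0]


def apache_listeners(text):
    """Yield the address/port spec of each Apache 'Listen' directive."""
    for m in re.finditer(r"^\s*Listen\s+(\S+)", text, re.M):
        yield m.group(1)


def bind_address(spec):
    """Extract the address part of 'addr:port', '[v6addr]:port', '*:port' or 'port'.
    None means no address was given, which both servers treat as all interfaces."""
    if spec.startswith("["):
        return spec[1:spec.index("]")]
    if ":" in spec:
        return spec.rsplit(":", 1)[0]
    return None if spec.isdigit() else spec


def is_loopback(addr):
    """True only for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    if addr is None or addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def audit(nginx_text, apache_text):
    """Return (server, spec) for every listener that is not bound to loopback."""
    findings = []
    sources = (("nginx", nginx_listeners(nginx_text)),
               ("apache", apache_listeners(apache_text)))
    for server, specs in sources:
        for spec in specs:
            if not is_loopback(bind_address(spec)):
                findings.append((server, spec))
    return findings


if __name__ == "__main__":
    for server, spec in audit(NGINX_CONF, APACHE_CONF):
        print(f"{server}: listener '{spec}' is not loopback-only")
```

A static check like this catches the mistake before deployment; on a running host the equivalent live check is to list listening sockets (for example with `ss -tlnp` on Linux) and confirm that nothing serving the hidden service is bound to 0.0.0.0 or ::, which also covers the case where a firewall was relied on instead of the bind address.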