Data Breach Archives | Vednam
https://vednam.com/category/data-breach/
Latest News on Cyber Security, Hacking and Tech

Exposing 185M+ Indian Personal Information, you be the next
https://vednam.com/exposing-185m-indian-personal-information-you-be-the-next/
Sun, 19 Mar 2023 05:24:29 +0000

Bad news for all Indian license holders: their data was exposed on an official government website due to some bad vulnerabilities. After some news reports highlighted this issue, I found a blog post which clearly described how these things happen.

On Feb 20, a student and cybersecurity researcher, Robin Justin, posted a blog which contains the details of vulnerabilities impacting Sarathi Parivahan (the website where Indian people apply for driving licenses and other RTO applications), which comes under the guidance of India's Ministry of Road Transport and Highways.

The issue arose on the portal that allows citizens to apply for a learner's license for driving. When he faced issues there, he went to the RTO, and in the end the RTO said there were some issues but that they would be resolved soon.

What was the Issue?

The researcher found that, to authenticate to any application, you need the application number and the date of birth. However, an endpoint intended to check the application state was flawed: an attacker could supply a random application number to learn the associated applicant's date of birth, address, driving license number and name, and even pull the photo of the individual.

The researcher, Justin, explored further and found a second vulnerability, which requires only the phone number and the applicant's date of birth to access the applicant's application number.

The third vulnerability was a publicly reachable feature that was meant to be restricted to administrators. The feature allowed the researcher to access the documents uploaded by any applicant.

Lastly, he said: “This may impact the personal information of any individual who ever applied for or was issued a license from Sarathi Parivahan. The application number can be retrieved by entering the mobile number and date of birth; with the application number, you can then use the application number and date of birth to access the applicant's data uploaded on https://parivahan.gov.in/parivahan/, including personal data like name, Aadhar number, and all the documents uploaded.”

This is not the END of the Problem

The whole scenario was sent to CERT-IN (Computer Emergency Response Team - India), but he did not get a response from the other side. The researcher then reached the main issue: a poorly secured one-time password (OTP) system for a SYSadmin account.

He even managed to log in to the portal with an administrator account, which granted him access to view applicants and their documents. The researcher also had the option to process applications without any in-person verification checks and to approve requests to change license information, and even had access to the PII of government staff working in regional transport offices.

The main issue is that anyone with this level of knowledge could get all the information, including the Aadhar card and passport, of the 185 million+ applicants who hold an Indian driving license. That person could even generate as many driving licenses as they want without anyone knowing.

What happens after Reporting 

Justin sent the report by mail to CERT-IN in Nov 2022 but never got a response, so on Dec 5, 2022 he wrote again to the officials about the issue.

Finally, on Jan 25, 2023, the happy mail was received, confirming that the vulnerability was resolved.
Cisco Webex Meeting: Windows User Sensitive Data at Risk
https://vednam.com/cisco-webex-meeting-windows-user-sensitive-data-at-risk/
Thu, 25 Jun 2020 19:55:12 +0000

While scrolling the news, I found that the Cisco Webex Meetings app for Windows has a vulnerability that allows an authenticated local attacker to gain access to sensitive information on a vulnerable system.

The vulnerability is tracked as CVE-2020-3347 and is due to unsafe usage of shared memory by the Cisco Webex app.

According to the report from Trustwave SpiderLabs, who discovered the vulnerability, once a user has configured the client, it has several memory-mapped files that are not protected from reading or writing.

“The malicious user can open and dump the content of the file if they log in to the machine. Simply put, another user can loop over all the sessions and try to open, read and save interesting content for future disturbance.”

“The vulnerability can be exploited by an attacker who has access to the system memory, and this happens by running an application on the local system.”

If exploitation of the vulnerability succeeds, it allows the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could help the attacker in future attacks.

Cisco Webex Meetings Desktop App for Windows releases earlier than 40.6.0 are affected by this vulnerability. Cisco has now released patches and recommends that users update the Cisco Webex application.

“After considering the software upgrades, the customers are also advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.”

The Cisco Product Security Incident Response Team said that “they are not aware of any malicious use of the vulnerability that is mentioned by the advisory”.
Hackers Bypass the Google Analytics Security to stole the Credit Cards.
https://vednam.com/google-analytics-hacked/
Tue, 23 Jun 2020 12:30:12 +0000

The research team found on Monday that some cyber threat actors are exploiting the Google Analytics service to steal credit card details, and that this mainly affects e-commerce websites.

According to articles from The Hacker News, PerimeterX, Kaspersky and finally Sansec, the attackers are now injecting data-stealing scripts into compromised websites. The scripts look similar to the tracking code generated by Google Analytics, but for the attackers' own account, and they collect the payment information entered by users even where a Content Security Policy (CSP) is enforced.

The Kaspersky team mentioned, “The threat actors are injecting malicious scripts which collect all the data entered by the user, and then it is sent via Google Analytics.” As a result, the attackers could access the stolen data in their Google Analytics account.

Many cybersecurity companies claim to have found more than two dozen infected websites across North and South America and parts of Europe, belonging to sellers of food products, cosmetics, digital equipment, and car or motorbike spare parts.

Analysis

Sansec has been tracking this novel campaign since March 17th. Several dozen stores have been injected with the loader, which runs on Google's open storage platform:

firebasestorage.googleapis.com

The threat actors hinge on the premise that e-commerce websites using Google's web analytics service to track visitors have whitelisted the associated domains in their Content Security Policy (CSP).

CSP is a security measure that helps detect and mitigate threats stemming from cross-site scripting vulnerabilities and other forms of code injection attacks, including those used by the various Magecart groups.

This security feature allows webmasters to define the set of domains the web browser is allowed to interact with for a specific URL, so that the execution of untrusted code is prevented.

“The source of the problem is that the CSP rule system is not enough,” the PerimeterX researcher said. Recognizing and stopping the above malicious JavaScript request requires an advanced visibility solution that can detect the access and exfiltration of sensitive user data like email addresses and passwords.

The data harvesting method uses a small piece of JavaScript code that transmits the collected details, which consist of credentials and payment information, through events and other parameters that Google Analytics uses to uniquely identify the actions performed on a site.

Kaspersky noted in its blog: “Administrators write *.google-analytics.com into the Content Security Policy (CSP) header (basically used for listing resources from which third-party code can be downloaded), which also allows the service to collect the data. What is more, the attack can be implemented and executed without downloading code from external sources.”

To make the attacks more hidden, the attackers also ascertain whether developer mode is enabled, a feature that's often used to spot network requests and security errors, among other things.

As the researcher mentioned, “A possible solution would come from adaptive URLs, which add the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts.”

Unfortunately, as a customer there isn't much you can do to safeguard yourself from formjacking attacks. Turning on developer mode in the browser can help when you make online purchases.

But watch out for unauthorized access and purchases or identity theft.
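How the allowlist gap described above looks from the defender's side, as an added example (not code from the original article or from the vendors it cites): a CSP that allows `*.google-analytics.com` lets through a beacon to any Analytics account, so the check compares the `tid` parameter of each observed `/collect` request against the site's own property ID. The CSP string, property IDs and request URLs are constructed sample data, and source matching is simplified to scheme and host.

```javascript
'use strict';

// ASSUMPTION: the site's own Analytics property ID (constructed placeholder).
const OWN_PROPERTY_IDS = new Set(['UA-1111111-1']);

// Constructed sample policy of the kind the article describes.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://*.google-analytics.com; img-src 'self' https://*.google-analytics.com";

// Constructed sample of outbound requests observed on a checkout page.
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/collect?v=1&tid=UA-1111111-1&cid=555&t=pageview&dp=%2Fcheckout',
  'https://www.google-analytics.com/collect?v=1&tid=UA-9999999-9&cid=555&t=event&ec=form&ea=submit&el=REDACTED',
  'https://collector.example.net/c?d=REDACTED',
];

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Simplified source matching: scheme and host only (no ports, paths or 'self').
function sourceMatches(source, url) {
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // keyword sources are not evaluated here
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  let expr = source;
  const schemeSplit = expr.indexOf('://');
  if (schemeSplit !== -1) {
    if (expr.slice(0, schemeSplit).toLowerCase() + ':' !== url.protocol) return false;
    expr = expr.slice(schemeSplit + 3);
  }
  expr = expr.split('/')[0].toLowerCase();
  const host = url.hostname.toLowerCase();
  // "*.example.com" covers subdomains only, not the bare domain.
  if (expr.startsWith('*.')) return host.endsWith(expr.slice(1));
  return host === expr;
}

// Does the policy let the page send a request of this kind to the URL?
function cspAllows(policy, directive, url) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true; // no applicable directive, nothing is restricted
  return sources.some((s) => sourceMatches(s, url));
}

const GA_HOST = /(^|\.)google-analytics\.com$/i;

// Classify one observed request. CSP only sees the host; the account check
// needs the "tid" (tracking ID) query parameter of the Analytics beacon.
function auditRequest(rawUrl, policy, ownIds, directive = 'connect-src') {
  const url = new URL(rawUrl);
  const allowed = cspAllows(policy, directive, url);
  const isBeacon = GA_HOST.test(url.hostname) && /\/collect$/.test(url.pathname);
  const tid = isBeacon ? url.searchParams.get('tid') : null;
  let verdict = 'ok';
  if (!allowed) verdict = 'blocked-by-csp';
  else if (isBeacon && !(tid && ownIds.has(tid))) verdict = 'ga-account-not-ours';
  return { host: url.hostname, allowed, tid, verdict };
}

function auditAll(requests, cspHeader, ownIds) {
  const policy = parseCsp(cspHeader);
  return requests.map((r) => auditRequest(r, policy, ownIds));
}

for (const result of auditAll(SAMPLE_REQUESTS, SAMPLE_CSP, OWN_PROPERTY_IDS)) {
  console.log(`${result.verdict.padEnd(20)} ${result.host} tid=${result.tid}`);
}
```

The second sample request passes the policy exactly like the first; only the property ID comparison separates them, which is the per-account restriction the quoted researcher says CSP cannot express.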

 

269 GB of U.S Police and Fusion Centres Data Leaked Online
https://vednam.com/269-gb-of-u-s-police-and-fusion-centres-data-leaked-online/
Tue, 23 Jun 2020 03:07:06 +0000

According to reports, a group of hacktivists and advocates has published a huge 269 GB of data allegedly stolen from 200 police departments, fusion centers, and other law enforcement agencies across the United States.

Called BlueLeaks, the data exposed by the DDoSecrets group contains hundreds of sensitive documents from the past 10 years that may include official and personal information.

DDoSecrets, or Distributed Denial of Secrets, does transparency work in the same way as WikiLeaks. It publicly publishes data and classified information submitted by hackers, while claiming that the organization itself never gets involved in the extraction of the data.

According to the hacktivist group, the BlueLeaks dump contains “police and FBI reports, guides, bulletins and more, which provide unique insights into law enforcement and a wide array of government activities, including thousands of documents mentioning COVID-19.”

Screenshots of the BlueLeaks dump show that the data contains around millions of files, including images, documents, videos, web pages, text files, emails, audio files and more, though it is yet to be investigated how many files are classified and not supposed to be public.

The BlueLeaks data contains intelligence on protests, including the recent countrywide “Black Lives Matter” protests in the U.S. which followed the death of George Floyd while he was in the custody of Minneapolis police.

BlueLeaks includes data from the following U.S. agencies:

  • Alabama Fusion Center
  • Austin Regional Intelligence Center
  • Boston Regional Intelligence Center
  • Colorado Information Analysis Center
  • California Narcotic Officers’ Association
  • Delaware Information and Analysis Center
  • FBI Houston Citizens Academy Alumni Association
  • FBI National Academy Association Arkansas/Missouri Chapter
  • FBI National Academy Association Michigan Chapter
  • FBI National Academy Association of Texas

It appears that the source of the massive data is a security breach at the Houston-based web hosting company ‘Netsential Inc’, where the web server for the National Fusion Center Association (NFCA) is hosted, as security bloggers mention.

Fusion centers are information centers that enable intelligence sharing between local, territorial, tribal and federal law enforcement agencies, maximizing the ability to detect, investigate, prevent and respond to criminal and terrorist activities.

The NFCA confirmed that the “data leaked actually spans around 24 years, from August 1996 through June 19, 2020. The documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files”.

Netsential confirmed that a threat actor had leveraged a compromised Netsential customer user account and the web platform's upload feature to exfiltrate other Netsential customers' data, including that of U.S. police agencies.

Netsential is the same web hosting company that was previously abused by attackers to infect targeted victims with ransomware by sending spoofed spear-phishing emails.

After Ransomware attacks Cognizant Confirms Data Breach
https://vednam.com/after-ransomware-attacks-cognizant-confirms-data-breach/
Fri, 19 Jun 2020 11:13:42 +0000

One of the most reputed IT giants suffered a ransomware attack last April, which caused service disruptions for its clients.

Cognizant is known as one of the big IT firms, with more than 3 lakh employees, and it provides IT services that include digital, technology, consulting, and operations services.

The Attack's Effect

April 17 was not a good day for the company: its internal systems were hit by the Maze ransomware. The company informed its clients about the attack and provided them with indicators of compromise (IOCs) and other technical information of a defensive nature.

The company initially learned that the attackers had staged and likely exfiltrated a limited amount of data from Cognizant's systems.

The company's further investigation found that the majority of the personal information was also exposed.

The personal information that may be impacted is information related to the company's corporate credit cards.

The company has also informed all the associates who have an active corporate credit card and is offering them credit and identity theft monitoring services.

The company has built a team and mentioned that it continues to monitor the accounts for any fraudulent activity, and that it has been informed there has been no increase in fraud on its accounts.

Ransomware attacks have become an easy and malicious way of robbing individuals and companies, and can cost billions of dollars, not to mention the privacy and safety implications.

The company also published a breach notification letter, which states that the Maze ransomware was active in the Cognizant network between April 9 and 11.

 

Open the Incident of Godaddy Data breach
https://vednam.com/open-the-incident-of-godaddy-data-breach/
Fri, 12 Jun 2020 11:35:43 +0000

Finally, GoDaddy has opened up about the data breach impacting the security of web hosting accounts, which happened in October 2019.

Talking about Godaddy

GoDaddy is the world's largest Internet domain registrar and web hosting company. Its main headquarters is in Scottsdale, Arizona; it has approximately 19 million customers, and the total number of employees connected with the organization worldwide is around 9,000.

Let’s take a look at the data breach

According to the company, it identified suspicious activity on a subset of its servers. The investigation found that an unauthorized individual had access to the login information used to connect via SSH to hosting accounts. After that, the unauthorized user was blocked from the systems, and the company continues to investigate the potential impact across its environment.

As per the information, it was made clear that the attack hit the hosting accounts but did not affect the main website, and user credentials and information there are safe.

SSH

SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. Because SSH is used to access an organization's most critical assets, organizations should stick to the highest security level for SSH access: disable basic credential authentication and use machine identities. A threat intelligence specialist at Venafi recommended implementing strong private-public key cryptography to authenticate a user and a system.

What are the measures taken by GoDaddy?

The measures are a precaution to prevent unauthorized access to hosting accounts using the login information. To be on the safe side, customers are requested to conduct an audit of their hosting accounts. The GoDaddy team has sent a breach notification letter and offered one year of free Website Security Deluxe and Express Malware Removal services, to show this was not the customer's fault.

GoDaddy runs scans on your website to identify and alert you to any potential vulnerabilities. There is also a special way to contact its security team, who will be there to help, as mentioned in the notification letter.

Hacker access over 3.8 crore accounts of Digi locker
https://vednam.com/hacker-access-over-3-8-crore-accounts-of-digi-locker/
Wed, 10 Jun 2020 06:02:17 +0000

India's DigiLocker had some bugs which could let hackers steal the data of around 3.8 crore accounts without requiring a password.

Let me tell you that DigiLocker is an online digital store where you can save your documents and data, entirely under the supervision of the government. A few days back a researcher discovered a new vulnerability in DigiLocker which compromised around 3.8 crore accounts.

The authentication flaw put the core of the users' data at risk, and the issue was identified by a security researcher last month.

A vulnerability of this type in two-factor authentication can let a hacker access some of the sensitive private information of users, but the issue has now been resolved and fixed.

The issue was found when the researcher analyzed DigiLocker's authentication mechanism. They found that the default mechanism asks for a one-time password (OTP) and a PIN to log in to DigiLocker.

The researcher was able to circumvent the authentication mechanism at the OTP step by entering an Aadhar number and intercepting the link to DigiLocker, simply modifying the parameter.

DigiLocker has a total of 38 million enrolled users. It is a cloud-based locker that serves as a digital platform to support online processing of records and faster delivery of various government-to-citizen services.

More importantly, the mobile number and Aadhar card number are used to sign up for DigiLocker.

Other security experts have also investigated the DigiLocker vulnerability, and their main findings are described below.

https://twitter.com/digilocker_ind/status/1267873034645331969

INVESTIGATION

According to the security researcher, the vulnerability was reported to CERT-In and the issue was determined on May 28. The detailed analysis discovered the following:

  1. Weak SSL pinning mechanism in the mobile app
  2. Secret PIN bypass/takeover- marked as critical
  3. OTP bypass due to lack of authorization-marked as critical
  4. Poor session mechanism in APIs-marked as high

Weak SSL pinning mechanism in the mobile app

The mobile app uses a weak SSL pinning mechanism, which can be bypassed easily with tools like Frida and with some other known methods as well.

Secret PIN bypass/takeover- marked as critical

The secret PIN bypass/takeover is one of the flaws that was marked as a critical finding. The PIN API/URL could let hackers reset the PIN of any user without any authentication. For hackers this is the easiest way to compromise user data, and that was the main reason the issue was marked critical.

OTP bypass due to lack of authorization-marked as critical

The OTP bypass is due to a lack of authorization, which makes the situation more comfortable for an attacker. OTP validation could be performed as any valid user, and the flow could then be manipulated to log in as a completely different user.

Poor session mechanism in APIs-marked as high

 

The poor session mechanism in the APIs is found to be a higher risk than the rest of the vulnerabilities. Looking deeper at the API calls made by the mobile app, they were found to rely on basic authentication to retrieve any data or perform transactions.

More importantly, all calls are encrypted, and each requires the user to present credentials in basic authentication format, which is also encrypted with the algorithm.

Whats app Phone Number Exposed on Google Search result-How ?
https://vednam.com/whats-app-phone-number-exposed-on-google-search-result-how/
Mon, 08 Jun 2020 13:18:19 +0000

A researcher discovered that phone numbers tied to WhatsApp accounts are publicly indexed on Google Search, which raises privacy questions for users.

According to the report, the researcher warns that a feature called “Click to Chat” puts users' mobile phone numbers at risk: Google is allowed to index the numbers of everyone who is using this application, and anyone can then find you through Google Search.

Facebook, WhatsApp's owner, says: “It is no big deal, and the search results only reveal what the user wants to share publicly.”

A bug-bounty hunter said they “discovered the issue, which basically means the phone number is leaked, and that may put user security and privacy at risk”.

“Click to Chat” offers websites an easy way to initiate a WhatsApp chat session with website visitors. It works through a QR (Quick Response) code image created by third-party services from the site owner's mobile phone number. Visitors scan the QR code and directly start the WhatsApp chat session; they don't need to dial the number themselves. The visitor gets access to the phone number once the session starts.

The issue does not end there. Jayaram mentioned that “the Click to Chat metadata has been indexed by the Google search engine, and the mobile number comes up in Google search results. The phone number is revealed because of the URL string (https://wa.me/<phone_number>), and this ‘leaks’ the mobile phone numbers of WhatsApp users in plaintext, according to me”.

“wa.me” is owned and maintained by WhatsApp, as mentioned in WHOIS records.

Your mobile number is visible in plaintext in the URL, so anyone who gets hold of the URL can know your mobile number. You cannot revoke it.

He mentioned that this makes it easier for spammers to compile legitimate phone numbers to mount campaigns; specially crafted search strings for the domain http://wa.me/ showed that Google had indexed around 300,000 WhatsApp phone numbers.

“As individual phone numbers are leaked, an attacker can message and call them, or sell the phone numbers to marketers, spammers and scammers,” he said.

Google Search only revealed the phone numbers and not the identities of the users they are connected to.

The researcher mentioned that “they are able to see the user's profile picture on WhatsApp along with their phone numbers”.

A hacker could reverse image search the user’s profile picture in hopes of collecting enough clues to establish the user’s identity.

Click to Chat lets a WhatsApp user chat with any user without saving the contact on their phone.

 

The post Whats app Phone Number Exposed on Google Search result-How ? appeared first on Vednam.

]]>
https://vednam.com/whats-app-phone-number-exposed-on-google-search-result-how/feed/ 0
Zee5 Hacked-150GB Data leaked from Video On demand Platform https://vednam.com/zee5-hacked-and-data-leaked/ https://vednam.com/zee5-hacked-and-data-leaked/#comments Mon, 08 Jun 2020 05:54:24 +0000 https://vednam.com/?p=796 Hackers are on their work and this time they hit an Indian Video On-demand platform ZEE5. ZEE5 data hacked and threatened to sell the data on the dark web markets. The hacker mentioned the name “john wick” who had hands in breaching the ZEE5 systems and downloaded 150GB of live data and also stole the […]

Hackers are at work again, and this time they hit the Indian video-on-demand platform ZEE5. ZEE5’s data was hacked, and the hackers threatened to sell it on dark web markets.

The hacker goes by the name “john wick” and had a hand in breaching the ZEE5 systems, downloaded 150GB of live data and also stole the source code of the website.

Mainstream Story

According to a report circulating on the internet, “the hacker who breached the data has a connection to the Korean hacking group which executed this plan successfully and sold all the data on the hackers’ forums”.

The hacker group shared some proof that they have access to ZEE5’s private code. The monitoring team confirmed that the access proof is correct and said the hack happened around the end of February or March.

A few days later the hackers shared another sample, which is a very serious concern because this sample contains the live code secret keys and credentials of the unsecured AWS.

The last breach was detected on 24th April 2020 and clearly indicated that the hacker has access to recently subscribed users and to the database containing details of users from every state of India.

The breached database holds the records of the “Payment Platform”. This is a big deal for the company, because exposed user data with payment details mainly harms the users who are connected with ZEE5.

According to Ralph Wagner, “We don’t manage the Zee5 database nor the MySQL database which are mentioned. I will investigate the whole breach and then we will share the proper details.”

The leaked data includes information such as:

  1. Email Address
  2. Mobile Numbers
  3. Recent transaction 
  4. Passwords

An email sent to different news agencies states: “will expose your database & code in public for the open sale soon”.

The email was sent from a secure, encrypted email service, which makes the email impossible to trace. The hacker sent the mail from “hckindi@tutanota.com”.

This email service has been used in different campaigns, such as Dharma ransomware, and the same email address has been seen in use by the Korean hacker.

This is not the first time ZEE5 has been hacked. All these breaches happened without the company saying anything or taking any action on them.

Zoom Chat let the hacker’s victimize the user https://vednam.com/zoom-chat-let-the-hackers-victimize-the-user/ https://vednam.com/zoom-chat-let-the-hackers-victimize-the-user/#comments Sat, 06 Jun 2020 12:55:50 +0000 https://vednam.com/?p=787 If you are using the Zoom – especially in this lockdown session – get aware of all Vulnerabilities that may happen during the video conferencing. Run the latest version of the Zoom Video conferencing software on your window, Mac OS, and Linux computer. According to the latest update the new arrival of the most demandable […]

If you are using Zoom, especially during this lockdown, be aware of the vulnerabilities that can affect video conferencing. Run the latest version of the Zoom video conferencing software on your Windows, macOS, and Linux computers.

According to the latest update, the new, much-demanded real end-to-end encryption feature is apparently available only to paid users. The main news here, though, is the latest critical vulnerabilities to be discovered.

A researcher from Cisco mentioned that two vulnerabilities were discovered in the Zoom video conferencing software that could have allowed attackers to remotely compromise the machines of group chat participants or of an individual recipient.

Both flaws are path traversal vulnerabilities that can be exploited to write arbitrary files on machines running vulnerable versions of the Zoom video conferencing software and to execute malicious code.

According to the researcher, successful exploitation of both issues requires little interaction from the targeted participant: the malicious code can be delivered by a specially crafted message sent through the chat system to an individual or a group.

The first vulnerability (CVE-2020-6109) resided in the way Zoom leverages the GIPHY service, recently bought by Facebook, to let users search for and exchange animated GIFs while chatting.

The researchers found that the Zoom application did not check whether a shared GIF was loaded from the Giphy service or from another source. An attacker could therefore embed GIFs from a third-party, attacker-controlled server, which Zoom by design caches/stores on the recipient’s system in a specific folder associated with the application.

The application also did not sanitize filenames, which could allow attackers to achieve directory traversal and trick the application into saving malicious files disguised as GIFs to any location on the victim’s system.

The second remote code execution vulnerability resided in the way vulnerable versions of the Zoom application process code snippets shared through the chat.

The researcher also said that Zoom’s chat functionality is built on the XMPP standard with additional extensions to support a rich user experience. One of those extensions supports including source code snippets with syntax highlighting. Sending code snippets requires installing an additional plugin, but receiving them does not.

This feature creates a zip archive of the shared code snippet before sending it and then automatically unzips it on the recipient’s system.

According to the source, Zoom’s zip file extraction feature did not validate the contents of the zip file before extracting it, which allows an attacker to place malicious code on the target computer.

Last month Zoom patched both vulnerabilities with the release of version 4.6.12; the previous version, 4.6.10, contained the vulnerabilities. The video conferencing software is now safe on Windows, macOS, and Linux.
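The two missing checks described above (where a cached GIF comes from and what it is named, and what a received zip archive contains) can be sketched as follows. This is an added example, not Zoom's code; the allowlisted host `media.giphy.example` and the function names are assumptions made for illustration.

```python
import io
import os
import zipfile
from urllib.parse import urlparse

ALLOWED_GIF_HOSTS = {"media.giphy.example"}  # assumption: placeholder allowlist


def resolve_inside(base, member):
    """Resolve member under base; refuse absolute paths and '..' escapes."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, member))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes target directory: {member!r}")
    return target


def safe_cache_path(cache_dir, url):
    """Map a remote GIF URL to a file inside cache_dir, or raise ValueError."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_GIF_HOSTS:
        raise ValueError("GIF is not served from an allowed host")
    # Keep only the final path component; never reuse a sender-supplied path.
    name = os.path.basename(parsed.path.replace("\\", "/"))
    if name in ("", ".", "..") or not name.lower().endswith(".gif"):
        raise ValueError("unacceptable file name")
    return resolve_inside(cache_dir, name)


def safe_extract(zip_bytes, dest_dir, max_total=10 * 1024 * 1024):
    """Validate every archive member first, then write; returns written paths."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        if sum(m.file_size for m in members) > max_total:
            raise ValueError("archive expands beyond the size limit")
        # Resolving all targets up front means one bad name rejects the lot.
        plan = [(m, resolve_inside(dest_dir, m.filename.replace("\\", "/")))
                for m in members]
        written = []
        for member, target in plan:
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
        return written
```

Because every member path is resolved before the first write, an archive that mixes legitimate entries with a single escaping name leaves nothing on disk.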
