Adobe has recently rebutted the claims of a security researcher, according to whom a design flaw in the way Flash Player executes SWF files can put websites accepting user uploads at risk. The professional now says the company totally missed the point and that its expectations of webmasters to address this are completely unrealistic. Almost two weeks ago, we reported about the security risks of misconfigured crossdomain.xml files. These files contain rules for Flash's cross-domain access policy. However, more recently, a security researcher named Mike Bailey has exposed an ever more dangerous issue with Flash's same origin policy... [read more >>] A former antivirus analyst ostracized by the AV community for unethical behavior is accusing Kaspersky Lab of injecting malicious code into his newly launched website. Researchers with the Russian antivirus vendor portray the former white hat as a cyber-criminal associated with the Sinowal gang.Peter Kleissner is an 18-year-old hacker living in Vienna, Austria. He made a name for himself partially due to a research paper regarding master boot record (MBR) rootkits, which he presented at the 2009 Black Hat security conference. MBR rootkits consist of malicious code that is able to execute before the operating system and reinfect it on every ... [read more >>] A Web security researcher has disclosed cross-site scripting weaknesses in the two most popular Facebook applications. He claims to have found similar flaws affecting other apps as well, including an SQL injection vulnerability in a Facebook-verified one.The self-confessed white hat hacker goes by the online handle of "theharmonyguy" and focuses on social networking application security research. According to his own account, during the month of September, he will be disclosing vulnerabilities in top Facebook applications, following the model of Aviv Raff's "Month of Twitter Bugs" initiative.During August, reputed security researcher A... [read more >>] Two Japanese researchers have devised a new practical attack against the WPA/TKIP encryption system still used in many Wi-Fi environments. The method is based on a mainly theoretical attack presented last year, but it was extended to all WPA implementations and can succeed in about one minute.The Wi-Fi Protected Access (WPA) certification employs the Temporal Key Integrity (TKIP) protocol to secure wireless LAN communications. It has been designed as a temporary replacement for the now deprecated and highly insecure Wired Equivalent Privacy (WEP) protocol, while accommodating older hardware. Both WPA/TKIP and WEP make use of the RC4 stream ... [read more >>] A blogger trying to bypass Twitter's new nofollow policy for oauth client application links stumbled upon a massive persistent cross-site scripting (XSS) vulnerability, which allowed him to insert potentially malicious JavaScript code into a tweet. The vulnerability could have been leveraged to steal session cookies, create a Twitter worm or infect visitors with malware.Earlier this month, search engine optimization gurus revealed a black hat SEO technique that was being used to increase a website's page rank by receiving "link juice" from Twitter. Most of the links pointing out of Twitter have the rel="nofollow" parameter, which ... [read more >>] A greyhat hacker has discovered a critical SQL injection vulnerability in Yahoo! Local Neighbors discussion board website. The flaw can be used to read information about administrative and user accounts or upload a shell on the server.Neighbors is a Yahoo! Local feature launched at the end of 2007 with the purpose of providing a place for people to exchange information about events happening in their local communities and other useful info. Yahoo! describes the site as a "practical discussion board for any topic - from neighborhood safety to contractor recommendations."The hacker who discovered the vulnerability goes by the online nickname ... [read more >>] Robert Graham, expert at Erata Security, the person who was first to find the vulnerability behind the UN website attack in 2007, reported on his blog that United Nations security admins failed to fix the problem. The UN website is still as vulnerable as it was two years ago to massive SQL injection as it can be seen from the attached screenshot. In August 2007, three hackers defaced the United Nations website, while replacing the Secretary-General Ban Ki-Mon's speech with their own pacifist statement. They were able to do this with a simple SQL injection technique, as Mr. Graham later proved that parameters could be added to the ASP... [read more >>] The websites and servers of reputed security experts and popular online hacking communities have been compromised by a group called ZF0 (Zero for 0wned), which released a big text file containing a wealth of info extracted during the hacks. According to its manifesto, ZF0 opposes full-disclosure practices and thinks that the security industry is failing. The file left behind by the black hats, called ZF05.txt, which is supposed to signify issue five of the Zero for 0wned zine (magazine), contains attack logs sprinkled with the hackers' comments, as well as personal emails, chats and other data belonging to those compromised. The hack... [read more >>] A hacker claims to have compromised the personal email accounts of several Twitter employees including that of Twitter Co-Founder Evan Williams. As a result, he also obtained access to one employee's Google Apps account, from where he downloaded confidential company documents that were recently leaked to the media. The story was broken out yesterday by TechCrunch, which received, from a person identifying himself as "Hacker Croll," 310 Twitter corporate documents "ranging from executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees." The docu... [read more >>] Update: The message announcing Milw0rm's shutdown has been removed from the website. Submissions seem to have also been reopened. It is not yet clear if str0ke decided to continue alone, if he got assistance with reviewing exploits or if someone else took over the maintenance tasks entirely.One of the major sources of proof of concept (PoC) exploits on the Internet, milw0rm.com, will be closing down. The website's maintainer, str0ke, announces that he can't commit anymore to reviewing exploits submitted by third-parties, in a timely manner. While this is sad news for people familiar with the exploit release scene, as well as... [read more >>] | 
RSS
