Hacking an eBay Account in just 1 minute

Source: http://thehackernews.com

Four months ago, a massive data breach on the eBay website affected 145 million registered users worldwide after its database was compromised. Meanwhile, another critical vulnerability on the eBay website was reported, allowing an attacker to hijack millions of user accounts in bulk.
An Egyptian security researcher, ‘Yasser H. Ali’, informed The Hacker News about this vulnerability four months ago; it could have been used by cyber criminals in targeted attacks. At that time, Mr. Yasser privately demonstrated the vulnerability step-by-step to ‘The Hacker News’ team and we confirmed – IT WORKS.
Since it was not addressed by the eBay security team, we kept the technical details of this vulnerability hidden from our readers. But we promised to share the technical details of this interesting flaw once the eBay team had patched it. So, here we go!
The vulnerability Yasser found could allow an attacker to reset the password of any eBay user account, without any user interaction or other dependency. The only thing required is the login email ID or username of the victim.


Basically, to recover a forgotten password, the user is first redirected to a password reset page, where eBay generates a random code value as the HTML form parameter “reqinput”. This value is visible to the attacker as well, using the browser’s inspect element tool.


After the user provides his/her email ID and presses the submit button, eBay generates a second random code, unknown to anybody except the user, and sends that code along with a password reset link to the user’s registered email address.
Once the user clicks on the password reset link in the email, the user is redirected to an eBay page with a new password option, where the user only needs to enter a new password twice and submit it in order to reset his eBay account password.

Yasser noticed that instead of using the secret code, the new-password HTTP request sends the same “reqinput” value that was generated in the first request, when the user clicked on reset password, and which is therefore known to the attacker.

As a proof of concept, the researcher targeted one of our team members’ temporary accounts with the email address info@thehackernews.com. First he made a password reset request at eBay for the targeted email ID and saved the generated ‘reqinput’ value from the inspect element tool.

Then he directly crafted a new HTTP request to the eBay server’s password reset form action with the known “reqinput” value, the new password, the confirm password and the password strength parameters.
BANG!! He was able to reset our eBay account password within moments, without any interaction from our team member.
A sophisticated hacker could have launched an automated mass password reset attack against all the email accounts leaked in the previously reported massive eBay data breach.
The company has already patched the vulnerability after Yasser responsibly disclosed the flaw to the eBay security team. But this four-month delay in delivering the patch could have compromised millions of eBay users’ accounts in a targeted attack, even if you had changed your password after the data breach.
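The flaw described above, as an added example that is neither eBay’s code nor the researcher’s: a constructed reset service in which the final request is authorised by the client-visible “reqinput” alone, beside a version that demands the emailed secret, checks expiry, compares in constant time and burns the token on first use. The class, method and field names are assumptions for illustration.

```python
import hmac
import secrets
import time

class ResetService:
    """Constructed password-reset back end (assumed design, not eBay's)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.passwords = {}   # email -> current password (demo storage only)
        self.pending = {}     # reqinput -> (email, secret, expiry)
        self.outbox = []      # (email, secret) pairs "emailed" to the user

    def start_reset(self, email):
        """Steps 1-2 of the flow: issue the public reqinput form value,
        then email a second, secret code to the registered address."""
        reqinput = secrets.token_urlsafe(16)   # visible in the HTML form
        secret = secrets.token_urlsafe(32)     # known only to the mailbox owner
        self.pending[reqinput] = (email, secret, time.time() + self.ttl)
        self.outbox.append((email, secret))
        return reqinput

    def reset_flawed(self, reqinput, new_password):
        """The pattern the article describes: the final request is accepted
        on the public reqinput alone, so the emailed secret is never checked."""
        entry = self.pending.get(reqinput)
        if entry is None:
            return False
        email, _secret, _expiry = entry
        self.passwords[email] = new_password
        return True

    def reset_fixed(self, reqinput, emailed_secret, new_password):
        """Hardened: the emailed secret is required, compared in constant
        time, rejected after expiry, and consumed on first use."""
        entry = self.pending.get(reqinput)
        if entry is None:
            return False
        email, secret, expiry = entry
        if time.time() > expiry:
            del self.pending[reqinput]
            return False
        if not hmac.compare_digest(secret, emailed_secret or ""):
            return False   # knowing reqinput from the form is not enough
        del self.pending[reqinput]   # single use: a replayed link is refused
        self.passwords[email] = new_password
        return True
```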


About 5 million Gmail IDs and passwords leaked

Source: http://www.ehackingnews.com

Did Google get hacked?
No, the leak was not the result of a security breach of Google systems. The dump is said to have been obtained from other websites.

So, if you have used the same password anywhere else, your Gmail account could be compromised.

Google’s response
“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.” Google wrote.

What should you do?

  • There are a few websites available online to check whether your Gmail ID has been compromised or not. My suggestion is: don’t use them. I suggest everyone change their password (I believe most people keep the same password for years, so it’s better to change it now).
  • If you have not enabled the 2-step verification feature, it is good to enable it.
  • Never use your Gmail password on any other website.



Top six steps for a secure Web server

Source: www.techtarget.com

Ensuring Web server security is one of the most thankless tasks facing information security pros. You need to balance the conflicting roles of allowing the public legitimate access to Web resources while keeping the bad guys out. You might even consider implementing two-factor authentication, such as RSA SecurID, to obtain a high degree of confidence in your authentication system, but it wouldn’t be practical or cost-effective to distribute tokens to all of your Web site users. Despite such conflicting goals, here are six tactics that can help lock down your Web servers.

  • Use separate servers for internal and external applications.
    Given that organizations typically have two separate classes of Web applications, those serving internal users and those serving external users, it’s prudent to place those applications on different servers. Doing so reduces the risk of a malicious user penetrating the external server to gain access to sensitive internal information. If you don’t have the resources at your disposal to implement this, you should at least consider using technical controls (such as process isolation) to keep internal and external applications from interacting with each other.
  • Use a separate development server for testing and debugging apps.
    Testing applications on a stand-alone Web server sounds like common sense — and it is! Unfortunately, many organizations don’t follow this basic principle and, instead, allow developers to “tweak” code or even develop new applications on a production server. This is a horrible idea for both reliability and security reasons. Testing code on production systems could cause users to experience malfunctions (possibly, a complete outage) and could also introduce security vulnerabilities as developers post untested code that might be vulnerable to attack. Most modern version control systems (such as Microsoft’s Visual SourceSafe) can help automate the coding/testing/debugging process.
  • Audit Web site activity and store logs in a secure location.
    Every security professional knows the importance of maintaining server activity logs. Since most Web servers are public facing, it’s critical that you perform this task for all Internet-based services. These audit trails will help you detect and react to attacks, and will enable you to troubleshoot server performance issues. In high-security environments, make sure that your logs are stored in a physically secure location — the safest (but least convenient) technique is to have a line printer print the trail as it gets logged, thereby creating a permanent paper record that can’t be modified by an intruder who doesn’t have physical access to the premises. You may also want to consider electronic equivalents, such as logging to a secure host that implements encryption with digital signatures to prevent log snooping and modification.
  • Educate developers on sound security coding practices.
    Software developers, focused on creating apps that meet business requirements, often overlook the fact that information security is a critical business requirement. As a security pro, it’s your role to educate developers on the security issues that affect Web servers. You should make developers aware of the security mechanisms in place on your network to ensure that the software they create doesn’t circumvent those mechanisms; also offer training on concepts such as buffer overflow attacks and process isolation — all of which will go a long way towards ensuring sound coding practices that result in secure applications.
  • Keep your operating system and Web server patched.
    This is another “common sense” item that often slips through the cracks when administrators become overburdened with other tasks. Security bulletins, such as those issued by CERT or Microsoft, are a constant reminder of how often software vendors release patches for specific security vulnerabilities. It’s critical to keep your Web servers patched with current security fixes. Tools like Microsoft’s Software Update Service (SUS) and RedHat’s up2date service can help to automate this task. After all, once a flaw is published, if you don’t fix it, someone will eventually find it and exploit it.
  • Use application scanners.
    If affordable, you might want to consider the use of an application scanner to validate internally developed code. Tools like Watchfire’s AppScan can help ensure that exploitable code doesn’t slip through the cracks and into a production environment.
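One electronic equivalent of the line-printer trail in the audit-logging step above, as an added example that is not from the article: each access-log record is sealed with an HMAC chained to the previous record’s tag, so a log host holding the key can detect any edited, deleted or reordered line. An HMAC stands in for the article’s digital signatures; the key, the sample log lines and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed web-server access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Sep/2014:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Sep/2014:10:01:09 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.23 - - [11/Sep/2014:10:01:15 +0000] "GET /admin HTTP/1.1" 403 221',
    '198.51.100.23 - - [11/Sep/2014:10:01:16 +0000] "GET /../etc/passwd HTTP/1.1" 400 0',
]
GENESIS = b"\x00" * 32   # chain anchor for the first record

def _body(seq, msg):
    # Canonical bytes covered by the tag: sequence number plus message.
    return json.dumps({"seq": seq, "msg": msg}, sort_keys=True).encode()

def seal_log(lines, key):
    """Return JSON records whose tag = HMAC(key, previous_tag || body)."""
    prev, sealed = GENESIS, []
    for seq, msg in enumerate(lines):
        tag = hmac.new(key, prev + _body(seq, msg), hashlib.sha256).digest()
        sealed.append(json.dumps({"seq": seq, "msg": msg, "tag": tag.hex()},
                                 sort_keys=True))
        prev = tag
    return sealed

def verify_log(sealed, key):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first record whose sequence number or tag does not check out."""
    prev = GENESIS
    for i, line in enumerate(sealed):
        rec = json.loads(line)
        expected = hmac.new(key, prev + _body(rec["seq"], rec["msg"]),
                            hashlib.sha256).digest()
        if rec["seq"] != i or not hmac.compare_digest(expected,
                                                      bytes.fromhex(rec["tag"])):
            return False, i
        prev = expected
    return True, None
```

The chain alone cannot detect truncation of the newest records, so the log host should also track the expected record count or seal a periodic checkpoint.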

Remember, security is a state of mind! Well-designed Web server architecture should be based on sound security principles. Implementing these six measures will help you build a strong foundation.

Apple CEO says iCloud security will be strengthened

Source: www.infoworld.com

Apple, still reeling from the nude celebrity photo incident, plans to soon strengthen security around its iCloud storage service, according to CEO Tim Cook in a news report Thursday.

The change consists primarily of new warnings when certain changes are made to an account, as well as implementation of two-factor authentication on iCloud accounts, Cook told The Wall Street Journal.


iCloud accounts for more than a dozen celebrities were compromised by hackers who obtained their login credentials, possibly by guessing security questions or using password-breaking tools. The subsequent release of nude photos put Apple on the defense, with the company maintaining that its systems were not breached.

Cook told the newspaper that Apple will begin sending email and push notifications within two weeks to users when a new device is used to restore or log into an iCloud account or an account’s password is changed.

With iCloud credentials, it is possible to download the entire contents of an account to a new device, including photographs, text messages, call logs, address books, calendars and other information depending on what a person has chosen to store on iCloud.

For iTunes, Apple has had a two-factor authentication feature, which involves entering a separate code to access an account. But that isn’t offered for iCloud, an apparent oversight.

“Signing into iCloud in order to access say, your backed up photos, does not require two-factor authentication,” wrote Marc Rogers, a principal security researcher with Lookout Mobile Security, in a blog post Wednesday. Besides, enabling Apple’s existing two-factor authentication would not have helped anyone involved in the latest leak, he added.

The next version of Apple’s mobile operating system, iOS, will have an option to use two-factor authentication for iCloud accounts, The Wall Street Journal reported.

Apple has maintained that the way its two-factor authentication mechanism is set up would have nonetheless still protected the accounts if it had been enabled by the victims.

If it was on, the hackers wouldn’t have been able to see the security questions used to verify someone’s account in case of a lost password. With two-factor authentication off, the hackers could guess the security questions and gain access.

But it has also been theorized that attackers used a password-guessing tool against Apple’s Find My Phone service. Apple didn’t acknowledge a security issue with Find My Phone, but a brute-force script posted on GitHub had a note indicating that an API for the service allowed unlimited guesses of passwords. The API problem was later fixed, it said.

In that scenario, two-factor authentication wouldn’t have mattered. The tool, called iBrute, might find the correct password, making it unnecessary for a hacker to get access to the security questions.

It is also possible the celebrities were victims of phishing attacks, where hackers try to trick people into revealing their credentials by sending them a link to a look-a-like but fraudulent Web service.