Month: September 2012

iOS6 HTTP POST Blunder

It usually is quite amazing when someone upgrades their iPhone to a new OS and suddenly things stop working. By "things" I mean web-applications and by "not working" I mean they literally stop working.

This affected me and my work. Suddenly people who visit one of my web-applications cannot use it properly. They seemed to only be able to send HTTP POSTs but not receive. Weird. Then we see the issue completely exploded on Stack Overflow, which is a good thing because it means it’s not you that fu**ed up this time 🙂 it’s an SEP.

Trick Samsung Device to Hard Reset

There seems to be a vulnerability in TouchWiz, Samsung’s touch interface. It appears that a "tel:" link in an "<a>" tag will be dialed without prompting you for confirmation if the number being dialed is a system command.

For instance, because we love humor and the misfortune of others, we have this HTML page:

<html>
   <head></head>
   <body>
      <a href='tel:*2767*3855%23'>Click here for customer support</a>
   </body>
</html>

When our dear friend on their Samsung device clicks the link, they will hard-reset their phone with no confirmation. It seems that it will only prompt you if the number is one that will cost you $$$ for making a call.

WARNING – Feeling adventurous and want to try it out on yourself? Do it at your own risk: it will erase all data on your phone and revert it to factory settings.

Some crazy iPhone fanboi is offering up the link for all to click on 🙂

***** UPDATE *****
H-Online reported that there is a new app on Google Play that will intercept and prevent hard resets from the above exploit. The app is called NoTelUrl, developed by Jörg Voss.
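
A defensive check for the behaviour described above, as an added example that is not part of the original post: it scans HTML for tel: URIs whose decoded number contains "*" or "#", which ordinary phone numbers do not need. The names dialer_code and scan_html are hypothetical, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

TEL_SCHEME = re.compile(r"^\s*tel:", re.IGNORECASE)

def dialer_code(uri):
    """Return the decoded dial string if uri is a tel: link carrying '*' or '#'.

    Ordinary phone numbers need only digits, '+', '-', '.', '(' and ')';
    '*' and '#' mark codes that the handset interprets itself.
    """
    if not TEL_SCHEME.match(uri):
        return None
    # A raw '#' would start a URI fragment, so pages write it as %23: decode first.
    number = unquote(TEL_SCHEME.sub("", uri, count=1)).strip()
    return number if ("*" in number or "#" in number) else None

class TelLinkScanner(HTMLParser):
    """Collects (line, tag, attribute, decoded number) for every risky tel: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already resolved entities such as &#35; in attribute values.
        for name, value in attrs:
            code = dialer_code(value or "")
            if code:
                self.findings.append((self.getpos()[0], tag, name, code))

def scan_html(html):
    scanner = TelLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not from the post): one normal number, two coded links.
SAMPLE_HTML = """<html><body>
<a href="tel:+1-555-0100">Call sales</a>
<a href='tel:*%2306%23'>Click here for customer support</a>
<a href="TEL:*&#35;06&#35;">Help line</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, code in scan_html(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> would dial the code {code!r}")
```

The same predicate can sit in a proxy or content filter so that coded tel: links are stripped or rewritten before they reach a handset.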

Spam, The New Cryptography

Recently I stumbled upon a very interesting website called SpamMimic. They have created a service that takes free-form text as input (this would be your secret message) and encodes it into a message that looks like spam. The recipient who receives this "spam" then decodes it back into the original secret message.

This is very interesting and I predict that it will be the best way to encode private messages in the future. There is already an influx of spam on the internet, so a lot of these messages will be ignored. But wait, what if spam messages are deleted? Well, this is where the actual algorithm to encode and decode text to spam should be improved, to really make it look like some boring blah blah conversation that you would actually have.

The folks at SpamMimic keep a database of spam messages to use for the encoding. Suppose the algorithm were done in such a way that, instead of using a DB of spam messages, it used a DB of your personal email archive. Then the encoded output would really look like it had originated from you, and anyone who intercepts the message will not think "oh, suddenly these 2 people are exchanging spam, looks suspicious".

WhatsHacked, WhatsCracked, WhatsSucks? WhatsApp

Unbelievable update here for WhatsApp. Our good friends at H-Online have uncovered the complete insecurity of WhatsApp (or as they claim, "Almost Completely").

Blog posts by fileperms and Geeknizer have just about ripped WhatsApp to pieces and demonstrated that once an account is hijacked you have basically lost control of your WhatsApp account. They even suggest switching to a different device!

This WhatsApp issue has been causing a cluster of blog posts all reporting the same issue and linking to each other 🙂 Nice. So for more details check the hyperlinks above and our own!

**** UPDATE ****
On September 20th, 2012 WhatsApp issued an update (at least on Android) with no mention of whether they fixed or mitigated the security vulnerabilities. They just state "many many bug fixes and improvements", which could mean anything. Awaiting the hackers to reverse engineer the new update to see what has been done.

**** UPDATE ****
H-Online reports that WhatsApp is still broken and a security risk to all. They suggest uninstalling it to be safe. WhatsApp has folded their genitalia neatly and tidied their testicles in the closet and begun threatening lawsuits against developers of WhatsApp APIs such as WhatsAPI. Suing developers of open-source APIs will not make WhatsApp more secure. A hack is a hack and someone will take advantage of it to screw you out of your privacy, because all WhatsApp can do is sue someone else who made an API to access the service.

I say again, WhatSucks? WhatsApp.

Useful Linux Commands To Benefit All

As a true GNU/Linux user I always hear things from other users beside me. Well yes, aside from the usual swearing and cursing the day the motherboard was created. I am talking about other things I hear. For example the following:

  • Repeated key strokes of “UP + ENTER”
  • Moans of "Maximum allowed open files, wtf is that? I’m confused"
  • Subtle murmuring of "Why is this always showing only in IPv6?"

It’s these things that I hear, and no one (at least the primates I encounter in the jungle) has the intellectual curiosity to research whether there is a better way to perform that task. So just to help a little I am going to publish my small list of most useful GNU/Linux commands to help all primates, apes and monkeys alike (I consider myself a gorilla… I have seen some yetis but they seem to know Linux and use weird things like Slackware and DSL).

Find the number of open files for a given process (replace <PID> with the process ID).
ls /proc/<PID>/fd | wc -l

Find the number of open sockets for a given process, in case the above was under the limit.
ls -l /proc/<PID>/fd | grep socket | wc -l

Increase the limit of number of open files per process, here we use 2048. Damn why would a process open 2048 files at a time? Feels like a leak….
ulimit -n 2048
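
The three checks above combined into one report, as an added example that is not from the original post. It is written in Python rather than shell, assumes a Linux /proc filesystem, and fd_report is a hypothetical name. A count that keeps climbing toward the soft limit is the leak the ulimit comment hints at.

```python
import os

def fd_report(pid):
    """Return open-descriptor count, socket count and soft limit for pid."""
    fd_dir = f"/proc/{pid}/fd"
    total = sockets = 0
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            # Descriptor vanished since listdir, e.g. the one listdir itself
            # used when a process inspects its own /proc entry.
            continue
        total += 1
        if target.startswith("socket:"):
            sockets += 1

    soft = None
    with open(f"/proc/{pid}/limits") as fh:
        for line in fh:
            # Format: "Max open files   <soft>   <hard>   files"
            if line.startswith("Max open files"):
                field = line.split()[3]
                soft = None if field == "unlimited" else int(field)
    return {"open": total, "sockets": sockets, "soft_limit": soft}

if __name__ == "__main__":
    report = fd_report(os.getpid())
    print(report)
    if report["soft_limit"] and report["open"] > 0.8 * report["soft_limit"]:
        print("over 80% of the open-file limit: look for a descriptor leak")
```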

Amazing magic with the watch command. Monitor a command and set an interval in seconds. The below command executes ls -l every 1 second to monitor any file changes in the directory. (wow my hand doesn’t hurt anymore)
watch -n 1 'ls -l'

View all network connections on IPv6 and IPv4, or just remove -i6 to just see IPv4.
lsof -Pnl +M -i6 -i4

Show all folders in a directory and how much space they take up, display their sizes in bytes and sort by size.
du -sb * | sort -n

Be a complete jerk and get the CPU usage to 100% at constant rate! 🙂
ping -l 10000 -s 10 -q -f localhost

Please remember to look at the man pages for these commands to further customize them to your needs.

WhatsApp is WhatSucks

One of the most popular cross-platform mobile applications used as a replacement for messaging and sharing multimedia is under scrutiny for being insecure. Yes, we are talking about none other than WhatsApp. Now we have seen previous instances of idiocy here but the victims there are mostly financial institutions and their reputation, which not a lot of people really care about.

It has been reported by Sam Granger that WhatsApp on Android uses your phone IMEI to generate its passwords:

md5(strrev('your-imei-goes-here'))

Then a little later it seems WhatsApp did something about it! Reading the comments section of Sam Granger’s blog, it seems it no longer works. Yeah… WhatsApp actually did something about it! Great… but hold your excitement: it seems that everything is not what it seems.

It was recently reported by Ezio Amodio that WhatsApp on iOS is back to its old password trickery again. This time they are using the iPhone’s MAC address to generate the password like so:

md5(AA:BB:CC:DD:EE:FFAA:BB:CC:DD:EE:FF)

Our dear friends at H-Online have verified the blog post and well just being on H-Online is something important.

So what sucks about WhatsApp? Their security, your privacy and their embarrassment.

UPDATE
A commenter posted a link to a pastebin with the most curious title, "Reverse Engineering: How WhatsApp (not) Securing Your Data". It’s a great read and there are George Carlin references too! Can’t get better than that: cryptography, sarcasm, George Carlin and nifty rev-engineering.

Bypass Qualys and Acunetix Using GWT

We have all heard about vulnerability scanners such as Qualys and Acunetix and how they’re at the forefront of security! Right until they hit a website created using the Google Web Toolkit, otherwise known as GWT.

Trying to scan a web application created using GWT with Qualys or Acunetix results in utter failure. With all the propaganda being spewed out by those companies on how advanced they are, they cannot even properly scan a GWT web app. It’s not like GWT is something special, it’s just JavaScript, Ajax, HTML5 and CSS all smashed together.

People have even raised the issue that GWT-built apps are not supported by Acunetix, as is shown in this issue. Poor thing has no replies and is dated from last year. Yes, this is how much Acunetix cares.

Qualys has no mention of GWT support, but I can assure all that they do not have any support. Mainly because I developed a large GWT web app and we tried scanning it with Qualys and it failed numerous times. It cannot even get past the login page. Issues were raised like months ago and it seems they’re struggling.

Why is this bad?

Well, according to InfoSecurity Magazine, most open-source frameworks have security vulnerabilities. Most get used in mission-critical applications and the user or company may not know that vulnerabilities exist, or whether new versions were released that fixed them. This being said, according to InfoSecurity Magazine, Google Web Toolkit was downloaded 17.7 million times with known vulnerabilities, and this was dated April 2012. So that means GWT version 2.4.0 has the vulnerabilities and maybe people should read the changelog of release candidate 2.5.0.