Category: Application Security

Anonymous Defaces NASA Web Site, Sort Of


Reports are emerging that members of the hacker collective Anonymous (or something other than “hacker,” since they don’t want to be called that anymore; from the IRC: “To the idiot reporters: we’re not hackers”) defaced NASA in support of Wikileaks.

Paypal Sender Country XSS


A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm, which reflects the supplied value into the page without adequate encoding.

F-Secure XSS on Anti-Theft Website


In a new section supporting the release of an anti-theft product for mobile phones, the web site of Helsinki-based anti-virus company F-Secure is vulnerable to cross-site scripting (XSS).

Newsweek Reports Zombie Invasion


Newsweek.com becomes the latest in a long list of sites that will reveal an Easter egg if you enter the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A, enter) correctly.


Going After BP

BP continues to be the subject of criticism following the Deepwater Horizon oil spill, and the hacking community appears to be taking exception to some of BP’s recent public relations activities in the online arena.

Formspring.me XSS Vulnerability


Formspring.me, a newly popular social networking site, has a fundamental cross-site scripting flaw that allows one logged-in user to steal another user’s session; it may also allow users to find out who posted a nasty comment about them.

XSS Flaw on PayPal.com


Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent (reflected) cross-site scripting attack (XSS). While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit or credit cards, and payments can be made to third parties without any additional authentication once user access is gained.

Bad Password Management Will Stop You in Your Tracks


Refusing to maintain and follow a good termination checklist, one that walks through which access rights to decommission when someone leaves your company, can put the brakes on your customers’ good will. Texas Auto Center in Austin, Texas demonstrated the headaches that ensue: in February, more than 80 customers who had financed cars through the dealer were left unable to get to school or work, and were stuck with charges for towing and unnecessary repair work.

Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty-year-old Omar Ramos-Lopez, had used still-active credentials to log in to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, make horns honk through the night.

Congressional Web Site Defacements Follow the State of the Union


Shortly after President Obama’s State of the Union address, constituents visiting the web sites of Congressional representatives like Charles Gonzalez (20th District of Texas), Spencer Bachus (Alabama’s 8th District), and Brian Baird (Washington’s 3rd District) were presented with a defacement message from the Red Eye Crew that, as of 4:10 am EST, remains up on their web sites. All of the sites affected are in the house.gov domain, but not every congressional site in the domain is defaced.

Umm…TechCrunch? Defacement Two in 24 Hours


Less than 24 hours after the last web site defacement, TechCrunch was defaced again early this morning by the same cracker(s) responsible for yesterday’s attack. Whatever preventative measures were taken yesterday (WordPress upgrade, HTTP authentication for wp-admin) have not blocked the attacker’s ability to modify TechCrunch’s content: this morning the attacker left a profane message on top of the homepage aimed at Michael Arrington as well as a few media outlets like Yahoo and the BBC. At this point TechCrunch should perhaps be ensuring that there is no uploaded web shell on the server the site is hosted on, since a persistent backdoor would explain why the upgrade and the added authentication did not keep the attacker out.
