Google Admin Console has a Security Flaw

Summary: Google Admin Console has a security flaw which can be used by attackers to claim domains and send out spoofed emails.

As reported by Security Week, Patrik Fehrenbach and Behrouz Sadeghipour found a security flaw in Google Admin Console that let them gain temporary ownership of any domain. Google Admin Console is the web platform from which administrators manage their organization’s Google Apps account.

The researchers conducted some tests by claiming ytimg.com, which is used to host YouTube images and scripts, and gstatic.com, which is used by Google for loading content from its content delivery network (CDN). These two domains are owned by Google itself.

The researchers then used these domains to create users, admin@ytimg.com and admin@gstatic.com, to send out emails.

The researchers explained in the blog post:

Last month, we were able to report a vulnerability to Google where we were able to email from any domain that has not been claimed by its owner previously. For example, using Google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.

So not only were we claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter. Google patched this vulnerability by simply applying a FROM no-reply@google.com.

Google has addressed this vulnerability and the researchers have been awarded $500 for their efforts. Earlier, other researchers identified even more serious vulnerabilities in the Google Apps Admin Console. A researcher was reportedly awarded $5000 by Google after discovering a critical cross-site scripting (XSS) vulnerability in the Admin Console in January.

Both Google & Apple are expected to release fixes for the FREAK Security Vulnerability, a legacy Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security flaw which allows hackers to launch SSL Man-in-the-Middle (MITM) attacks.

Microsoft patches 15-year old Vulnerability – JASBUG

Microsoft recently issued a critical patch to fix a 15-year-old vulnerability that could be exploited by hackers to remotely hijack users’ PCs running all supported versions of the Windows operating system.

The critical vulnerability, named “JASBUG” by the researcher who reported the flaw, is due to a flaw in the fundamental design of Windows, and it took Microsoft more than 12 months to release a fix. However, the flaw is still unpatched in Windows Server 2003, leaving that version wide open to hackers for the remaining five months.

(more…)

Pakistan People’s Party Website Hacked

Bilawal Bhutto Zardari, the only son of former Pakistani President Asif Ali Zardari and former Prime Minister Benazir Bhutto, made a statement some time back regarding Kashmir, saying that his party, the Pakistan People’s Party (PPP), would take back the entire Kashmir from India. Indian politicians, however, described his statement as “childish” and “irresponsible”.

(more…)

Microsoft will collect data using keylogger from Windows 10 Preview Users

On 30th September 2014, Microsoft announced its next release, Windows 10, which was previously codenamed Threshold. Windows 10 Technical Preview can be downloaded and used for free.

But the download page clearly states, under its “About your Privacy” section: “Microsoft will collect data about your installation and use of Windows Technical Preview to help us improve our products and services.”

Microsoft’s Privacy Statement states –

(more…)

5 million Gmail user accounts with passwords leaked

Close to 4,930,000 Gmail user accounts with their passwords were leaked on Bitcoin Security Forum by a user named “tvskit”. As per the post, posted on 10th Sept 2014, there are 4,929,090 records in the attached text file and more than 60% of the records are valid.

The Gmail leak comes a day after the publication of the text file with login details of 4.66 million Mail.ru accounts and two days after the publication of the text file with usernames and passwords of about 1.26 million Yandex accounts on the same Bitcoin platform.

(more…)

Indian hacker Godzilla aka G.O.D takes down many Pakistani Government Websites

Indian hacker Godzilla aka G.O.D hacked 43 major Pakistani Government Official websites including ‘President of Pakistan’, ‘Government of Pakistan’, ‘Ministry of Defence’, ‘Ministry of Kashmir Affairs and Gilgit Baltistan’ and websites of other ‘Ministry of Pakistan’.

As claimed by the hacker, he first hacked into one of the main proxy servers of the Pakistan Government. This proxy server manages all other government websites, so once he hacked into this server, he was able to hack all government websites. These websites are still down at the time of writing this post.

(more…)

Tails Operating System’s Website Hacked

Tails Operating System’s website was hacked by a hacker who calls himself “Sum Guy”. The hacker somehow got access to the website’s admin area and replaced the home page content with:

“You has been haxoredeszed by sum dumb 17 year old by accident…
“Sorry about that please forgive me! I accidentally logged myself in as someone important and changed the site, not knowing that what I was changing would save! So sorry about that… I hope you have a backup, Oh and btw I love your OS! Yours sincerely, Sum guy. And before I leave, Hi ed… and zoin.”

(more…)

Google Glass hacked by Dutch Hackers

Volkskrant, a Dutch website, has reported that Dutch hackers have created malware that can be used to hack into Google Glass. This malware code can be injected into the Google Glass through a mini USB.

As per Volkskrant, borrowing the Google Glass from the victim is very easy and, once borrowed, the code can be injected through the mini USB, which can be inserted into the Google Glass USB port.

Once hacked, hackers can then monitor everything the user does through a remote computer from a distance. Snaps can be taken and videos can also be shot without the knowledge of the victim. The victim’s confidential information, like email IDs and passwords, can easily be hacked too after a few minor modifications to the code.

(more…)