Showing posts from September, 2018

Sensitive Data Exposure or Password Disclosure in H1C Private site

Hello Friends, Recently I found a critical bug in a private site which discloses all sensitive data of its users. The bug exists in the forgot-password page. I just entered my email on the forgot-password page and tried to reset the password, and the site disclosed all the information of my account in the response. While resetting, I intercepted the request with Burp, sent it to Repeater, changed my email to any registered user's email and clicked 'Go'. In the response, the site disclosed that user's sensitive information, like phone number etc., along with the password as a SHA-256 hash. After cracking the hash, the attacker gets the password. Also, we don't even need to crack the hash: the password hash can be used directly by modifying the requests. Conclusion: Always check the forgot-password page or forgot-password functionality for vulnerabilities. You'll get the idea. Thanks for reading.

Stored XSS Vulnerability in H1C Private site

Hello Friends, Recently I found an interesting stored XSS vulnerability in a private site. It was not easy, meaning difficult to exploit. The private site has a feature which allows users to create or start an email campaign for email marketing. After logging in to the website account, I started an email campaign and sent an email from my website account to my personal email address. Next, I received that email (sent via the campaign) at my personal email, and I replied to that email. The reply was received in my account inbox on that website. So, I tried to reply or send an email with an HTML tag like Hello <b>Hack</b>, but I received the same reply Hello<b>Hack</b> in the inbox of that website account. Next, I understood that we can't send HTML markup from Gmail, Yahoo Mail etc. So, I copied that 'reply email', visited a fake email sender and sent an email in HTML, and I received that message in the inbox of the website account and the HTML scripts got ex

Hack Facebook Users Account through Tabnapping

Tabnapping is an interesting, tricky, clever and smart hacking technique for phishing and scamming. Through this, attackers take advantage of and control a victim's unattended browser tabs by hijacking them and redirecting him to malicious URLs where they can perform a phishing attack and execute scripts. Example: You are already logged in to your Facebook account and suddenly you see an interesting post with a web link. After clicking on the link, a new tab opens. Now, while you are visiting the interesting post in the new tab, unknowingly your previous tab changes to a fake Facebook login page. When you go back to the previous tab, you'll see that you need to log in to Facebook; when you log in, your information is sent to the attacker and you are successfully logged in to Facebook because you never logged out. PoC Video Coming soon! For more info visit this Always check the 'URL

Password Spraying on Facebook Users without Email

Hello Friends, I found that it's possible to perform a password spraying attack on Fb users without email etc. Password spraying refers to the attack method that takes a large number of usernames and loops through them with a single password. Multiple iterations with a number of different passwords can be used, but the number of passwords attempted is usually low when compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. Recently, I found that it's possible to log in to a Facebook account without an email. We just need to enter the password. So, this behaviour allows performing a password spraying attack on FB users without an email. Proof of Concept: First of all, visit this URL

Risk Inside Facebook Apps - Hack Facebook Users Accounts through Facebook Apps

Facebook has a lot of security that is increasing daily. Now, it's very difficult to hack Fb users' accounts, but not impossible. It's still possible to hack Fb users' accounts through Facebook apps. By default, Facebook allows applications running within canvas pages to include iframes and redirect off site. So, a hacker can embed any malicious site in his application and may also run scripts in the victim's browser. A hacker can embed a phishing link or fake login page and ask for the user's login credentials, meaning email and password. The victim visits the application and thinks that he is giving login details to Facebook, or that Facebook requires re-authentication, and enters his email and password. But he doesn't know that he is giving his login details to hackers, not to Facebook. Facebook closely monitors apps for malicious behaviour and blocks malicious apps, but it's still possible by making or hijacking a vulnerable app. So, never enter your login details in fa

Risk Inside - Shorten External URLs with

Image is a Facebook URL shortener that shortens only Facebook URLs, but I found that it's possible to shorten external links with Demo : Proof of Concept: First connect your Twitter account with Facebook. Next, if you update any status on FB, a tweet is created on your Twitter with a link For Example: , if you follow the link it redirects you to a Facebook URL, which is OK. If you enter the link in a FB status and update the status, a tweet is created without any link, OK. Now enter this link in the browser and post or update your status. Now go to Twitter; you can see a tweet with a link " ". Now visit this link; it redirects to instead of

Risk Inside Facebook Linkshim - Bypassing Facebook Linkshim Filters

Linkshim is a tool created by Facebook's Site Integrity Team to protect its users. ... When a link is clicked on Facebook, Link Shim checks the link to make sure it isn't on its list of malicious links or on any of its many external partners' (McAfee, Google, Websense) lists. Basically, Linkshim is a script created by Facebook to protect its users from malicious links. When FB redirects to other sites, the script (l.php) first checks the link, then redirects, and sometimes blocks malicious URLs. But we can easily redirect to malicious or blocked URLs from Facebook simply by shortening the URL or via another site's redirect. Also, it's possible to redirect through an IP address. We can redirect to any malware site or blocked link from Facebook. If you try to redirect to a malware link through an IP address, FB Linkshim blocks this. OK, but I believe that Facebook does not handle this situation correctly. Facebook Linkshim blocks only those IP addresses which redirect to dom

Stored XSS Vulnerability in Tumblr

Hello Friends, I started to participate in bug bounty in 2017 and found an XSS (Cross Site Scripting) vulnerability in Tumblr. PoC Video: I reported this to Tumblr. The next day, Tumblr quickly patched this and rewarded me. I received my first bounty of $1000 from Tumblr. I also received a Tumblr t-shirt and stickers as swag. I received a very good response from the Tumblr Security Team. Thanks Tumblr.

What is Tabnabbing and Tabnapping?

The term 'Tabnabbing' was coined in early 2010 by Aza Raskin, a security researcher and design expert. The word 'Tab Napping' comes from the combination of 'tab' and 'kidnapping', used by clever phishers, scammers and hackers. Tabnabbing and Tabnapping are the same attack. It is a computer exploit and phishing attack which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine. Basically, it is a type of phishing attack, an advanced or smart method of phishing, and comes in the category of Unvalidated Redirects and Forwards.

Risk Inside Facebook and Twitter Best Practice - Lack of Password Confirmation

There are many websites, including Facebook and Twitter, that are missing best practices. Lack of password confirmation allows intruders to easily take over a user's account completely. When any user wants to change the password, the current password is asked for before proceeding with the request, for security purposes. This should also be implemented on other sensitive actions like changing the email or phone number and account deletion. If any unauthorized user or hacker accesses your account in any way, like session hijacking or by exploiting an XSS or CSRF attack, then he can easily change your password and take over the account completely. So, the current password field is necessary because it prevents an unauthorized user from changing the email and password. Facebook prevents this by asking for the current password when changing the email and password, but it's still possible to change the password without knowing the current password. It's very simple. Just add your mobile number then using 

What is User Enumeration? How to Enumerate Registered Users of any Website like Facebook and Twitter

An enumeration is a complete, ordered listing of all the items in a collection. The term is commonly used in mathematics and computer science to refer to a listing of all of the elements of a set. Enumeration in information security is the process of extracting user names, machine names, network resources and other services from a system. All the gathered information is used to identify vulnerabilities or weak points in the system's security, which the attacker then tries to exploit. There are many types of enumeration. User Enumeration: User enumeration is when a malicious actor can use brute force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Enumeration is the process of identifying user accounts, usernames, emails and other resources. Basically, it is the process of gathering information. How To Enumerate? The most common areas where us

Risk Inside Tesla Bruteforce Protection - Lock Tesla Users Accounts

Hello Friends, Recently I found a strange behaviour on the Tesla site which is intentional but risky. Whenever I enter my email and try invalid passwords at login multiple times, Tesla locks the account and tells me to reset the password. Basically, when we enter wrong credentials many times on a secure login, the account gets locked temporarily (for some time) for security purposes. But Tesla locks the user's account and tells them to reset the password. So, the risk exists. An attacker may enter any Tesla user's email and try invalid passwords multiple times, like 20 to 30. After multiple invalid attempts, Tesla locks that user's account. When the user tries to log in to his Tesla account with valid credentials, Tesla tells him to reset the password. An attacker can lock the victim's account by brute-forcing; then the victim needs to reset the password to unlock the account. If the victim has no access to the email connected to the Tesla account, then he cannot recover the account. The risk is increased If

Risk Inside Blogger - Stealing Blog Posts of Blogger sites

Hello Everyone, I found a nice bug at Blogger which is not new but still vulnerable. We can steal posts from blogs or sites which are hosted on Blogger via atom.xml. If we just visit the link in Firefox or Chrome it redirects to feeds/posts/default?alt=atom, but if we open this link in the Edge browser, Edge pops up and gives an option to save. Steps: First of all open the Edge browser and visit this link or Change the results to 500 for more posts or Next, Edge pops up to save the atom.xml file. Now click on Save. The blog's atom.xml file will be downloaded. Next, log in to your blogge