Popular wireless Logitech mouse vulnerable to keystroke injection

One of the things that keeps me on the security path is the opportunity to learn new things each day. After seeing the new update on Bettercap – which supports HID (Human Interface Device) – I decided to read about it, especially about MouseJack keystroke injection attacks. I went through the affected devices list…

OLX and Adobe full-disclosures on HackerOne

OLX Stored XSS: https://hackerone.com/reports/152069 Adobe Reflected XSS: https://hackerone.com/reports/50389 I asked for full disclosure of these reports so other users can learn something from them. The OLX security report was also mentioned on a Portuguese media site, Future Behind. If you know Portuguese, feel free to read it.

Hey vendors, researchers are here to help

Yesterday I was exchanging some messages on Twitter – especially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue. From experience I know what it feels like to try to help a vendor and be ignored, or in some extreme cases even “invited”…

Google Finance Reflected File Download

Found this vulnerability when auditing another client. With this RFD you don’t need to create a page to force the download: the request for this Google JSON file already does this for us. I noticed this request: http://www.google.com/finance/info?q=ELI:ALTR&callback=? which returned the following information: // [ { "id": "703655" ,"t" : "ALTR" ,"e"…

Bing Reflected File Download

When using the Bing online translator I noticed an XHR request in my browser that caught my attention: http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499 whose response was reflected on the screen: jQuery111207287312552798539_1444907172498(); As a security researcher I always try to find different ways to bypass security, especially related to Reflected File Download. So I tried to inject an RFD vector…

Wikiloc XXE vulnerability

For those who still don’t know Wikiloc: Wikiloc is a place to discover and share the best outdoor trails for hiking, cycling and many other activities. We are 1,725,606 members exploring and sharing 3,936,841 outdoor trails and 6,503,289 photos. I was searching for a cool track to ride my bike [yes, I love #cycling] and…

MailChimp Reflected File Download

When auditing a MailChimp client for Cobalt.io I noticed that this company suffers from a Reflected File Download vulnerability that could be exploited only by using the HTML5 download attribute. Let’s take a look at the original GET request: http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&id=91d16923d8&c=? This request is part of the subscription to an email campaign at MailChimp. Checking the…

Multiple vulns on mTouch Quiz WordPress plugin

Plugin link: https://wordpress.org/plugins/mtouch-quiz/ Active Installs: 5,000+ Version tested: 3.1.2 CVE Reference: Waiting mTouch Quiz lets you add quizzes to your site. This plugin was designed with learning, touch friendliness and versatility in mind. I found multiple vulnerabilities in the WordPress plugin mTouch Quiz <= 3.1.2. #1 Reflected XSS on Quiz Manage: the “quiz” parameter wasn’t properly…