Google Malaysia Got Hacked

2626040_orig

The hack replaced the site’s home page with a splash screen giving the Pakistani group credit, before it was taken completely offline.
The hackers apparently gained access to the Malaysia Network Information Center and changed the DNS records of Google’s site to Madleets-controlled servers, TechCrunch reported.
MYNIC is the sole administrator for web addresses that end with .my in Malaysia.
Google was back online in Malaysia Friday morning.
A statement on the Team Madleets’ Facebook page claiming responsibility for the hack suggested the attack was random.

 Source : Prabhanair.com

Advertisements

Discovered 2 new Facebook vulnerabilities

facebook_logo_fan_pages_large-12

The Security researcher Dan Melamed has found two new Facebook vulnerabilities.

Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.

The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:

  1. A Facebook Fanpage Invite Exploit to invite any Facebook user to like a Fanpage even if they are not my friend
  2. A Cross Site Request Forgery (CSRF) flaw
It is explianed by Dan that a spammer can design a bot to collect FB ID and spam the friend invites to like his fan page, interestingly CSRF allows the spammer to sent the invites on other user behalf.

“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: https://x.facebook.com/send_page_invite/?pageid=583584051694359You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrftokens:http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”

Following the video of the Poc:
Facebook Vulnerabilities POC
Excellent the reply of the Facebook security team that fixed the Facebook vulnerabilities, after the fix was applied the link requires a POST method which includes the fb_dtsg token preventing to send invites to people who are not on attacker friends list.

Lead Auditor & InfoSec Professional