Monday, September 26, 2011

Facebook tracks your cookies even after logout!


According to Australian technologist Nik Cubrilovic: 'Logging out of Facebook is not enough.' He added that even after you are logged out, Facebook can still track the page your browser loads every time you visit a website. He wrote in his blog: 'With my browser logged out of Facebook, whenever I visit any page with a Facebook like button, or share button, or any other widget, the information, including my account ID, is still being sent to Facebook.'

After explaining the cookie behaviour, he also suggested a way to fix the tracking problem: 'The only solution to Facebook not knowing who you are is to delete all Facebook cookies.'
Using a Firefox add-on that automatically deletes Facebook cookies after you log out is one way to do this.
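The cookie deletion Cubrilovic describes can be done outside the browser as well. The script below is an added example, not code from the original post or from any Firefox add-on: it removes every cookie belonging to facebook.com (and the assumed fbcdn.net content domain) from a Firefox profile's cookies.sqlite, so that like and share widgets on other sites no longer carry an identifying session. It assumes Firefox's moz_cookies table layout, where each row has a `host` column such as ".facebook.com", and should be run while Firefox is closed because Firefox keeps the file open. The sample database and cookie values in `demo_db` are constructed for the demonstration.

```python
"""Purge a tracker's cookies from a Firefox cookies.sqlite (added example)."""
import sqlite3
from typing import Iterable

# Domains whose cookies are removed (assumed list for this example).
TRACKER_DOMAINS = ("facebook.com", "fbcdn.net")


def host_matches(host: str, domain: str) -> bool:
    """True if the cookie host is `domain` itself or any subdomain of it.
    Firefox stores domain-wide cookies with a leading dot (".facebook.com");
    a host such as "notfacebook.com" must not match."""
    h = host.lstrip(".").lower()
    return h == domain or h.endswith("." + domain)


def purge_cookies(conn: sqlite3.Connection,
                  domains: Iterable[str] = TRACKER_DOMAINS) -> int:
    """Delete every moz_cookies row whose host belongs to one of `domains`.
    Returns the number of rows removed."""
    rows = conn.execute("SELECT id, host FROM moz_cookies").fetchall()
    doomed = [row_id for row_id, host in rows
              if any(host_matches(host, d) for d in domains)]
    if doomed:
        conn.executemany("DELETE FROM moz_cookies WHERE id = ?",
                         [(i,) for i in doomed])
        conn.commit()
    return len(doomed)


def purge_profile(cookie_db_path: str) -> int:
    """Open a real profile's cookies.sqlite (Firefox must be closed) and purge it."""
    with sqlite3.connect(cookie_db_path) as conn:
        return purge_cookies(conn)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for cookies.sqlite, with only the columns
    this script needs and a few sample rows (all values are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies "
                 "(id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value) VALUES (?, ?, ?)", [
            (".facebook.com", "c_user", "CONSTRUCTED-ACCOUNT-ID"),
            (".facebook.com", "datr", "CONSTRUCTED-DATR"),
            ("www.facebook.com", "presence", "CONSTRUCTED"),
            ("static.ak.fbcdn.net", "x", "y"),
            ("notfacebook.com", "sid", "keep-me"),   # not a subdomain: survives
            (".example.org", "session", "keep-me"),
        ])
    conn.commit()
    return conn


def remaining_hosts(conn: sqlite3.Connection) -> list:
    """Hosts still present, sorted, for inspection after a purge."""
    return sorted(r[0] for r in conn.execute("SELECT host FROM moz_cookies"))


if __name__ == "__main__":
    db = demo_db()
    print("removed", purge_cookies(db), "cookies; left:", remaining_hosts(db))
```

Against a real profile, call `purge_profile("/path/to/profile/cookies.sqlite")`; the suffix match in `host_matches` is what keeps unrelated hosts that merely contain the string "facebook.com" untouched.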


Tuesday, September 20, 2011

OS X Lion bugs let hackers view, change local user passwords


The latest version of OS X Lion allows any user to easily change the password of any local account, due to permissions oversights on Apple's part. The news comes less than a month after another Lion vulnerability that let users bypass LDAP without a password gained notoriety.

Originally reported by Defence in Depth blogger Patrick Dunstan, the root of the newly discovered problem in Mac OS X 10.7 is tied to the user-specific shadow files used in modern OS X platforms. These files are essentially hash databases and contain, among other things, the user's encrypted passwords. Ideally, they should be accessible only via high-privilege accounts.

According to Dunstan, Apple dropped the ball in terms of how Lion handles privilege. "Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data," Dunstan wrote. "This is accomplished by extracting the data straight from Directory Services."

Any user can accomplish this trick by simply invoking the Directory Services listing using the /Search/ path -- for example, $ dscl localhost -read /Search/Users/bob (where "bob" is the username). This causes OS X Lion to spew out the contents of Bob's shadow hash file, including data that can be used to crack Bob's password with a simple script, such as a Python script written by Dunstan.

Making matters worse, running such a script wouldn't necessarily be required to gain access to Bob's account. Using Directory Services, a user could change a logged-in user's password -- without requiring authentication -- using this command: $ dscl localhost -passwd /Search/Users/bob

Notably, the targeted user's account could just as easily include admin privileges.

In order to pull off this hack, the perpetrator would require local access, though an outsider using social engineering could dupe a user into surrendering the information. Additionally, a malicious insider could use his or her existing access and wreak havoc if an admin left a machine without first logging out. Further, the user would need to access Lion's Directory Services -- another feat that would not be overly difficult in an environment with relatively lackluster security.

MacFixIt blogger Topher Kessler offered advice on how organizations can avoid being subject to these vulnerabilities. They include disabling automatic log-ins in Mac OS X; enabling sleep and screensaver passwords; disabling guest accounts (as well as accounts not in use); and better managing user privileges, such as allowing no greater permissions than necessary.


Friday, September 9, 2011

XSS Vulnerability



Sunday, September 4, 2011

SQL Injection Vulnerability

0 (Secretariat for European Affairs) is vulnerable to SQL injection.

Vulnerable link:

Usernames, Pass, E-mails will not be posted.


About Me

A blog for information security research and development, intended for posting the latest vulnerabilities and weaknesses. Founder darknessn1k0!4
