Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

  • Evernote: XOR & Passwords

    Update: Evernote has reported that this issue has been addressed. Evernote for Android stores various settings in an XML file; this file isn’t really protected – it’s easily readable, especially if an attacker is able to get physical access to a device, and what’s worse is that it contains the user’s credentials: /data/data/com.evernote/shared_prefs/com.evernote_preferences.xml. The username is located in the <string name="username"> element, and the password is stored in <string name="encrypted_password"> – from the name you’d assume that the password is actually encrypted.

    Read more…

  • Evernote: Doing it (mostly) right

    (Update: See here for more information about what they did wrong, including a vulnerability I found in the password handling of the Android app.) So the big news today is Evernote being popped; with 50m users and a user base that often stores sensitive material – it certainly is a tempting target for many reasons. Important: Evernote just implemented a service-wide password reset. Please read our post for details and instructions http://t.

    Read more…

  • Revisiting Snapchat API & Security

    As Snapchat has increased in popularity, I’ve been asked several times to revisit my Snapchat API & Security post, to address the changes that they made in response to my complaints. So, here it is – sorta. I started making detailed notes and looking at the changes they made – but yesterday @tlack made that mostly irrelevant with his release of Snaphax, a PHP library to interact with the undocumented Snapchat API.

    Read more…

  • Netgear Admin Password Disclosure

    Some (though not all) Netgear products expose the administrator password to unauthorized users in a file named /cgi-bin/<model>.log – if the device is vulnerable, you’ll get something like this:

        >curl http://<ip>/cgi-bin/WNR2000XT.log
        Admin login name              admin
        Admin password                <snip>
        Country                       Europe
        Wireless network name (SSID)  wireless_ext
        Wireless channel              6
        Security type                 WPA2-PSK(AES)
        Wireless passphrase           <snip>

    The full list of devices that are vulnerable isn’t known; the issue was presented to Netgear, but no response was received.

    Read more…

  • UPEK Windows Password Decryption

    On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK’s fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn’t announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research – and we have. We have not been in contact with ElcomSoft, so this is an independent re-discovery of this vulnerability.

    Read more…

  • WordPress: Don’t trust that update

    Want to know the easiest way to hack most of the WordPress installs on a host? It’s as easy as attacking the host’s internal DNS server, then just sitting back and waiting for users to install your backdoor. If you can manage to change the IP address that “api.wordpress.org” resolves to, you’ve won the battle. I can’t take credit for finding this, it was pointed out on Twitter: (tweet deleted)

    Read more…

  • NeoInvoice Blind SQL Injection (CVE-2012-3477)

    NeoInvoice is a multi-tenant open source invoicing system, which currently contains an unauthenticated blind SQL injection condition in signup_check.php. The input for the value field isn’t being properly sanitized, and is used in string concatenation to create the SQL query:

        require_once("config.php");
        if (isset($_GET['field']) && ($_GET['field'] == 'username' || $_GET['field'] == 'email')) {
            $field = $_GET['field'];
            $table = 'user';
            $taken = '0';
            $not_taken = '1';
        } else if (isset($_GET['field']) && $_GET['field'] == 'coupon') {
            $field = 'name';
            $table = 'coupon';
            $taken = '1';
            $not_taken = '0';
        } else {
            die("<div class=\"error\">Invalid Field</div>");
        }
        if (!

    Read more…

  • Decrypting Spark Saved Passwords

    A friend of mine has been evaluating an open source instant messaging client called Spark, which can be linked to Active Directory for authentication. Like most IM clients, Spark allows users to save their password – and me being me, I was curious as to how it’s doing this – as storing Windows domain logins is kinda a big deal. So, within a few minutes I found all of the details – and none of them make me feel any better.

    Read more…

  • Yahoo’s Associated Content Hacked?

    Update: TrustedSec has a write up: Yahoo! Voice compromised. Over 400K clear-text accounts. Analysis and story here: http://t.co/B8ko49pB – Still unconfirmed. — TrustedSec (@TrustedSec) July 12, 2012 Earlier today a group called “D33Ds Company” released a large (17MB) dump from a Yahoo server. The dump includes information from a MySQL database, and the email addresses and passwords from over 450k users. Based on some of the emails and the naming of the tables, I suspect that the data is from Associated Content – a company that Yahoo bought in 2010, and closed in 2011 – replacing it with Yahoo Voices.

    Read more…

  • Assange, Ecuador, and the Cyberarmy

    ALERT: Julian Assange has requested political asylum and is under the protection of the Ecuadorian embassy in London http://t.co/bz4O9bjF — WikiLeaks (@wikileaks) June 19, 2012 The news that Julian Assange has asked Ecuador for political asylum is flooding Twitter as his supporters do their best to attract attention to his cause, and rally everyone they can to contact Ecuador’s embassy in London to urge them to grant Assange’s request. While I’ve watched the Assange case since before the first allegations came out of Sweden, that’s not my interest here; my interest is in what Ecuador could do if they wanted to.

    Read more…