Application Security News

Danish Reporters scrape and publish data from 70000 OKCupid profiles

A student and a co-researcher have publicly released a dataset on nearly 70,000 users of the dating site OkCupid, including their sexual turn-ons, orientation, usernames and more. And critics say it may be possible to work out users' real identities from the published data…

… The data was collected between November 2014 and March 2015 using a scraper—an automated tool that saves certain parts of a webpage—from random profiles that had answered a high number of OkCupid's multiple-choice questions.

Website of Mr.Robot, a TV Series about hacking, found to have multiple security vulnerabilities

USA Network's “Mr. Robot”, a show about a hacker uncovering corporate corruption, has been praised for its realistic depictions of hacking, but that savvy hasn't quite spilled over into the real world. When the “Who is Mr Robot” website launched in preparation for the second season (you can watch the newly launched trailer above), Forbes reported, a white hat hacker by the name of Zemnmez found a cross-site scripting flaw that could have exposed Facebook users completing a quiz on the website.

A second flaw, found by a hacker by the name of corenumb, left the site vulnerable to blind SQL injection, which allows data to be stolen from the website's database. Both hackers notified NBC Universal, which has since patched the flaws.

Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS

The first in a series of stories (always encouraging!) that Matthew Bryant is posting on how he compromised companies via cross-site scripting.

During the course of his attempts to compromise the GoDaddy site, Matthew had planted a blind XSS payload on the site and then forgot about it, until he had to call their customer care for an unrelated problem. What followed?

Later on I called GoDaddy’s customer support to try to get a domain transferred to a different registrar. The agent appeared to be having trouble looking up my account due to their systems “experiencing issues”. It was then my phone vibrated twice indicating I had just gotten two emails in rapid succession. As it turns out, those emails were notifications that my previously planted XSS payloads had fired.

The impact of this vulnerability is quite scary:

Using this vulnerability I could perform any action as the GoDaddy customer rep. This is a bad deal because GoDaddy representatives have the ability to do basically anything with your account.

The vulnerability has since been fixed.
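What makes this a blind XSS case is that the stored value executes in a different application, the support agent's internal tool, than the public site where it was entered, so input filtering on the public side does not help; the rendering side has to encode. The following is an added illustration, not code from Matthew Bryant's write-up or from GoDaddy: a naive back-office view beside a hardened one, using a constructed customer record with a harmless marker in place of a payload.

```python
import html

# Constructed sample record: the kind of field a customer can fill in on a public
# site and that a support agent later opens in an internal tool. The "<script>"
# is a benign marker so the check below can see whether it reaches the page
# unescaped; it does nothing when rendered.
CUSTOMER_RECORD = {
    "account_id": "12345",
    "display_name": "Jane <script>/*marker*/</script> Doe",
    "domain": "example.com",
}

def render_support_view_vulnerable(record: dict) -> str:
    """Back-office page built the naive way: customer-controlled fields are
    dropped straight into the HTML, so whatever was stored earlier on the
    public site runs in the support agent's browser when the record is opened."""
    return (
        "<h1>Account {account_id}</h1>"
        "<p>Name: {display_name}</p>"
        "<p>Domain: {domain}</p>"
    ).format(**record)

def render_support_view_hardened(record: dict) -> str:
    """Same page with every untrusted field HTML-escaped at the point of output.
    Escaping here, inside the internal tool, is what closes blind XSS: filtering
    on the public site does not protect a second application that renders the
    same stored data."""
    safe = {k: html.escape(str(v), quote=True) for k, v in record.items()}
    return (
        "<h1>Account {account_id}</h1>"
        "<p>Name: {display_name}</p>"
        "<p>Domain: {domain}</p>"
    ).format(**safe)

def hardened_response_headers() -> dict:
    """Defence in depth for the internal tool: with a CSP that forbids inline
    scripts, a missed escape still does not become script execution."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }

def contains_raw_markup(rendered: str, field_value: str) -> bool:
    """True if the untrusted value reached the page byte-for-byte, i.e. unescaped."""
    return field_value in rendered
```

Running `contains_raw_markup` against both renderings shows the marker surviving intact only in the vulnerable view; the hardened view emits it as `&lt;script&gt;` text.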

Web applications today are under attack from multiple sources. Even those that are most carefully coded will have some vulnerabilities – either in some common library that is used, such as ImageMagick, or introduced by coding errors. Catching all the vulnerabilities on a web application is a never-ending game of whack-a-mole. The Barracuda Web Application Firewall makes this a very easy task for all your web and mobile applications.

The Barracuda Web Application Firewall can be deployed and configured to secure your website easily with minimal effort. The Barracuda Web Application Firewall provides complete security against all web attacks, including DDoS and web scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.


Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office.  You can connect with him on LinkedIn here.
