IntroductionTelecommunications companies nowadays became huge enough to have millions of subscribers under its hood, those companies are doing their best to digitalize and revolutionize their online services to serve the needs of the mass subscribers, In a result of this digitalization process, many security weakness may appear which could affect the safety of customers data […]
إزاى تحمي نفسك إفتراضياً ومادياً دى عبارة عن نصائح موجودة فى صورة تصنيفات احنا بننصح بيها فى Seekurity، هتقدر بالنصائح دى تحمى نفسك وخصوصيتك سواء لو كنت بتستخدم كمبيوتر او موبايل وانت اونلاين، النصائح دى لا تنطبق على الناس المخترقة بالفعل لان دا بالنسبالهم هتبقى سيناريوهات ملهاش لازمه، والسؤال الفلسفى اللى هوا اعرف انا […]
Web Applications nowadays are capable of making online video and audio chatting and sometimes without even the need of external *plugins* or *extensions* Hooray! From usability perspective this is something so cool and very helpful but we are not here for usability, Usability is always cool but when it comes to security concerns, the whole […]
Hey, it’s Seif, again and again… Today I’m gonna show you how to verify any (unused) email on twitter account without having access to the email itself But the important question, why to verify an email on a Twitter account ?Twitter email verification is compulsory, you can not create an account without verifying the email […]
Los gobiernos en México, tanto municipales, estatales o federales, tienen poco o nulo interés por la seguridad informática. Tras un trabajo de investigación, encontramos más de dieciséis sitios gubernamentales, vulnerados y que permanecen en el abandono o que sus administradores no se han dado cuenta que alguien los ha hackeado. Anteriormente Seekurity notificó a instancias […]
Hi Everyone, It’s Seif Elsallamy here, I have been away for a while, I really miss doing the stuff i’m good at, Yes breaking things, here take a look at my old posts. I’m back again to all of you with a cool denial of service bug I’ve discovered in Twitter but before diving in […]
Hi Folks, This is the third part of A brief on Abusing Invitation Systems blog post, In case you have missed the previous parts of this story of write-ups, it is advised to have a sneak peak at the First Second part before you go on with this post. So before we kick off to […]
Let’s start with a simple question, what is Physical Security? and why it’s important? Based on techtarget.com’s article: Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural […]
In this write-up we will show you how Seekurity team was able to harvest all the user’s private/custom activities leaves more than 20 million private custom activities data in danger. First of all, this write-up is not a new one and the discovery itself is dated back to 2017 but we decided to disclose it […]
TL;DR Today’s bug is a trivial bypass one which if exploited will give the attacker the ability to download a large file regardless of the quota limits that Google put in place as a mitigation/control for any kind of abuse.
“الحقونى، ملفاتى كلها اتشفرت” تقريباً مفيش اى حد مسمعش عن تطبيقات الفدية الخبيثة، واحد من اصل ١٠ اشخاص بيصابوا بيها، ومفيش مره ننزل فيها بوست على فيسبوك غير لما يكون فى على الاقل كومنت من نوع “الحقنى ملفاتى اتشفرت” او “الحقنى ملفاتى كلها اتغير امتدادها ومبقتش تفتح” او “سكرين شوت من سطح المكتب وكل […]
El pasado 31 de Noviembre fuimos invitados por la comunidad de Women Who Code Mexico City para dar una charla relacionada a la Seguridad Informática en las oficinas de Linio México. Nuestra charla se enfocó en 3 temas “Sexting, extorsión sexual y el Ciberacoso“, ya que en los últimos años, los casos de extorsión sexual y el ciberacoso por […]
TL;DR A year ago we have been contacted by one of our clients from Middle east regarding looking for/implementing a payment processing solution for their own eCommerce solution and asked us to assist them in order to give them some candidates working in the same field in the middle east but we refused because our […]
موضة جديدة اتبعتها المواقع حديثا وهيا الكسب من خلال تعدين العملات الرقمية بدلا من استخدام اعلانات Google Ads او اى خدمة اعلانات اخرى على امل تحقيق مكسب اسرع، فى التحقيق دا هنتكلم عن جريدة “الاهرام اونلاين” وتعدين العملات الرقمية، واحد من متابعينا بتاريخ ٩ نوفمبر ٢٠١٨ بعتلنا على الصفحة الرسمية ل Seekurity ان موقع “جريدة […]
Today’s discovery is not a big deal, just another Clickjacking in the world, this time in Hak5’s C2 (Cloud Command and Control) Server First, let us know what is Hak5’s C2 (Cloud Command and Control) Server? Hak5 C2 is a cloud self-hosted penetration testing platform lets you perform “Pentest from Anywhere” by connecting and using […]
Una campaña de extorsión está tomando por sorpresa a muchas personas y al día de hoy (25-Sept) ha recaudado 0.66982408 Bitcoins (Aproximadamente $4,288.51 dólares) y la cifra seguirá aumentando. URL al Wallet: https://seekurity.com/services/goto/3i El mensaje pretende haber sido enviado por un extorsionador que ha “hackeado” su computadora y ha activado la cámara web de la computadora para […]
In this blogpost we will clarify how we found A tail of vulnerabilities from leaking thousands of Job Applicants CVs and documents online to Path Disclosure and Information Disclosure Vulnerabilities in one of United Nations WordPress websites but first what is United Nations? The United Nations (UN) is an intergovernmental organization tasked to promote international […]
Hi Guys, I am Ali Kabeel an Application Security Intern at Seekurity team. This is Second part of A brief on Abusing Invitation Systems blog post . In this blog post I will be mainly focusing on how I was able “by following the tips and tricks in the previous blog post” to bypass Facebook […]
Exponer información sensible a internet es un tema delicado, principalmente cuando los motores de búsqueda como Google pueden estar en contra tuya gracias a las malas prácticas o malas configuraciones implementadas en los sistemas. Así como durante Abril del 2016 la lista de 93 millones de votantes mexicanos estaba expuesta públicamente en servidores de Amazon, […]
What is Asus Control Center? ASUS Control Center is a whole new centralized IT management software. The software is capable of monitoring and controlling ASUS servers, workstations, and commercial products including notebooks, desktops, All-in-One (AiO) PCs, thin client, and digital signage.
“101 دليلك فى البرمجة ومجال امن وحماية واختبار اختراق تطبيقات الويب” “ازاى ابدأ فى مجال اختبار اختراق تطبيقات الويب؟” – “ازاى ادخل مجال ال Web Application Security Pentesting” دا مثال للأسئلة اللى بنستقبلها مراراً وتكراراً، كنت كتبت بوست قبل كدا بيشرح كل دا من A to Z هنزله النهارده تانى بس فى صورة مقال علشان […]
Hace algún tiempo mientras realizabamos una búsqueda en Google de archivos con extensión “TXT”, nos encontramos con que Google había indexado un archivo de una URL que contenía un nombre muy familiar… Aliada. Para los que no conocen que es Aliada, aquí la descripción que se encuentra en su sitio web: “Aliada es la plataforma […]
Hi Guys, Today i would like to show you how a single misconfiguration issue would jeopardize the user’s privacy if maliciously exploited hence hijack user “access_token” from Microsoft Office360 facebook App. Microsoft decided that this Office365 facebook app is NOT under their Microsoft Online Services bug bounty scope although we proved that our discovered bug can result in […]
During a quick trial security assessment (not fully tested) of Crea8Social Social Network Script our team at Seekurity.com SAS de C.V. identified several severe Cross-Site Scripting Vulnerabilities in the platform that been widely used on the internet to create your own social network website (BTW this script used in the alleged new Egyptian Facebook named […]
(Photo Illustration by Thomas Trutschel/Photothek via Getty Images) Hi Guys, I hope all of you are doing great and in a well state. Today i will show you a ClickJacking bug i found in Instagram that allowed me to iframe ajax responses and leads attackers to steal your instagram connected applications tokens hence hijack your […]
Hi Guys, How are you doing? Well i’ll consider and hope the answer is “Fine”… Today i will show you a bug i found in Facebook without even using any kind of testing tools BUT those kind of bugs requires what’s more than tools, it requires a hawk-eye, A platform-aware bug hunter mentality, a poet and […]
Hi Folks, Long time no see, it’s Seif Elsallamy, Remember me ? if not 🙁 you may go through my previous blogs Stored XSS in the heart of the Russian email provider giant (Mail.ru) , Rolling around and Bypassing Facebook’s Linkshim protection on iOS Today I’m gonna show you a race condition bug which i recently fall […]
[-] About the Tool: Trape is a recognition tool that allows you to track people, the information you can get is very detailed. We want to teach the world through this, as large Internet companies could monitor you, obtaining information beyond your IP. [-] Tool Benefits: One of its most enticing functions is the […]
Introduction Bitcoin mining websites became the new fashion of 2017 and there is no dust on that but when it comes to compromise websites to host such fashion it becomes a headache (well to the consumers at least). Have you heard about KRACK the WPA2 vulnerability? If you did you probably was searching for your […]
Hey Folks, Welcome back again, This is Ali Kabeel in case you don’t remember me read my first blog about Abusing invitations systems. In this blog we will be continuing our talk about Business logic bugs and how dangerous and simple they can become, I will be showing you one of the simplest yet […]
Supp!, How are you guys! I hope you’re fine, I’m Seif Elsallamy (again) if you don’t remember me read my previous blog here: Stored XSS in the heart of the Russian email provider giant (Mail.ru) Before we go in depth, lets know What is Linkshim ?
Hi Guys, I am Ali Kabeel an Application Security Intern at Seekurity team. This is my first blog i hope you like it. In this blog post I will be mainly focusing on Business Logic vulnerabilities by offering some tips and tricks on how to abuse invitation systems using real-world examples from my Facebook Bug […]
Today we will talk about a session management vulnerability affects OpenProject with all its version before 6.1.6 (old Stable) and 7.0.3 (latest stable) and may lead to accounts compromise and perform unauthorized actions via physical access to the logged in user session. but first lets know some general info. First what is OpenProject? OpenProject is […]
Hi Guys, Today we will discuss about a basic hunt of a reflected cross site vulnerability in SimpleRisk platform but first lets know some general details about the platform itself What is SimpleRisk? SimpleRisk is an open-source risk management system released under Mozilla Public License and used for risk management activities. It enables risk managers […]
Hi, I’m Seif Elsallamy a bug hunter from Seekurity Team, Today i will show you a critical reflected Cross Site Scripting bug affecting mail.ru and could be used as an XSS worm but first let’s dive into some general information.
Hi Guys, I hope you all are fine and doing well. Yes you read it right, We managed to find a vulnerability in a framework used to exploit vulnerabilities! “Today is me tomorrow will be you” 🙂 Today we will talk about a CSRF vulnerability affects the web application of both versions (Express, […]
Hey There, How you doing? Good? Cool! In this blog post I will be talking about my experience with minor bugs chained together to steal sensitive tokens. #1. Stealing CSRF tokens through Google Analytics. While randomly testing things on apps.shopify.com, I landed at some random app page and hit the Write a review button, I […]
Hey Folks, My name is Mahmoud, a web application penetration tester, I have recently joined Seekurity and today I will share with you the details of the National Cyber Security CTF we recently had in Egypt. This year, CyberTalents organised a cyber security CTF in Egypt sponsored by Trend Micro which is probably the largest and […]
Pic Source: zona3.mx/sites/default/files/Facebook-Messenger-iPhone-6.png This article was originally covered by Tom Spring of ThreatPost. On Tuesday, Seekurity Founder and Cyber Security Advisor, Mohamed A. Baset, published a proof-of-concept video demonstrating what he calls a Facebook flaw that allows an attacker to access audio or video files from Facebook servers and play them back. Facebook is dismissing […]
Hi Folks, Days ago, one of our clients received an email with the next subject in Spanish: “Problemas con tu membresia de Netflix” (Problems with your Netflix membership). The email was in his SPAM folder with the follow caption: “Be careful with this message. It contains a suspicious link that has been used to steal […]
Hi Folks, Let me tell you the story about some typical vulnerabilities that was discovered by @Seekurity Team in BMW ConnectedDrive service which will allow any beginner attacker to hijack the whole service! . First what is BMW ConnectedDrive service? BMW ConnectedDrive – a technology packet full of services and apps that connects you closely to […]
RunKeeper is a GPS fitness-tracking app for iOS and Android with over 40 million users. First launched in 2008 by CEO Jason Jacobs with the help of “moonlighting engineers”. In late 2011 RunKeeper secured $10 million in a Series B financing, led by Spark Capital. In February, 2016, RunKeeper was acquired by ASICS.
What is Cookie stuffing fraud? Is an activity which allows actors online to defraud affiliate marketing programs by causing themselves to receive credit for purchases made by web users (for this case users who made an online purchase in Amazon, Walmart, eBay or any other Online Store), even if the affiliate marketer didn’t actively […]
Hi Folks, TopCode.com is a website where the most skilled top coders around the world are solving challenges, Competing and writing codes to achieve a specific tasks. Top high profile companies like (Facebook, Google, Twitter, etc..) are getting help from such websites in their recruitment process!
Introduction: Modern Web Applications nowadays are relaying on a lot of technologies where typical web applications vulnerabilities are hard to find (eg. Clickjacking is an ABC security bug) but bug hunters are always the best! Yammer is a freemium enterprise social networking service used for private communication within organizations. Access to a Yammer network is […]
Your privacy on the internet is the biggest concern ever and when it comes to “Dating websites” and “Social Networks” it means more and more! Let me tell you a story of two websites that don’t respect yours and putting it on danger…
Fiverr.com, a global online marketplace which provides a platform for people to sell their services for five dollars per job, is vulnerable to a critical web application vulnerability that puts its millions of users at risk. Fiverr raised $30 million in a third round of institutional funding to continue supporting the new version of its […]
Hi Folks, My name is Mohamed Abdel Aty, an Egyptian Web Developer & Bug Hunter, Today I would like to share with you a “cute” bug I found while doing some bug hunting in Facebook. Testing different sub-domains is a common procedure in bug hunting , while searching the domain “mbasic.facebook.com” I noticed this link
Introduction: Physical devices connected with web applications made everything easy to be managed. Screen size, availability, usage etc… is what pushing everyone to manage their devices through their desktops/laptops! On the other hand such advantages poses a threat if these web applications contains security issues! For example android devices can be managed through “Google Device Manager”, iOS devices […]
Hi Folks, Facebook is the largest social network ever known on the internet, People are using Facebook for contacting friends, Family and sometimes for Work! When it comes to Work that means an important notifications from your company’s page, work account, work admins, business accounts, etc…
Hi Folks, I know it’s a little bit lame to mention 2 clickjacking vulnerabilities in row but that what bug hunters always do exposing the largest companies security failures, (Previously was Telegram) this time is the gigantic well-known 19 billion dollar messenger WhatsApp.
[*] Introduction: Modern Web Applications nowadays are relaying on a lot of technologies where typical web applications vulnerabilities are hard to find (eg. Clickjacking is an ABC security bug) but bug hunters are always the best!
Adopting new technologies such as VoIP by small, medium and large companies, isn’t only about the benefit representing a decrease in costs, is about an risk increase exposure too, which can be reflected in the payment of large sums of money , because (national or international) calls made by people outside the company.