How Banks Make Online Banking Insecure Through Apps

1. App obligation

Online banking on the smartphone is generally not a good idea. The reason for this is not necessarily the banking apps, but the update policy of the smartphone manufacturers, the misleading advertising of the banks and the naive behavior of the customers. However, all this does not seem to bother the banks much. True to the motto:

"Digital first - Concerns second"

banking apps are made appealing to loyal customers and any risks are simply pushed aside. The fact is: with smartphone apps, banks have moved to a platform that they cannot control. Nevertheless, banking apps are promoted and security mechanisms such as two-factor authentication (2FA) are simply undermined by ill-considered decisions. In the end, online banking via app is not more secure, but exactly the opposite.

1st problem: Android update policy

Both software and hardware have weaknesses, some of which are so serious that attackers can take complete control of a system. It is therefore essential to import available (system) updates promptly in order to keep the risk for data and the digital identity as low as possible. That's the theory. In practice, the world looks very different again - especially in the Android world.

Most Android devices are usually only neglected by many manufacturers with regard to security updates, and at some point they are even completely violated. This inevitably creates a "vacuum" in the Android world that makes many or most devices vulnerable to critical security vulnerabilities. Such vulnerabilities enable attackers to gain control over the device, spy on the user or allow data to flow off unnoticed. Discovering a critical vulnerability would be enough to make millions of devices vulnerable in one fell swoop. Such serious vulnerabilities are not rare, but occur at regular intervals. In 2018 alone, 611 vulnerabilities were identified in Android - in 2017 even 842.

Full translated article:
https://telegra.ph/How-Banks-Make-Online-Banking-Insecure-Through-Apps-07-09

Source (🇩🇪):
https://www.kuketz-blog.de/wie-banken-online-banking-durch-apps-unsicher-machen/

#Kuketz #online #banking #smartphone #apps #insecure #vulnerabilities
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES

Shodanfy.py

Get ports, vulnerabilities, informations, banners,..etc for any IP with Shodan (no apikey! no rate limit!)

💡 Usage:

# python3 shodanfy.py <ip> [OPTIONS]
e.g:
python3 shodanfy.py 111.111.111.111
python3 shodanfy.py 111.111.111.111 --getports
python3 shodanfy.py 111.111.111.111 --getvuln
python3 shodanfy.py 111.111.111.111 --getinfo
python3 shodanfy.py 111.111.111.111 --getmoreinfo
python3 shodanfy.py 111.111.111.111 --getbanner
python3 shodanfy.py 111.111.111.111 --getports --getvuln
python3 shodanfy.py 111.111.111.111 --proxy 127.0.0.1:8080
# support pipeline, --stdin option is required..
# echo "<ip>" or cat ips.txt | python3 shodanfy.py --stdin [OPTIONS]
e.g:
echo "111.111.111.111"|python3 shodanfy.py --stdin
echo "111.111.111.111"|python3 shodanfy.py --stdin --proxy 127.0.0.1:8080
echo "111.111.111.111"|python3 shodanfy.py --stdin --getvuln
cat ips.txt|python3 shodanfy.py --stdin --getports
dig google.com +short A | grep -oi '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | python3 shodanfy.py --stdin --geports

👉🏼 https://github.com/m4ll0k/Shodanfy.py

⚠️ Always remember to use these techniques, instructions or hardware only with devices whose owners or users have allowed this !! The unauthorized access to foreign infrastructure is punishable by law.

#shodan #vulnerabilities #pentesting
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv

Backdoors and other vulnerabilities in HiSilicon based hardware video encoders

Update 2020-09-17: Huawei issued a statement saying that none of the vulnerabilities have been introduced by HiSilicon chips and SDK packages. I will update this article as more information comes in.

This article discloses critical vulnerabilities in IPTV/H.264/H.265 video encoders based on HiSilicon hi3520d hardware. The vulnerabilities exist in the application software running on these devices. All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device. With multiple vendors affected, and no complete fixes at the time of the publication, these encoders should only be used on fully trusted networks behind firewalls. I hope that my detailed write-up serves as a guide for more security research in the IoT world.

👀 👉🏼 https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/

👀 👉🏼 🇩🇪 https://www.heise.de/news/Backdoors-in-Video-Encodern-auf-Huawei-Chips-entdeckt-Ursprung-unbekannt-4905641.html

#hisilicon #hardware #video #encoder #vulnerabilities #huawei #chips #backdoors
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

Setup for testing Android app vulnerabilities

In the previous article I documented my approach for reverse engineering an Android game. But getting my hands on the code is only one part of security research. Once a potential issue is identified, I need to verify that it is actually exploitable. So there is no way around messing with an actual live app. Ideally that has to happen in a controlled environment with emulated hardware. As before, this is mostly me writing things down for my future self, but it might come useful for other people as well.

💡 Contents

✅ Choosing a virtualization approach

✅ Setting up Android SDK

✅ Minimal proof of concept Android app

✅ Adding debugging output to the target application

https://palant.info/2021/02/22/setup-for-testing-android-app-vulnerabilities/

#setup #testing #android #app #vulnerabilities #guide
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Allow arbitrary URLs, expect arbitrary code execution

We found and reported 1-click code execution vulnerabilities in popular software including Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark and Mumble

Desktop applications which pass user supplied URLs to be opened by the operating system are frequently vulnerable to code execution with user interaction

Code execution can be achieved either when a URL pointing to a malicious executable (.desktop, .jar, .exe, …) hosted on an internet accessible file share (nfs, webdav, smb, …) is opened, or an additional vulnerability in the opened application’s URI handler is exploited

Vulnerabilities following this pattern have already been found in other software, with more expected to be revealed going forward

https://positive.security/blog/url-open-rce

#vulnerabilities #url #arbitrary #code #execution #poc #video
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

How do You Hack #Whatsapp Chats? - 7 #Vulnerabilities Explained

https://hackernoon.com/how-to-hack-whatsapp-chats-9f203tq0

Leveraging Android Permissions: A Solver Approach – Thalium - 2022

The logic of the rules behind this system are mostly implemented in two framework services: PermissionManagerService and PackageManagerService.

Recently, those components have suffered from several vulnerabilities that were found through fuzzing. They led to critical privilege escalation without user consent.

In this blog post, we first present a case study of a permission management vulnerability. Then, we describe the solver approach we followed to help in the vulnerability research. Eventually, we explain a new vulnerability that was discovered thanks to the solver, and which was reported to Google.

#Cybersecurity #Vulnerabilities #ApplicationPermissions #Android

Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure | The Citizen Lab –
26/10/2023

The information collected by, and stored within, mobile networks can represent one of the most current and comprehensive dossiers of our life. Our mobile phones are connected to these networks and reveal our behaviours, demographic details, social communities, shopping habits, sleeping patterns, and where we live and work, as well as provide a view into our travel history. This information, in aggregate, is jeopardized, however, by technical vulnerabilities in mobile communications networks.

#Vulnerabilities #mobile #Networks

When You Roam, You’re Not Alone | Lawfare –

A fix is long overdue for one of the most extensive, yet lesser-known surveillance risks of our age: the technical vulnerabilities at the heart of the world’s mobile communications networks

We’ve all been there before: You’re traveling abroad, and as your plane lands and is taxiing to the gate, you reach for your phone, wait for it to connect to the local network, and then you are greeted with a text message: “Welcome abroad, you’re now roaming!” Beyond the exorbitant fees, few of us are likely to give the matter much thought.

However, hidden within this seemingly routine transaction lies one of the most extensive, yet lesser-known surveillance risks of our age: the technical vulnerabilities at the heart of the world’s mobile communications networks.

#Mobile #Network #Cellular #Roaming #Vulnerabilities

Physical Attacks Against Smartphones

Android devices are constantly improving their security to protect against attackers with physical access, with new protection techniques being added year-by-year. This talk aims to demonstrate vulnerabilities in modern Android smartphones that are still viable, despite the mitigations in place.

In the first phase of this talk, we will discuss the analysis and exploitation of vendor-customized versions of Android's Recovery mode, demonstrating weaknesses that allow for privilege escalation to root, and traversal from Recovery to Android, without Bootloader access....

By: Christopher Wade

Full Abstract and Presentation Materials:https://www.blackhat.com/us-23/briefings/schedule/#physical-attacks-against-smartphones-32485

#Android #Vulnerabilities #RecoveryMode #Exploit #PrivilegdeEscalation #Root

The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

Modern video encoding standards such as H.264 are a marvel of hidden complexity. But with hidden complexity comes hidden #security risk. #Decoding video today involves interacting with dedicated #hardware accelerators and the #proprietary, privileged software components used to drive (#driver) them. The video #decoder ecosystem is obscure, opaque, diverse, highly privileged, largely untested, and highly exposed -- a dangerous combination.

We introduce H26Forge, a framework that carefully crafts #video files to expose edge cases in H.264 decoders....

By: Stephen Checkoway , Hovav Shacham , Willy Vasquez

Full Abstract and Presentation Materials

#VideoEncoding #Vulnerabilities #Security #Codec #H264 #Exploit

Bypassing the “run-as” debuggability check on Android via newline injection | Meta Red Team X –

An attacker with ADB access to an Android device can trick the “run-as” tool into believing any app is debuggable. By doing so, they can read and write private data and invoke system APIs as if they were most apps on the system—including many privileged apps, but not ones that run as the system user. Furthermore, they can achieve persistent code execution as Google Mobile Services (GMS) or as apps that use its SDKs by altering executable code that GMS caches in its data directory.

Google assigned the issue CVE-2024-0044 and fixed it in the March 2024 Android Security Bulletin, which becomes public today. Most device manufacturers received an advance copy of the Bulletin a month ago and have already prepared updates that include its fixes.

#Infosec #Vulnerabilities #CVE #Android #ADB

Attacking Android

"In this comprehensive guide, we delve into the world of Android security from an offensive perspective, shedding light on the various techniques and methodologies used by attackers to compromise Android devices and infiltrate their sensitive data. From exploiting common coding flaws to leveraging sophisticated social engineering tactics, we explore the full spectrum of attack surfaces present in Android environments."

#Android #Infosec #Vulnerabilities

AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers

We will present a novel attack - that we call AutoSpill - to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With #JavaScriptInjections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. We responsibly disclosed our findings to the affected PMs and Android security team. Different PMs and Google accepted our work as a valid issue.

By: Ankit Gangwal , Shubham Singh , Abhijeet Srivastava

Full Abstract and Presentation Materials

#Android #Vulnerabilities #PasswordManager #AutoSpill