NoGoolag
ProcGate by topjohnwu

https://medium.com/@topjohnwu/from-anime-game-to-android-system-security-vulnerability-9b955a182f20

A massive amount of Android devices are affected by a bug that causes /proc to be mounted without hidepid=2, which opens up the ability for unprivileged applications to read a lot of information about other processes. Google promptly updated its Compatibility Test Suite (CTS) to prevent any future systems* containing this bug from shipping to end users. This vulnerability is not severe but still should be fixed since it is part of the Android application sandbox. The way to mitigate this issue is either through a system upgrade, or remounting /proc with proper flags with root permission.
I created the app ProcGate to let you detect (no root) and fix this issue (only if rooted); you can download it here:

https://github.com/topjohnwu/ProcGate/releases/


📡 @op5_files
#procgate #bug
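A way to check the mount flag described in the post above from a saved copy of /proc/mounts. This is an added example, not part of the original post and not ProcGate's code; the function names and the sample mount lines are constructed for illustration, and treating any level of 2 or stricter as acceptable is an assumption.

```python
# Added example: classify procfs mounts by their hidepid option.
# Kernels from Linux 5.8 on print the option by name, so both the numeric
# and the named spellings have to be understood.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}

# Constructed sample inputs in /proc/mounts format (not captured from a device).
AFFECTED = "rootfs / rootfs ro,seclabel 0 0\nproc /proc proc rw,relatime,gid=3009 0 0\n"
FIXED = "proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0\n"
NEWER = "proc /proc proc rw,relatime,gid=3009,hidepid=invisible 0 0\n"


def hidepid_level(options):
    """Return the numeric hidepid level from a mount option string (0 if absent)."""
    level = 0
    for opt in options.split(","):
        key, _, value = opt.partition("=")
        if key != "hidepid":
            continue
        if value.isdigit():
            level = int(value)
        else:
            # Unknown names are treated as "not hidden" so they get flagged.
            level = HIDEPID_NAMES.get(value, 0)
    return level


def audit_proc_mounts(mounts_text):
    """Return (mount_point, level, ok) for every procfs entry in the text."""
    results = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Format: device mount_point fstype options dump pass
        if len(fields) < 4 or fields[2] != "proc":
            continue
        level = hidepid_level(fields[3])
        # Assumption: level 2 or stricter hides other users' processes.
        results.append((fields[1], level, level >= 2))
    return results


if __name__ == "__main__":
    # On a Linux or Android shell with Python available, audit the live table.
    with open("/proc/mounts") as fh:
        for mount_point, level, ok in audit_proc_mounts(fh.read()):
            print(mount_point, "hidepid=%d" % level, "OK" if ok else "EXPOSED")
```
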
Eli Grey @sephr on twitter says:

One of these screenshots is a draft email to the real PayPal support. The other one is to a scammer.

Both screenshots are identical.

Unfixed vulnerability in all Google Inbox mobile apps: https://eligrey.com/blog/google-inbox-spoofing-vulnerability

PoC demo (open with Google Inbox app): https://dangerous.link/paypal-locked


From https://twitter.com/sephr/status/1064962729889288192


#vulnerability #bug #gmail #inbox
Vulnerabilities in Google Drive and Google Photos allowed others to steal your files

https://blog.avatao.com/How-I-could-steal-your-photos-from-Google


📡 @NoGoolag
#google #drive #photos #vulnerability #bug #leak #why
Forwarded from Rahul Patel
AppWarden_v1.0.1_build5.apk
4.7 MB
Hey all!
Attaching for you all the new alpha build of App Warden - App management utility.
Warden allows you to scan and find all trackers & loggers present in device.
It also lists all components (Activity, Services, Receivers & Permissions) *, you can also get exodus report for any available app.

Key Features :
1. Static code analysis
2. Scan all apps together & generate comprehensive report
3. Pie charts to show top trackers & loggers**
4. Allows you to manage component & permission*

* Requires root & WIP
** Loggers in the context of Warden mean all utilities which are used to log user activity on an app or logcat in general. Not all loggers are evil. But a few logging tools like ACRA and xLog are very powerful tools that can send user data to devs without the user's consent.

#Bug reports & suggestions are always welcome
@AuroraSupport @AuroraOSS
Bitcoin Inventory Out-of-Memory Denial-of-Service Attack - Researcher kept a major Bitcoin bug secret for two years to prevent attacks

The INVDoS bug would have allowed attackers to crash Bitcoin nodes and other similar blockchains.

In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.

Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn't received the patch.

Called INVDoS, the vulnerability is a classic denial-of-service (DoS) attack. While in many cases, DoS attacks are harmless, they are not for internet-reachable systems, which need to have stable uptime in order to process transactions.

INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server's memory resources, which would eventually crash impacted systems.

👀 👉🏼 CVE-2018-17145: Bitcoin Inventory Out-of-Memory Denial-of-Service Attack (pdf)
https://invdos.net/paper/CVE-2018-17145.pdf

👀 👉🏼 https://www.zdnet.com/article/researcher-kept-a-major-bitcoin-bug-secret-for-two-years-to-prevent-attacks

#researcher #bitcoin #bug #INVDoS #pdf
📡 @cRyPtHoN_INFOSEC_DE
📡 @cRyPtHoN_INFOSEC_EN
📡 @BlackBox_Archiv
📡 @NoGoolag
The code that wasn't there: Reading memory on an Android device by accident | The GitHub Blog – 2023

The bug was a somewhat accidental find, and although it can only be used to leak information, it is nevertheless a very powerful bug that can be used to leak large amounts of information to a malicious Android app; it can be used an unlimited number of times with no adverse effects on the running state of the phone. I’ll show how it can be used to leak information at the page level in the user space and kernel space. I’ll then use the kernel space information leak to construct a KASLR bypass. From a vulnerability research point of view, it’s also a rather subtle and perhaps one of the most unusual bugs that I’ve ever found.

#Android #Vulnerability #Bug #Qualcomm