Posts

Unauthorised Accessing of Google Calendar Invites

Google Calendar is a common and very well known feature that everyone uses for scheduling and organising meetings within an organisation that uses "Google for Work". The Bug! Failure to restrict access to unauthorised personnel. Story: While scheduling a meeting with my work team to present a demo, I came across the functionality in Google Calendar to add groups as guests. Once a group is added, Calendar automatically expands the group and adds all members to the meeting. While doing so, it prompts the organiser whether (s)he wants to send the meeting invites to the guest list. Once the meeting is scheduled, all the meeting invitations are actually sent from the user/organiser's mail account. That means, once you schedule a meeting, if you go and check your sent mail box, you can find all the meeting invites that were sent to all the guests. Figure: sent mail box with target mail So far

Account Compromise through brute forcing FB disavowed link - Multiple Subdomains

Another bug in Facebook. This time, multiple subdomains of FB are found to be vulnerable to brute forcing. Facebook is not limiting the attempts made to access the disavow page, resulting in account takeover by brute force.

Vulnerability Type: Missing rate limiting or anti-automation measures
Vulnerable Service: Facebook Disavow
Vulnerable URL: https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY
Vulnerable Domains: All the following domains are found to be vulnerable with the same flaw.
  www.facebook.com
  www.beta.facebook.com
  m.facebook.com
  m.beta.facebook.com
  iphone.facebook.com
  developers.facebook.com
  lookaside.facebook.com

Attack Scenario: Assume the victim has forgotten his/her password and used the forgot password feature to reset his/her account password. Now Facebook will send a password reset confirmation mail, which contains a link in case the password was actually reset by

Instagram - Account Compromise through Password brute forcing

The Instagram application is not validating the number of requests made to log in to a user account, which made it possible to brute force the password of any Instagram user account. The issue was reported to Facebook through their whitehat program, but unfortunately I am not the first one to do so. So the report was marked as a duplicate and the issue was found to be fixed in a few hours. While brute forcing, the application throws an error in the response body, but sets an authenticated session cookie. So, once we refresh, the browser uses the newly set cookie and establishes a logged-in browsing session. The following is a video demonstrating the same (post brute force action, not the actual brute force).

Cross Site Scripting and URL redirection ...


How I could Delete Instagram Captions and Comments that are not mine,.....

It's been a while since I published my last post. So, here I come with a write-up on chaining multiple issues in a Facebook acquisition, Instagram, that could have allowed me to delete entire comments/captions from the Instagram DB. Instagram Web and mobile Applications For the first 2 hours or so, I could not find anything, as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, I was about to close my Mac and then saw a request without a signature. request without a signature Bingo.. something to play around with. So I started working on the request, trying to find the most common bugs, like SQLi, XSS, CSRF etc. Then, to cross-verify a CSRF issue, I used my browser. But to my surprise, in later requests in the browser app, there is no signature at all, but of course the CSRF issue is properly protected. So while testing with both the App and Browser together, I realised that there is an authorisation flaw in t

Multiple Vulnerabilities in eFront CMS v3.6.15.4

Hi friends, I am back with three stories today. There are multiple critical bugs affecting eFront, one of the Top 10 e-learning CMS available, version 3.6.15.4 build 18023. The details are as follows.

Directory Traversal (CVE-2015-4461)
Local File Inclusion (CVE-2015-4462)
Bypass for Blocked extension file uploads (CVE-2015-4463)

About eFront: eFront is one of the Top 10 e-learning CMS available free on the market to date. A small description from the vendor's site: "The core of eFront is distributed as an open-source project. We have created a superior training product and we are not afraid to let you try it! The open-source edit of eFront will cover a wide range of your needs. If you are looking for a specialized solution then take a look at different efront editions." The issues are fixed as part of the new release, eFront v3.6.15.5 build 18024. You can find the change log here Point of the Story:

How I was able to send a mail with Your Email Id?

Is it possible? Yes. It is. If you are using Gmail, until yesterday, I could send email with your email id. Do you want to know how? Read my story then.... Hi Friends, This is Mohan Kallepalli, again with another bug in Gmail ... Thanks to Facebook, another day started with frustration. I will tell you that story another time. Anyway, with the frustration on Facebook, I turned my focus to my favorite Google one more time. While I was going through the Gmail settings, thanks to my low speed internet, my browser suggested that I use "Basic HTML". Once I opened my settings in Basic HTML, I went to the Accounts section and there I saw the functionality for adding another user's email id to your "send email as" list. This functionality is protected by a verification code authentication mechanism, which means Gmail will send a verification code (9 digits) to the target email id and you need to enter that code in your v