LastPass Bug Lets Hackers Steal Your Passwords


A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.

LastPass is a password manager that is also available as a browser extension, which automatically fills in credentials for you.

All you need is to remember one master password to unlock all other passwords of your different online accounts, making it much easier for you to use unique passwords for different sites.


Google Project Zero Hacker Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass.

“Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I’ll send a report asap,”

Once they compromise a victim’s LastPass account, hackers would be able to access a treasure trove of passwords for the victim’s other online services.

Since LastPass is working on a fix to the zero-day vulnerability, technical details about the issues have not been disclosed by the researcher.

Coincidentally, another security researcher, Mathias Karlsson, also announced that he had uncovered some issues in LastPass, which have already been patched by the company.

A specially crafted URL is enough to take complete control of its users’ accounts.

As Karlsson explained in a blog post published today, an attacker could send a specially-crafted URL to the victim in order to steal passwords from his/her vault.

This specific vulnerability resided in the autofill functionality of the LastPass browser extension, where a faulty regular expression for parsing the URL allowed an attacker to spoof the targeted domain. Therefore, by abusing the form auto-fill functionality, a hacker could steal a victim’s, let’s say, Facebook password by sending the victim the POC URL containing facebook.com.
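The sketch below shows how a regex-based host check of this kind can disagree with a real URL parser. It is an added example, not LastPass's code or Karlsson's proof of concept; the regular expression, the function names and the `.example` domains are assumptions made for illustration.

```javascript
// Hypothetical, simplified host extractor (an assumption, not LastPass's code).
// "(?:.*@)?" is meant to skip "user:pass@", but ".*" is greedy and crosses "/",
// so an "@" anywhere in the path is mistaken for the end of the userinfo part.
function naiveHost(url) {
  const m = /^https?:\/\/(?:.*@)?([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened variant: let the WHATWG URL parser decide what the host is.
function parsedHost(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.hostname; // already lower-cased by the parser
  } catch {
    return null; // unparseable input never matches a saved site
  }
}

// Autofill only when the page's host equals the host the credential was saved for.
function wouldAutofill(pageUrl, savedHost, hostFn) {
  const host = hostFn(pageUrl);
  return host !== null && host === savedHost.toLowerCase();
}

// Constructed sample URLs; the .example domains are placeholders.
const SAMPLES = [
  "https://bank.example/login",
  "https://user@bank.example/login",
  "https://attacker.example/@bank.example/login",
  "not a url",
];

// Run both host functions over the samples for one saved site.
function compare(savedHost) {
  return SAMPLES.map((url) => ({
    url,
    naive: wouldAutofill(url, savedHost, naiveHost),
    parsed: wouldAutofill(url, savedHost, parsedHost),
  }));
}

for (const row of compare("bank.example")) {
  console.log(row.url, "naive:", row.naive, "parsed:", row.parsed);
}
```

Only the third sample separates the two checks: the regex reports the saved site's host for a page served from a different domain, while the parser reports the domain that actually served it.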

This particular flaw was patched by the company within a day, and Karlsson has even been awarded a bug bounty of $1,000.

Well, the issues in password managers are really worrying, but this doesn’t mean that you should stop using password managers. Password managers still encourage you to use unique and complex passwords for every single site.

In the wake of the latest issue, users can avoid browser-based password managers and instead switch to offline versions, like KeePass.

Update: LastPass has quickly patched the vulnerability reported by Tavis Ormandy and pushed an update with a fix for all Firefox users using LastPass 4.


How Website Backdoor Scripts Leverage the Pastebin Service


Compromising a website and then hosting malware on it has become an old tactic for hackers, and now they are trying their hand at compromising the vast majority of users in a single stroke. Researchers have discovered that hackers are now using Pastebin to spread malicious backdoor code.
According to a blog post published yesterday by a senior malware researcher at Sucuri, Denis Sinegubko, the hackers are leveraging a weakness in older versions of RevSlider, a popular premium WordPress plugin. The plugin comes packaged and bundled into websites’ themes in such a way that many website owners don’t even know they have it.


How Google Check the Extension for End-To-End Email Encryption


Back in June this year, Google announced an alpha Google Chrome extension called End-to-End for sending and receiving emails securely, in the wake of former NSA contractor Edward Snowden’s revelations about the global surveillance conducted by government law-enforcement agencies. Finally, the company has announced that it has made the source code for its End-to-End Chrome extension open source via GitHub. Google is developing a user-friendly tool for individuals to implement the tough encryption standard known as Pretty Good Privacy (PGP) in an attempt to fully encrypt people’s Gmail messages so that they can’t be read even by Google itself, nor by anyone else other than the users exchanging the emails.


How Google App Engine have More than 30 Vulnerabilities


Security researchers have discovered a number of critical vulnerabilities in the Java environment of the Google App Engine (GAE) that enable attackers to bypass critical security sandbox defenses. Google App Engine is Google’s PaaS (Platform as a Service) cloud computing platform for developing and hosting web applications in Google-managed data centers. GAE can run custom-built programs using a wide variety of popular languages and frameworks, many of which are built on the Java environment.
The vulnerabilities were reported by Security Explorations, the same security research company that has carried out multiple research projects related to Java in the past. The discovery was announced on the Full Disclosure security mailing list by Adam Gowdiak, founder and CEO of Security Explorations.


How CryptoPHP Backdoor Hijacks Servers with Malicious


Security researchers have discovered thousands of backdoored plugins and themes for popular content management systems (CMS) that could be used by attackers to compromise web servers on a large scale. The Netherlands-based security firm Fox-IT has published a whitepaper revealing a new backdoor, “CryptoPHP.” Security researchers have uncovered malicious plugins and themes for WordPress, Joomla and Drupal. However, there is slight relief for Drupal users, as only themes were found to be infected with the CryptoPHP backdoor.
In order to victimize site administrators, the miscreants make use of a simple social engineering trick. They often lure site admins into downloading pirated versions of commercial CMS plugins and themes for free. Once downloaded, the malicious theme or plugin, with the backdoor included, is installed on the admin’s server. Once installed on a web server, the backdoor can be controlled by cyber criminals using various options such as command and control server (C&C) communication, email communication and manual control as well.


How OnionDuke APT Malware served through Tor Network


The malicious Russian Tor exit node, which was claimed to be patching binary files, is actually distributing a malware program to launch cyber-espionage attacks against European government agencies. The group behind the rogue Tor exit node had likely been infecting files for more than a year, causing victims to download and install a backdoor file that gave hackers full control of their systems. Last month Josh Pitts of Leviathan Security Group uncovered a malicious Tor exit node that wraps Windows executable files inside a second, malicious Windows executable. But when Artturi Lehtiö of F-Secure carried out in-depth research, he found that the exit node was actually linked to the notorious Russian APT family MiniDuke.

How Microsoft to Issue Security Patches & Other Updates


Microsoft has quite a big pile of security patches this time in its November 2014 Patch Tuesday, which will include almost 60 non-security updates for its Windows OS along with 16 security updates. The software giant released Advance Notification for 16 security bulletins, the most in more than three years, which will be addressed as of tomorrow, 11 November, 2014. Five of the bulletins have been marked as critical, nine are important in severity, while two were labeled moderate. The updates will patch vulnerabilities in Microsoft’s various software including Internet Explorer (IE), Windows, Office, Exchange Server, SharePoint Server and the .NET framework as well.
Five critical vulnerabilities affect specific versions of Microsoft Windows, including Windows 7, Windows 8, Windows RT, and Windows Server. One of them also affects Internet Explorer versions 7 through 11. Four of the five critical bugs are said to allow remote code execution, meaning that successful hackers could hijack a system and install malicious software on the victim’s machine, while the last could allow an attacker to gain administrative privilege on a vulnerable machine.