-
July 8, 2016
Wget Arbitrary Commands Execution
SSD Advisory – Wget Arbitrary Commands Execution: A vulnerability in the way wget handles redirects allows attackers who are able to hijack a connection initiated by wget, or to compromise a server from which wget is downloading files, to cause the user running wget to execute arbitrary commands. The commands are executed […]
-
July 8, 2016
Decrypting Android M adopted storage
Android Explorations: Decrypting Android M adopted storage: One of the new features Android M introduces is adoptable storage. This feature allows external storage devices such as SD cards or USB drives to be ‘adopted’ and used in the same manner as internal storage. What this means in practice is that both apps and their private […]
-
July 7, 2016
Zero-day flaw lets hackers tamper with your car through BMW portal
Zero-day flaw lets hackers tamper with your car through BMW portal: Researchers have disclosed zero-day vulnerabilities affecting the BMW web domain and ConnectedDrive portal which remain unpatched and open to attack. According to researchers from Vulnerability Labs, there are two main bugs both related to the BMW online service web app for ConnectedDrive, the connected […]
-
July 6, 2016
TP-LINK Loses Control of Two Device Configuration Domains
TP-LINK Loses Control of Two Device Configuration Domains – Slashdot: Security researcher Amitay Dan warns that tplinklogin.net, a domain through which TP-LINK router owners can configure their devices, is no longer owned by the company, and that this fact could be misused by malware peddlers. TP-LINK has confirmed that they no longer own the domain […]
-
May 5, 2016
Acunetix WVS 10 0Day SYSTEM remote command execution
Acunetix WVS 10 0Day SYSTEM remote command execution: Acunetix WVS 10 0Day SYSTEM remote command execution by Italian researcher Daniele Linguaglossa. This PoC shows the exploitation of 2 flaws affecting Acunetix WVS 10; by exploiting them it is possible to execute commands on the victim machine just by scanning it, and then using a second flaw it is possible […]
-
May 4, 2016
How the Pwnedlist Got Pwned
How the Pwnedlist Got Pwned: Indeed, after about a minute of instruction, I was able to replicate Hodges’ findings, successfully adding Apple.com to my watchlist. I also found I could add basically any resource I wanted. Although I verified that I could add top-level domains like “.com” and “.net,” I did not run these queries because […]
-
March 12, 2016
When a WordPress Plugin Goes Bad
When a WordPress Plugin Goes Bad: Custom Content Type Manager (CCTM) is a relatively popular plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types. Website owners who find the classical “blog format” too restrictive use the plugin to add custom elements to their posts. So far […]
-
March 12, 2016
Hackers tried and failed to steal a billion dollars from bank
Hackers tried and failed to steal a billion dollars from bank: Hackers stole $80 million from a bank, but it could have been a lot worse if they had just Googled the name of a company, according to Reuters. Thieves got inside servers of the Bangladesh Bank, stealing the credentials used to make online transfers. […]
-
March 12, 2016
How to bypass Apple Passcode in 9.1 and later – Security Affairs
How to bypass Apple Passcode in 9.1 and later: “An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the Apple iPhone via an application update loop issue. The issue affects the […]
-
March 12, 2016
Critical Firefox 45 vulnerability (mfsa2016-35)
There is a buffer overflow during ASN.1 decoding in NSS that allows an attacker to execute arbitrary code, time to upgrade Firefox! Read more on https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/.