Information security: latest news of the week April 14, 2014

Posted: April 15, 2014 in IT Security News
Tags: , , , , ,

Security NewsA critical vulnerability in Google allows access to the Google’s production servers

A Team of researchers discovered a critical XML External Entity (XXE) vulnerability on Google server that allows users to customize their toolbars with new buttons by uploading XML files containing layout properties. Sounds ridiculous but has been proven by the security researchers from Detectify.

Curious that the researchers used Google dorking to search for vulnerabilities within unpopular applications managed by Google, The Google Toolbar button gallery was the application that most of all attracted their attention.

The vulnerability resides in the Toolbar Button Gallery (as shown). The team of researchers found a loophole after they noticed that Google Toolbar Button Gallery allows users to customize their toolbars with new buttons.

There is also a happy ending, after contacted Google the researchers were rewarded with $10,000 bounty for identifying an XML External Entity (XXE) vulnerability in one of the search engine’s features.

How we got read access on Google’s production servers – See more at: http://blog.detectify.com/post/82370846588/how-we-got-read-access-on-googles-production-servers

FireEye mobile security: a new Android security issue

FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user.

On the latest Android 4.4.2 system, if an app requests both dangerous permissions and normal permissions, Android only displays the dangerous permissions. If an app requests only normal permissions, Android doesn’t display them to the user.

Dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities”. In contrast, normal permissions are automatically granted at installation, “without asking for the user’s explicit approval”.

Occupy Your Icons Silently on Android – See more at: http://www.fireeye.com/blog/technical/2014/04/occupy_your_icons_silently_on_android.html

Heartbleed-vulnerability allows steal SSL secret keys of web-servers

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

In short, the Heartbleed vulnerability allows attackers to repeatedly access 64K blocks of memory by sending a specially crafted packet to a server running a vulnerable version of OpenSSL. Because an attacker can’t specify what kind of data to obtain from the computer’s memory or reliably get the same kind of information each time, the attack depends on luck and timing.

To confirm this, CloudFlare researchers created a special vulnerable web-site.

The Results of the CloudFlare Challenge – See more at: http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s