Tag: Flaw

Posted on

WhatsApp security still broken…

“WhatsSpy Public” a tool for spying on WhatsApp users bypassing security settings

WhatsAppSpy

Social media is growing at a fast pace nowadays but with growing socialization the safety measures and privacy option should also be developed so that one’s information cannot be leaked at any endpoints. Social apps such as Facebook, WhatsApp, Hike, Instagram etc. are used by several people without knowing that how safe they really are or if their messages or personal information are not leaked.

The smartphone stand alone instant messaging App, WhatsApp is once again in the news due to a certain tool which can break its security features.  WhatsSpy Public tool which was recently released can give you status updates of any WhatsApp user, even if privacy options have been enabled.

WhatsSpy Public uses the web-based utility to trace the moments of a WhatsApp user and shows them in a dashboard with events being displayed in a timeline. The tool can be used to compare activities from one user to those of another for a more comfortable experience.

via WhatsSpy Public : WhatsApp status tool lets stalkers track you bypassing privacy settings.

Posted on

Remotely install and launch Android apps from the Play Store Vulnerability

Lucky for me… i am using a Blackberry Passport! 

Vulnerability Summary

Android Metasploit

Due to a lack of complete coverage for X-Frame-Options (XFO) support on Google’s Play Store web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play Store provided Android package (APK).

 

Affected Platforms

Many versions of Android 4.3 (Jelly Bean) and earlier ship with browsers with UXSS exposures, as discussed in this Rapid7 blog post. Users of these platforms may also have installed vulnerable aftermarket browsers, as discussed in this TrendLabs blog post. Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected.

 

Simplified Demonstration of the XFO Gap

The following Javascript is sufficient to elicit a response from the play.google.com domain without an appropriate XFO header:

via Metasploit: R7-2015-02: Google Play Store X-Fra… | SecurityStreet.