Rockstar Games: Facebook OAuth Code Theft through referer leakage on support.rockstargames.com

In this report, the researcher was able to discover a method to expose and exfiltrate Oauth tokens. This was done by injecting an tag containing a payload pointing to the attacker's own domain into replies of Support Community forum threads. Once this was done, users operating under a particular...

Missing Origin Validation

Overview Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not...

CVE-2018-14731

An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket server via a...

CVE-2018-14731

An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket server via a...

CVE-2018-14732

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket...

CVE-2018-14730

An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/...

CVE-2018-14730

An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/...

CVE-2018-14730

The CVE-2018-14730 entry concerns Browserify-HMR. Affected component: the WebSocket server used for Hot Module Replacement. Root cause: origin validation is missing, allowing any origin to receive HMR messages via ws://127.0.0.1:3123/ (or similar), enabling an attacker to access a developer’s cod...

CVE-2018-14731

The provided connected advisory for parcel-bundler identifies a concrete defect: versions before 1.10.0 of parcel-bundler’s WebSocket server lack origin validation for HMR, allowing a remote attacker to steal a developer’s source code via ws:// connections. This is caused by missing validation of...

CVE-2018-14730

An issue was discovered in Browserify-HMR. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:3123/...

CVE-2018-14731

An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR Hot Module Replacement. Anyone can receive the HMR message sent by the WebSocket server via a...

CVE-2018-14732

CVE-2018-14732 affects webpack-dev-server before 3.1.6. The WebSocket server used for Hot Module Replacement does not validate the request origin, allowing any origin (including ws://127.0.0.1:8080/) to receive HMR messages. This can enable an attacker to access a developer’s source code from a p...

PT-2018-12689 · Webpack · Webpack-Dev-Server

Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 3.1.10 webpack-dev-server versions prior to 3.1.6 Description: An issue in the WebSocket server used for Hot Module Replacement HMR allows attackers to steal a developer's source code because the origin of...

Boozt Fashion AB: Application code is not obfuscated -- OWASP M9 (2016)

Description : Boost android app is not obfuscated which lead to view the source code of the app. Impact : Attackers can steal code and reuse it or sell it to create new application or create a malicious fake application based on the initial one. POC : Step 1 : First, I did the basic reverse...

Employee Stole 'Yandex Search Engine' Source Code, Tried to Sell it for Just $29K

A former employee of Russian search engine Yandex allegedly stole the source code and key algorithms for its search engine site and then attempted to sell them on the black market to fund his own startup. Russian publication Kommersant reports that Dmitry Korobov downloaded a type of software...

IBM WebSphere 5.0/5.1/6.0 Application Server Web Server Root JSP Source Code Disclosure Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/13160/info A remote JSP source disclosure vulnerability reportedly affects the IBM WebSphere Application Server. This issue is due to a failure of the application to properly handle various requests under certain...

Slack: Broken Authentication (including Slack OAuth bugs)

Hi, Hope you are doing good! Please have a look at the below report. Description: OAuth Framework Flaw Bypassing redirecturi validation An attacker to exploit this Flaw just needs to find a open redirection flaw in the site which is using Slack's OAuth for logins. Impact: A malicious user can ste...

Adobe Gets Hacked; Hackers Steal 2.9 million Adobe Customers accounts

Hackers broke into Adobe Systems' internal network on Thursday, stealing personal information on 2.9 million customers and the source code for several of Adobe's most popular products. This an absolutely massive blow to Adobe, especially their reputation. Adobe, which makes Photoshop and other...

Adobe Gets Hacked; Hackers Steal 2.9 million Adobe Customers accounts

Hackers broke into Adobe Systems’ internal network on Thursday, stealing personal information on 2.9 million customers and the source code for several of Adobe’s most popular products. This an absolutely massive blow to Adobe, especially their reputation. Adobe, which makes Photoshop and other...

Winnti Cyberespionage Campaign Targets Gaming Companies

A cybercrime gang has been running roughshod over the gaming industry for years using malware signed with valid digital certificates to steal source code and valuable in-game currency for a number of popular online games. Researchers at Kaspersky Lab this morning published a report on the Winnti...