Author: azeeadmin

14 Jan 2019

Some of the biggest web hosting sites were vulnerable to simple account takeover hacks

A security researcher has found, reported, and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer’s account from some of the largest web hosting companies on the internet.

In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers — Bluehost, Dreamhost, Hostgator, OVH, and iPage.

“All five had at least one serious vulnerability allowing a user account hijack,” he told TechCrunch, which he shared his findings with before going public.

The results of his vulnerability testing likely wouldn’t fill customers with much confidence. The bugs, now fixed, represent, according to Yibelo’s writeup, cases of aging infrastructure, complicated and sprawling web-based back-end systems, and companies each with a massive user base, all with the potential to go easily wrong.

In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, Dreamhost’s one million domains and OVH’s four million domains — totaling some seven million domains.

Most of Yibelo’s attacks were simple enough, but effective if combined with a targeted spearphishing campaign aimed at high-profile users. With domain registration data available for most large clients in registrar WHOIS databases, most of the attacks would have relied on sending the domain owner a malicious link by email and hoping that they click.

In the case of Bluehost, Yibelo embedded malicious JavaScript on a page full of kittens or puppies, or anything he wanted. As soon as a logged-in Bluehost user clicks on a link from an email or a tweet to that page, the hidden JavaScript runs on the page and injects the attacker’s own profile information into the victim’s account, assuming the user is already logged in to Bluehost, by exploiting a cross-site request forgery (CSRF) flaw. That allows the attacker to modify data on the server from his malicious site while the victim is none the wiser. By injecting their own information, including an email address, the attacker can request a new password be sent to that attacker-controlled address and take over the account.

A demo of a simple hack, involving a one-click link that lets an attacker break in and take over a user’s account. (Paulos Yibelo/YouTube)

Yibelo also found that the attack could work in the form of a cross-site scripting (XSS) attack. He demonstrated how a single click on a malicious link could instantly swap out a Dreamhost account owner’s email address for one that an attacker controls, allowing a password reset code to be sent to the attacker’s email and permitting an account takeover.

Hostgator, meanwhile, suffered from several vulnerabilities, including a similar CSRF flaw that tricked the countermeasures meant to prevent a cross-site script from running, which allowed him to add, edit, or modify any data in the victim’s profile, such as an email address that could then be used to reset the user’s password.

Yibelo also found several other less likely but still serious flaws, allowing man-in-the-middle attacks on a local network, such as a public Wi-Fi hotspot.

OVH, meanwhile, had a similar flaw that allowed Yibelo to bypass its CSRF protections, letting him add, change or edit user profile data. Combined with another vulnerability in its API, it could have allowed an attacker to fetch and read responses from OVH.

iPage, meanwhile, had a similar one-click flaw which could be easily exploited because the web host didn’t require the old or current password when resetting the account’s login details. That made it possible for an attacker to craft a malicious web address which, when clicked, would reset the password to one of the attacker’s choosing, allowing them to log in as that user.
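The two controls the fixes above imply, as an added example that is not code from the article or from any of the hosting providers named: a framework-free Python profile handler with the cookie-only check that makes the CSRF email swap work, beside a hardened version that requires a same-origin request, a per-session CSRF token and the current password before the email or password can change. The origin, addresses and credentials are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed origin for the example; not a real hosting control panel.
SITE_ORIGIN = "https://panel.example-host.invalid"


@dataclass
class Request:
    method: str
    origin: str | None          # Origin header; browsers attach it to cross-site POSTs
    cookies: dict[str, str]
    form: dict[str, str]


@dataclass
class Account:
    email: str
    password_hash: str
    session_id: str = ""
    csrf_token: str = ""


def _hash(password: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt); sha256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


class ProfileService:
    def __init__(self) -> None:
        self.by_session: dict[str, Account] = {}
        self.by_email: dict[str, Account] = {}

    def register(self, email: str, password: str) -> None:
        self.by_email[email] = Account(email=email, password_hash=_hash(password))

    def login(self, email: str, password: str) -> tuple[str, str]:
        """Returns (session cookie, per-session CSRF token that the page embeds in its forms)."""
        acct = self.by_email[email]
        if not hmac.compare_digest(acct.password_hash, _hash(password)):
            raise PermissionError("bad credentials")
        acct.session_id, acct.csrf_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.by_session[acct.session_id] = acct
        return acct.session_id, acct.csrf_token

    def _set_email(self, acct: Account, new_email: str) -> None:
        del self.by_email[acct.email]
        acct.email = new_email
        self.by_email[new_email] = acct

    # Flaw class from the article: the session cookie is the only proof of intent, so a
    # POST fired by script on an unrelated page goes through and the reset mail follows.
    def update_email_unsafe(self, req: Request) -> str:
        acct = self.by_session.get(req.cookies.get("session", ""))
        if acct is None or req.method != "POST":
            return "rejected: no session"
        self._set_email(acct, req.form["email"])
        return "ok"

    # Hardened: Origin check, synchronizer token, and re-authentication for any change
    # that feeds the reset flow (email) or is itself a credential (password).
    def _check_intent(self, req: Request) -> tuple[Account | None, str]:
        acct = self.by_session.get(req.cookies.get("session", ""))
        if acct is None or req.method != "POST":
            return None, "rejected: no session"
        if req.origin is not None and req.origin != SITE_ORIGIN:
            return None, "rejected: cross-origin"
        if not hmac.compare_digest(req.form.get("csrf_token", ""), acct.csrf_token):
            return None, "rejected: csrf token"
        if not hmac.compare_digest(_hash(req.form.get("current_password", "")), acct.password_hash):
            return None, "rejected: current password required"
        return acct, "ok"

    def update_email(self, req: Request) -> str:
        acct, status = self._check_intent(req)
        if acct is not None:
            self._set_email(acct, req.form["email"])
        return status

    def change_password(self, req: Request) -> str:
        acct, status = self._check_intent(req)
        if acct is not None:
            acct.password_hash = _hash(req.form["new_password"])
            del self.by_session[acct.session_id]    # a credential change ends existing sessions
        return status
```

A request that carries the cookie but was not issued from the panel's own page fails the Origin or token check, and a request that carries a leaked token still cannot change login details without the current password.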

Most of the web hosting companies also fixed other information- and data-leaking flaws, also discovered by Yibelo.

All of the companies, besides OVH — which didn’t respond to a request for comment sent prior to publication — confirmed that the bugs were fixed.

Kristen Andrews, a spokesperson for Endurance, a web hosting company that owns Bluehost, Hostgator and iPage, said that the company has “taken steps to address and patch the potential vulnerabilities in question,” but, when asked, did not say if the bugs had been exploited or if customer accounts or data had been compromised.

Dreamhost, meanwhile, said it fixed the bugs “less than 48 hours later,” according to spokesperson Brett Dunst, and found no evidence to suggest anyone exploited the bug outside Yibelo’s testing.

“After a thorough review of our system access logs we can confirm that no customer accounts were affected and no customer data was compromised,” he said. “The exploit would have required a logged-in DreamHost user to click a specially-formatted malicious link to alter their own account’s contact information.”

It’s remarkable to think that of all the ways to break into a website, the way in, as Yibelo showed, often isn’t through any convoluted attack or busting firewalls. It’s simply through the front door of the site’s host, requiring little effort for the average hacker.

14 Jan 2019

Schneider’s EVLink car charging stations were easily hackable, thanks to a hardcoded password

Schneider has fixed three vulnerabilities in one of its popular electric car charging stations, which security researchers said could have easily allowed an attacker to remotely take over the unit.

At its worst, an attacker can force a plugged-in vehicle to stop charging, rendering it useless in a “denial-of-service state,” an attack favored by some threat actors as it’s an effective way of forcing something to stop working.

The bugs were fixed with a software update that rolled out on September 2, shortly after the bugs were first disclosed, and limited details of the bugs were revealed in a supporting document on December 20. Now, a fuller picture of the vulnerabilities, found by New York-based security firm Positive Technologies, was released today — almost a month later.

Schneider’s EVLink charging stations come in all shapes and sizes — some for the garage wall and some at gas stations. It’s the charging stations at offices, hotels, shopping malls and parking garages that are vulnerable, said Positive.

At the center of Positive’s disclosure is Schneider’s EVLink Parking electric charging station, one of several charging products that Schneider sells, marketed primarily to apartment complexes, private parking areas, offices and municipalities. These charging stations are, like others, designed for all-electric and plug-in hybrid electric vehicles — including Teslas, which have their own proprietary connector.

Because the EVLink Parking station can be connected to Schneider’s cloud over a cellular or broadband internet connection, Positive said that the web-based user interface on the charging unit can be remotely accessed by anyone and used to easily send commands to the charging station, even while it’s in use.

“A hacker can stop the charging process, switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off, and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable,” said Positive.

“For electric car drivers, this means not being able to use their vehicles since they cannot be charged,” it said.

Positive didn’t say what the since-removed password was, but, given the curiosity, we asked and will update when we hear back.

The researchers Vladimir Kononovich and Vyacheslav Moskvin also found two other bugs that give an attacker full access over a device — a code injection flaw and an SQL injection vulnerability. Both were fixed in the same software update.

Schneider did not respond to a request for comment. If that changes, we’ll update.

Additional reporting: Kirsten Korosec.

14 Jan 2019

Salesforce Commerce Cloud updates keep us shopping with AI-fueled APIs

As people increasingly use their mobile phones and other devices to shop, it has become imperative for vendors to improve the shopping experience, making it as simple as possible, given the small footprint. One way to do that is using artificial intelligence. Today, Salesforce announced some AI-enhanced APIs designed to keep us engaged as shoppers.

For starters, the company wants to keep you shopping. That means providing an intelligent recommendation engine. If you searched for a particular jacket, you might like these similar styles, or this scarf and gloves. That’s fairly basic as shopping experiences go, but Salesforce didn’t stop there. It’s letting developers embed this ability to recommend products in any app whether that’s maps, social or mobile.

That means shopping recommendations could pop up anywhere developers think it makes sense, like in your maps app. Whether or not consumers see this as a positive thing, Salesforce says that when you add intelligence to the shopping experience, it increases sales anywhere from 7-16 percent, so however you feel about it, it seems to be working.

The company also wants to make it simple to shop. Instead of entering a long faceted search as has been the traditional way of shopping in the past — footwear, men’s, sneakers, red — you can take a picture of a sneaker (or anything you like) and the visual search algorithm should recognize it and make recommendations based on that picture. It reduces data entry for users, which is typically a pain on the mobile device, even if it has been simplified by checkboxes.

Salesforce has also made inventory availability available as a service, allowing shoppers to know exactly where in the world the item they want is in stock. If they want to pick it up in-store that day, it shows where the store is on a map and could even embed that into your ride-sharing app to indicate exactly where you want to go. The idea is to create a seamless experience between consumer desire and purchase.

Finally, Salesforce has added some goodies to make developers happy too, including the ability to browse the Salesforce API library and find the ones that make the most sense for what they are creating. This includes code snippets to get started. It may not seem like a big deal, but as companies the size of Salesforce increase their API capabilities (especially with the Mulesoft acquisition), it’s harder to know what’s available. The company has also created a sandboxing capability to let developers experiment and build capabilities with these APIs in a safe way.

The basis of Commerce Cloud is Demandware, the company Salesforce acquired two years ago for $2.8 billion. Salesforce’s intelligence platform is called Einstein. In spite of its attempt to personify the technology, it’s really about bringing artificial intelligence across the Salesforce platform of products, as it has with today’s API announcements.

14 Jan 2019

Wiliot nabs $30M from Amazon, Avery Dennison, Samsung for a chip that runs on power from ambient radio frequencies

As we continue the quest for better and more efficient sources of energy to link up our connected world, companies that are developing new power solutions are attracting attention.

Today, a startup called Wiliot, which makes semiconductors that harness ambient nanowatts of electromagnetic energy from cellular, WiFi and Bluetooth networks to work without batteries or other traditional wired power sources, announced that it has closed a $30 million round of funding.

The backers are a notable mix of strategic and financial names: they include Amazon, Avery Dennison, Samsung and previous investors Norwest Venture Partners, 83North Venture Capital, Grove Venture Partners, Qualcomm Ventures, and M Ventures. Another “retail giant” is also involved in this round but the name is not being disclosed.

Sources close to the company tell me its valuation is $120 million post-money. It has raised $50 million to date.

It’s important to note that the startup, co-headquartered in San Diego and Israel, has yet to manufacture or commercialise its chips, which are being publicly unveiled for the first time today.

(I’ve seen a demo of them, and they definitely appear to work: Wiliot chips pasted to small pieces of paper, propped up by clothespins arranged on a desk and not wired to anything else, were hooked up to small buttons and other items. When you press a button, for example, the chip transmits that information to the cloud, where you can in turn see the activity on a dashboard.)

The plan, according to co-founder and CEO Tal Tamir, will be to use this latest Series B funding to work on the next stage of the business: figuring out how to produce its chips at scale and at a competitive price point versus other solutions like RFID tags, as well as securing its first customers.

There are a number of potential applications where a battery-free chip and sensor (today the Wiliot chip can measure temperature, location and air pressure, and can transmit data back to the cloud) could come in handy, such as manufacturing, logistics, and tagging and providing data about anything that isn’t inherently an electronic device, expanding the universe of what an internet-of-things network can cover.

But Steve Statler, Wiliot’s SVP of marketing and business development, said that the likely first customers will be in the apparel industry, where the startup’s chips could be embedded in care labels both to help track items of clothing from manufacture to sale, and subsequently to provide services to the people who buy those items.

“That can cover anything from washing instructions to helping provide wardrobing recommendations,” he noted. That will, of course, depend on whether the customer opts in for such assistance and/or doesn’t cut the label off the clothes.

Wiliot’s chip has yet to roll out commercially, but the company is banking on its investors to help it get there.

Avery Dennison is one of the world’s biggest label makers and producers of RFID tags; Samsung (and Qualcomm) have a huge presence in the global semiconductor market; and Amazon is apparently most interested by way of its cloud services business AWS — the Wiliot chip architecture hinges on most of the computing happening in the cloud — but don’t forget that Amazon has also been making some interesting moves into apparel and AI-based fashion assistance itself.

“We think that at some point in the future every item will have its own identity,” said Francisco Melo, VP & GM, Global RFID, in an interview, who points out that Wiliot’s primary way of transmitting information out — by way of Bluetooth — makes the information “readable” by the most basic of devices these days, the smartphone. “How do we take that digital identity to help consumers at the end of the line to know what they should or could do with a product? There are a number of use cases that you can think of and trigger with Bluetooth that you couldn’t do with RFID.”

Another boost to the company is the track record of its founders. Tamir and co-founders Yaron Elboim and Alon Yehevkely, as well as others on the founding team of Wiliot, had previously founded and worked at another startup, Wilocity, a maker of 60 GHz wireless chipsets, which was acquired by Qualcomm for about $400 million. Before that the three co-founders were together at Intel, speaking to a strong track record of chip-making.

Ambient energy harvesting has to date focused on a variety of natural, non-human-produced sources such as solar energy, geothermal energy, wind, waves, river currents and so on.

A newer iteration on that has been tapping into the vast amount of electromagnetic energy that gets produced through existing wireless services, potentially a much bigger and readily available source in areas where wireless services already exist, and that is where Wiliot plays.

Of course, this will mean that Wiliot’s chips will not work in the most remote of areas where there is no connectivity at all. That is one of the challenges that the startup has yet to tackle. Another is, of course, more energy efficiency on devices themselves to operate on nanowatts rather than watts of power.

But ultimately, Wiliot and others in the same area like France’s Sigfox are taking the first steps that could open the door to more sophisticated ambient power solutions.

“This is just the tip of the iceberg,” Tamir said. “We think many edge devices will come that will harvest radio frequency energy. But the problem is not what you harvest but how much you need. If you get nanowatts of energy and a phone consumes 3-5 watts when active, you can see where this has to go.”

14 Jan 2019

Goldman Sachs leads $8M round in cyber security skills platform Immersive Labs

Immersive Labs, a cyber security skills platform founded by James Hadley, who used to be a researcher at GCHQ, has raised $8 million in Series A funding. Leading the round is Goldman Sachs, with participation from a number of unnamed private investors.

Operating in the cyber security training space, Immersive Labs helps enterprise IT and other cyber security teams acquire the latest security skills by combining up-to-date threat data with what it describes as “gamified” learning. This sees the startup use real-time feeds of the latest attack techniques, hacker psychology and technological vulnerabilities to quickly create “cyber wargames” for IT and security teams to learn from.

The idea is that the platform can up-skill people within hours of a threat emerging, in addition to being used more generally to help identify and remedy less immediate weaknesses in a company’s cyber security team.

“First, there is a big picture problem that the world is crying out for cyber security talent and is currently struggling to fill that gap,” Immersive Labs founder and CEO James Hadley tells me. “Secondly, the way that cyber skills are being taught is massively obsolete and puts the companies they work for at risk. On many occasions, what is taught is out of date before people leave the classroom”.

The inspiration for Immersive Labs was born out of Hadley’s experience running a summer school at GCHQ. It was while running the course that he came to the realisation that “passive classroom-based learning doesn’t suit the people, or pace, of cyber security”.

“Not only does the content date quickly, but the lack of challenge is just not enough for the curious and creative minds required to be good in cyber. You can’t dictate, they have to teach themselves through exploration,” he says.

“We let technical and security teams learn cyber skills like an attacker, allowing them to keep pace by combining breaking threat data with short browser-based wargames. This takes the form of a series of stories that encourage people to research, analyse and build their own attacks and solutions. Whilst doing this, they learn in a fun and compelling way”.

To that end, Immersive Labs says its Series A funding will be used to grow its offering for enterprise IT and cyber security teams. This will include investing in headcount and infrastructure to develop the platform further, and to support the company’s go-to-market strategy. Current clients include global corporates with complex cyber security needs, such as BAE Systems, Sophos and Grant Thornton.

14 Jan 2019

A photo of an egg has toppled reality star Kylie Jenner as Instagram’s most-liked post

Instagram has found something it likes more than a Kardashian-Jenner family baby, and it’s an egg.

This weekend, a photo of a plain egg became the most-liked photo on Instagram, the social app owned by Facebook with over one billion users that’s reflective of internet culture.

The photo, which you can see below in its full glory, currently has more than 23 million likes at the time of writing. That has seen it surpass a February 18 photo from Kylie Jenner — the sister of Kim Kardashian — which announced the birth of her baby with rapper Travis Scott and has 18.2 million likes.

Unlike Jenner, who has 21 million Instagram followers, the egg account — “world_record_egg” — is a newcomer that seems to have been created in early January. Nothing is known of its ownership, although it now has 2.4 million followers which could — and I can’t believe I’m writing this… — make it an influencer account.

While much can be said about Jenner’s rise to fame, she’s a pretty successful entrepreneur. Her two-year-old ‘Kylie Cosmetics’ brand is estimated to gross over $600 million in annual revenue. While it is funny that a photo of an egg can take the record on Instagram, there might be more to it. Jenner’s company trades on her brand; the egg could be a rejection or protest of today’s reality TV culture, which is best embodied by the Kardashians and, in particular, Kylie Jenner. That certainly seems the case looking at the surge of new, egg-related comments on Jenner’s birth post from last year.

Maybe that’s wishful thinking and this is just another internet phenomenon that can’t be explained. It could simply be a joke that blew up, but don’t discount the potential that this is a stunt from a company launching a new product or wanting to make a splash.

Showing that she might have a sense of humor, 21-year-old Jenner acknowledged the new record in a video of her smashing an egg.

Take that little egg


This is the second social media record set this year after Twitter got a new most-retweeted tweet — however, the roles were very much different.

Yusaku Maezawa, a Japanese billionaire who is paying Elon Musk’s SpaceX for a trip to the moon, saw a tweet that offered nearly $1 million in prize money for retweets surpass a true internet phenomenon, U.S. teen Carter Wilkerson. Back in April 2017, Wilkerson took to Twitter to plead for free chicken nuggets; his original tweet now has around 3.6 million retweets.

14 Jan 2019

Samsung’s new Galaxy M smartphones will launch in India first

Samsung will launch its new lower-priced Galaxy M series in India before the smartphones roll out globally. Asim Warsi, senior vice president of Samsung India’s smartphone business, told Reuters that three devices will be available through its website and Amazon India at the end of January and are intended to help the company double online sales.

Samsung is currently trying to recover its lead in India, the world’s second-largest smartphone market behind China, after losing it to Xiaomi at the end of 2017, when Xiaomi’s sales in India overtook Samsung for the first time, according to data from both Canalys and Counterpoint.

Xiaomi’s budget Redmi series gave it an advantage, since Samsung had few competing devices in the same price bracket, but analysts noted the Korean electronics giant maintains an edge in terms of R&D and supply chain expertise. Samsung leaned into those strengths last year, opening what it describes as the world’s largest mobile phone factory in Noida, just outside of New Delhi.

Specs for the three Galaxy M smartphones emerged last month, with details appearing on the benchmarking platform Geekbench about devices called M10, M20 and M30, the latter of which may be powered by an Exynos 7885 chip with 4GB of RAM.

Warsi told Reuters that “the M series has been built around and incepted around Indian millennial consumers.” The price range of the India-first smartphones will be from less than 10,000 rupees (about $142) to 20,000 rupees. TechCrunch has emailed Samsung for more information about the new phones.

The company will debut the latest version of its flagship smartphone, the Galaxy S10, in San Francisco on Feb. 20.

14 Jan 2019

Apple HomePod comes to China at $400 amid iPhone sales woes

Apple is finally launching HomePod in China, but the timing is tricky as the premium device will have to wrestle with local competitors and a slowing economy. The firm said over the weekend that its smart speaker will be available in Mainland China and Hong Kong starting January 18, adding to the list of countries where it is already sold, including the US, UK, Australia, Canada, France, Germany, Mexico and Spain.

The Amazon Echo competitor, which launched in mid-2017, is already available to Chinese buyers through third-party channels like “daigou”, or shopping agents who bring overseas products into China. What separates the new model is that it supports Mandarin, the official language in Mainland China, and Cantonese, which is spoken in Hong Kong and China’s most populated province, Guangdong. Previously, Chinese-speaking users would have had to converse with HomePod in English.

A main selling point of HomePod is its focus on music, so the China version comes with AirPlay support for a range of local music streaming apps like Tencent’s QQ Music for Mainland users and JOOX, which is more popular in Hong Kong.

In its home market, HomePod remains an underdog with 5 percent market share while Amazon Echo and Google Home command 66 percent and 29 percent, respectively.

The question is how many Chinese shoppers are willing to shell out 2799 yuan, or $414, for the Siri-controlled speaker. A host of much cheaper options from local giants are available, such as Alibaba’s Tmall Genie, Xiaomi’s Mi AI and several models from Baidu.

Analysts have cited the relatively high price — on top of a softening economy — as a major culprit for the iPhone’s low sales in China, which have prompted Apple to lower its quarterly revenue forecast for the first time in over a decade and Chinese retailers to slash iPhone prices. It remains to be seen how Chinese shoppers react to HomePod, whose China price is already about 17 percent higher than its normal $349 price in the US.

14 Jan 2019

New trailer reveals when Game of Thrones will return

Winter is coming this spring.

HBO is finally revealing when season 8 of Game of Thrones will begin. On Sunday, HBO released a new teaser for Game of Thrones that announced the first episode will air April 14. The season 8 teaser, called Crypts of Winterfell, was released on YouTube and played before the third season premiere of True Detective.

The teaser depicts Jon Snow, Sansa and Arya Stark walking through a crypt that includes three statues bearing their likenesses. TechCrunch won’t spoil what comes next. Watch below.

Fans of Game of Thrones have been waiting more than a year for the HBO series based on George R. R. Martin’s novels to return. Last January, HBO broke it to dedicated fans that Game of Thrones wouldn’t be returning until 2019.

The season seven finale, “The Dragon and the Wolf,” aired on August 27, 2017.

HBO didn’t provide any other details about season 8, including if episodes would be longer than 60 minutes. HBO has previously said the final season would have six episodes.

14 Jan 2019

Cadillac’s first electric vehicle will be a crossover

Cadillac revealed Sunday what will likely be the first electric vehicle in the luxury brand’s portfolio. And surprise, it’s a crossover.

The images of the full-size crossover SUV, which was unveiled during a debut party for the 2020 Cadillac XT6 in Detroit, kick off a transformation of GM’s luxury brand. On Friday, GM announced plans to turn Cadillac into its lead electric vehicle brand in a bid to compete against Tesla as well as a host of other automakers bringing EVs onto the market.

Cadillac first electric crossover

Not much is known about this crossover yet. Cadillac said the name of the electric crossover and additional details about the vehicle will be revealed closer to launch.

This vehicle will not be based on the electric architecture found on GM’s Chevrolet models, the Volt or the Bolt EV. GM is starting with a clean slate and developing a new battery electric architecture, which Cadillac will be the first to use.

The most advanced components within the platform are the drive units and battery cells, which will be used throughout GM vehicle lineups in different countries, according to the automaker. The EVs can be configured in front-, rear- or all-wheel drive, and the output of their battery systems will be adjustable based on vehicle and customer needs, GM said.

This appears to be the beginning of an aggressive product acceleration for Cadillac. Fresh off the XT6 crossover reveal, Cadillac also hinted at both a future Escalade and an upcoming performance sedan. Cadillac said it plans to introduce new models at the rate of roughly one every six months through 2021.