Q Brainstorm Software hacked and this endangers their customers

Recently I was researching hacked hotel websites, and step by step I arrived at the website of the Q Brainstorm Software company. Q Brainstorm Software is an IT company from India, established in 2004. The company offers an extensive range of services based on several programming languages: website development, mobile app development and even SEO services. Briefly, “We do everything”. But they attracted my attention not because of their services, but because of their products.

Q Brainstorm Software products

Looking at the product page, I see the list of several products:

  • Hotel Desktop – Available in three different versions, the ultimate hotel management solution for small and medium accommodation facilities.
  • Hotel web – The Hotel Pro desktop version can be further enhanced with a web module, where you can manage your reservations and view the calendar using just a web browser.
  • Hotel Mobile – The Hotel mobile app is a comfortable way of managing your reservations from anywhere in the world. Only a mobile phone or tablet is required.
  • Channel Manager – Hotel can be synchronised with the most popular channel managers in the world, such as YieldPlanet, Octorate or WuBook.
  • Online Booking Engine – Allow customers to make reservations directly through your website with a modern, fully customizable online booking engine.
  • Advanced Functionalities – Accounting, statistics, logbook, customizable documents, automated emails, rate plans, services, meals management and more!

These products are business oriented, which is a little frightening to me, and I’ll tell you why.

If you’re looking for software to power your business, one of the primary requirements is the security of that software. Vulnerable software can endanger a business in various ways. Now let’s think about whether you can trust your business to a company and its products if the website of the company itself is hacked. Yes! Hacked. Continue reading Q Brainstorm Software hacked and this endangers their customers

Make some calculations before adding a Coinhive mining script to your site

The Coinhive XMR cryptocurrency mining JavaScript still attracts some website owners. It is also quite a popular tool for exploiting hacked websites for crypto mining. However, there are several problems, and I think I will destroy any remaining excitement about this web-based crypto mining euphoria. There are too many technical problems, and less money in it than most of you thought. Let’s make a small and quick analysis of Coinhive performance and its technical difficulties.

Coinhive is actively blocked by many security programs

There are two versions of this mining tool. The Coinhive version starts mining instantly without any notification, while AuthedMine requires opt-in from the end user. The main practical difference is that Coinhive is immediately blocked by modern antivirus and antimalware software and by ad blockers, while AuthedMine is not. That’s the first technical problem. If you use the Coinhive script, you lose a large share of the potential hashing power to antiviruses and other products that block the script instantly. On the other hand, AuthedMine requires an opt-in action, and trust me, most website visitors will not permit execution of this script. As you can see, neither script version can guarantee that you’ll gather all the possible hashing power from your website visitors. Continue reading Make some calculations before adding a Coinhive mining script to your site

ThreatPress report of WordPress vulnerabilities for the 2017 year

ThreatPress published a summary of all WordPress vulnerabilities detected in 2017. This infographic (below) gives statistics collected from the ThreatPress database of WordPress vulnerabilities and from open sources such as the WordPress.org website.

All of the WordPress plugins that were marked as vulnerable in 2017 together have more than seventeen million active installs. Just imagine how many sites were at potential risk; I think we’re talking about a number that exceeds five million websites. Five million! OK, let’s see what more we have on this infographic.

ThreatPress 2017 year report in numbers

  • 221 vulnerabilities were added to the database of WordPress vulnerabilities in 2017, compared to 234 vulnerabilities in 2016.
  • 202 plugins were identified as vulnerable, 153 of them hosted in the WordPress.org plugin repository.
  • 5 WordPress themes were identified as vulnerable; this number could be much bigger, but it’s hard to obtain and check themes from premium repositories.
  • The most common vulnerability type was Cross-Site Scripting (XSS), with SQL Injection (SQLi) in second place and Broken Access Control third.
  • Other quite common vulnerability types in 2017 were Cross-Site Request Forgery (CSRF), Arbitrary File Upload, Bypass, Arbitrary File Download, PHP Object Injection and Local File Inclusion.
  • The top five vulnerable plugins in 2017 (by number of active installs, according to WordPress.org data) were Yoast SEO, WooCommerce, Smush Image Compression and Optimisation, Duplicator and Loginizer.
  • There were 8 WordPress security-related releases in 2017.

Continue reading ThreatPress report of WordPress vulnerabilities for the 2017 year

One third of all websites may be under the DoS attack at any time

Houston, we have a problem! A serious problem that theoretically can affect one-third of all websites on the Internet. Recently the Israeli security researcher Barak Tawily found a WordPress vulnerability that can lead to a massive DoS attack. A DoS attack is a type of cyber attack in which an attacker drains network or server resources by flooding them with an enormous number of requests. Every request costs some resources, and if you are able to make a lot of requests, or you find a way to drain more resources with fewer requests, you will eventually make the network or server inaccessible for the duration of the attack.

Do not confuse DoS attacks with DDoS attacks: a DoS (denial-of-service) attack runs from a single source of requests, while a DDoS (distributed denial-of-service) attack needs more than one request source. In this case we are talking about an attack that can be executed from a single request source (for example, one computer). The success of a DoS attack depends directly on how many requests the attacker can generate and how many server or network resources each one consumes. Usually DDoS attacks are more efficient than DoS attacks, but in this case a single attacker could put a significant load on the server and create a real denial-of-service situation.
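The distinction above, a single source that either sends many requests or few expensive ones, is also what you look for in access logs when you suspect this kind of attack. The following is an added example (not code from the post or from WordPress): it parses Apache combined-format log lines, and for every client IP computes the peak number of requests and the peak response bytes inside a sliding time window, flagging an IP that exceeds either threshold. The log lines, IP addresses, paths and thresholds are constructed for the example.

```python
"""Single-source flood detection over access-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" prefix: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, method, path, status, bytes} or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def detect_floods(lines, window=timedelta(seconds=10), max_requests=50, max_bytes=5_000_000):
    """Per IP, slide a window over its requests; alert on peak count or peak bytes.

    Bytes served stand in for 'resources consumed', which is the cheapest proxy an
    access log gives you: few requests that each pull a huge response are as much
    a DoS signal as many small ones.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["ts"], rec["bytes"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        peak_count = peak_bytes = running_bytes = start = 0
        for end, (ts, nbytes) in enumerate(events):
            running_bytes += nbytes
            while ts - events[start][0] > window:  # drop events that fell out of the window
                running_bytes -= events[start][1]
                start += 1
            peak_count = max(peak_count, end - start + 1)
            peak_bytes = max(peak_bytes, running_bytes)
        if peak_count > max_requests or peak_bytes > max_bytes:
            alerts[ip] = {"peak_requests": peak_count, "peak_bytes": peak_bytes}
    return alerts


def make_line(ip, ts, path, nbytes):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 {nbytes}'


def build_sample_log():
    """Constructed log: two ordinary visitors, one request flood, one 'few but heavy' attacker."""
    t0 = datetime(2018, 2, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, ip in enumerate(["198.51.100.5", "198.51.100.9", "198.51.100.5"]):
        lines.append(make_line(ip, t0 + timedelta(seconds=30 * i), "/", 2048))
    for i in range(60):  # 60 requests in 6 seconds from one host
        lines.append(make_line("203.0.113.7", t0 + timedelta(seconds=i // 10), "/index.php", 40_000))
    for i in range(10):  # only 10 requests, but each pulls ~2 MB
        lines.append(make_line("203.0.113.44", t0 + timedelta(seconds=i), "/index.php", 2_000_000))
    return lines


if __name__ == "__main__":
    for ip, stats in detect_floods(build_sample_log()).items():
        print(ip, stats)
```

The second attacker never crosses the request-count threshold and would be missed by a plain rate limit; weighting by response size (or by `%D` request duration, if your log format records it) is what catches the "more resources with fewer requests" case the post describes.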

Continue reading One third of all websites may be under the DoS attack at any time

Email Subscribers & Newsletters plugin vulnerability found by ThreatPress

The Email Subscribers & Newsletters WordPress plugin, developed by Icegram, has more than one hundred thousand active installs. It is a complete newsletter solution: you can collect leads, send automated notification emails, and create and send newsletters.

Email Subscribers & Newsletters is an excellent plugin with a lot of features. However, today I don’t want to discuss all of its features; I want to talk about the vulnerability that the ThreatPress Security company found in this piece of software.

Email Subscribers & Newsletters plugin vulnerability

Recently we (ThreatPress Security) found a vulnerability in the Email Subscribers & Newsletters plugin that could be easily exploited by anyone. I mean, by anyone. And the result of a successful attack is the complete list of subscribers.

Continue reading Email Subscribers & Newsletters plugin vulnerability found by ThreatPress

Exploitation of hacked websites for cryptocurrency mining gains popularity

Exploitation of hacked websites for cryptocurrency mining is a new thing, and it gets more popular day by day. Hacking websites for fun, or for spamming and similar purposes, is a thing of the past. The previous ways of exploiting hacked sites are outdated, have low profit margins (except for stealing credit card data and similar) and are incompatible with modern trends. Now everyone wants cryptocurrencies, everyone is obsessed with crypto money, and everyone is ready to do anything to get it.

Coinhive JavaScript miner for the Monero Blockchain

Coinhive offers a JavaScript library that anyone can easily embed in a website. This JavaScript is a Monero blockchain miner that uses the CPU power of the visitor’s PC for the mining computations. You turn your PC into a cryptocurrency mining machine simply by visiting a website equipped with the Coinhive JavaScript miner.
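Whether the miner lands on a site by the owner's choice (the economics post above) or through a compromise (this post), the first thing a site owner or incident responder wants is a way to find the embed and to tell the silent Coinhive loader apart from the opt-in AuthedMine one. The following is an added example, not code from the blog or from Coinhive: it scans HTML for the loader URLs and the `CoinHive.Anonymous` / `CoinHive.User` constructors as Coinhive documented them. The site-key pattern is a loose assumption, and the sample pages and their placeholder key are constructed.

```python
"""Find Coinhive / AuthedMine embeds in HTML and classify them (added example)."""
import re

# (label, opt_in, pattern) for the two documented loader scripts; first match wins.
LOADERS = [
    ("authedmine", True, re.compile(r"authedmine\.com/lib/authedmine(?:\.min)?\.js", re.I)),
    ("coinhive", False, re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)),
]
# Both loaders expose the same constructor; the first argument is the site key.
# The key charset/length here is an assumption, kept loose on purpose.
MINER_CTOR = re.compile(r"new\s+CoinHive\.(Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9_-]{10,})['\"]")


def scan_html(html):
    """Return {miner, opt_in, mode, site_key}; miner is None when nothing was found."""
    result = {"miner": None, "opt_in": None, "mode": None, "site_key": None}
    for label, opt_in, pat in LOADERS:
        if pat.search(html):
            result["miner"], result["opt_in"] = label, opt_in
            break
    m = MINER_CTOR.search(html)
    if m:
        result["mode"], result["site_key"] = m.group(1), m.group(2)
        if result["miner"] is None:
            # Constructor present but no known loader URL: a self-hosted or renamed
            # copy of the library, so we cannot tell whether it asks the visitor.
            result["miner"] = "unknown-loader"
    return result


def scan_site(pages):
    """pages is {url: html}; returns only the pages that carry a miner."""
    verdicts = ((url, scan_html(html)) for url, html in pages.items())
    return {url: v for url, v in verdicts if v["miner"] is not None}


# Constructed sample pages. The site key is a placeholder, not a real Coinhive key.
SAMPLE_PAGES = {
    "/": "<html><body><script src='/static/app.js'></script></body></html>",
    "/blog/": """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLEKEY0123456789abcdef'); miner.start();</script>""",
    "/donate/": """<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>var miner = new CoinHive.User('EXAMPLEKEY0123456789abcdef', 'visitor42'); miner.start();</script>""",
    "/old/": "<script src='/assets/vendor/miner.js'></script>"
             "<script>new CoinHive.Anonymous('EXAMPLEKEY0123456789abcdef').start();</script>",
}

if __name__ == "__main__":
    for url, verdict in scan_site(SAMPLE_PAGES).items():
        print(url, verdict)
```

String matching like this catches the naive embed, which is what a site owner adds deliberately. Miners dropped into hacked sites are usually obfuscated or served through a proxy domain, so the `unknown-loader` branch and a behavioural check (a page that pegs a CPU core, or a WebSocket to an unfamiliar host) are what you fall back on there.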

Continue reading Exploitation of hacked websites for cryptocurrency mining gains popularity

phpMyAdmin CSRF vulnerability is dangerous but hard to exploit

The phpMyAdmin cross-site request forgery (CSRF) vulnerability found by the Indian security researcher Ashutosh Barot caused a lot of noise. It’s evident why many website owners began a heated debate on this issue, since phpMyAdmin is one of the most popular tools for managing MySQL databases. I find this discussion somewhat surprising, because most speakers do not realize what conditions are needed to make exploitation of this vulnerability possible. My modest opinion is that this security issue is more dangerous in theory than in practice. Let’s see why I think so.

phpMyAdmin CSRF vulnerability exploitation mechanism

Attacks on CSRF vulnerabilities are quite primitive. An attacker prepares a specially crafted link with some parameters or commands. If that link is clicked by the administrator, or by any logged-in user with sufficient rights on the targeted system, it performs unintended actions under that user’s existing session. Ashutosh Barot published a short YouTube video which shows how he managed to drop a table from the database with a single click on such a link. The attack is possible because the operation is performed through an unprotected GET request.
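To make the mechanism concrete, here is an added example, not phpMyAdmin's code: a toy database-admin endpoint that drops a table, first in the shape the post describes (a state change accepted on an unprotected GET, authorised by the session cookie alone) and then hardened so the action needs a POST carrying a per-session token that an attacker's page cannot read. It also makes the post's point about conditions visible: the forged request only works because the victim is already logged in and the browser attaches that session cookie. An in-memory sqlite3 database stands in for MySQL; the table, user and parameter names are assumptions of this example.

```python
"""CSRF on a 'drop table' action: vulnerable handler beside a hardened one (added example)."""
import hmac
import secrets
import sqlite3


class DbAdminApp:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
        self.sessions = {}  # session cookie -> {"user": ..., "csrf": ...}

    def login(self, user):
        """Issue a session cookie; a per-session CSRF token is minted alongside it."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
        return cookie

    def csrf_token(self, cookie):
        """What a form rendered by the app itself embeds as a hidden field."""
        return self.sessions[cookie]["csrf"]

    def table_exists(self, name):
        row = self.db.execute(
            "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
        ).fetchone()
        return row is not None

    def _drop(self, name):
        if not self.table_exists(name):
            return 404
        quoted = name.replace('"', '""')  # identifier quoting; not the point of this example
        self.db.execute(f'DROP TABLE "{quoted}"')
        return 200

    def handle_vulnerable(self, method, params, cookie):
        """Before: any HTTP method is accepted and the cookie is the only authorisation,
        so a link like /sql.php?action=drop&table=customers does the job when a
        logged-in admin clicks it (the browser attaches the cookie on its own)."""
        if cookie not in self.sessions:
            return 403
        if params.get("action") == "drop":
            return self._drop(params.get("table", ""))
        return 400

    def handle_hardened(self, method, params, cookie):
        """After: state changes only on POST, and the request must carry the token
        bound to this session, compared in constant time."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return 403
        if method != "POST":
            return 405
        if not hmac.compare_digest(params.get("token", ""), sess["csrf"]):
            return 403
        if params.get("action") == "drop":
            return self._drop(params.get("table", ""))
        return 400


FORGED = {"action": "drop", "table": "customers"}  # what the attacker's link carries


def click_forged_link(handler_name):
    """Logged-in victim clicks the attacker's link: a cross-site GET that the browser
    sends together with the victim's cookie. Returns (status, table still exists?)."""
    app = DbAdminApp()
    victim = app.login("root")
    status = getattr(app, handler_name)("GET", FORGED, victim)
    return status, app.table_exists("customers")


def forged_post_without_token():
    """Attacker upgrades to an auto-submitting POST form, but still has no token."""
    app = DbAdminApp()
    victim = app.login("root")
    status = app.handle_hardened("POST", FORGED, victim)
    return status, app.table_exists("customers")


def legitimate_post():
    """The admin's own form: POST with the token the app rendered for this session."""
    app = DbAdminApp()
    admin = app.login("root")
    status = app.handle_hardened("POST", dict(FORGED, token=app.csrf_token(admin)), admin)
    return status, app.table_exists("customers")


if __name__ == "__main__":
    print("vulnerable, forged GET :", click_forged_link("handle_vulnerable"))
    print("hardened,   forged GET :", click_forged_link("handle_hardened"))
    print("hardened,   forged POST:", forged_post_without_token())
    print("hardened,   real  POST :", legitimate_post())
```

Note that without the cookie (`cookie` not in `sessions`) even the vulnerable handler refuses, which is the practical condition the post is getting at: the attacker needs an administrator with a live session to click, and nothing happens otherwise.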

Continue reading phpMyAdmin CSRF vulnerability is dangerous but hard to exploit

Bitcoin prices breaking all records – my theory why it is happening

Bitcoin prices are breaking all records, with a peak price of 19,182 USD. I have a theory about what could have caused this significant price jump in the short term. First of all, I would like to ask you not to rely on my opinion and predictions if you’re investing in Bitcoin; it’s just my presumption, nothing more. Also, I guess Bitcoin prices will drop twice or even more in the middle of February. So let’s look at some facts that I used for this prediction, and at why the prices unexpectedly jumped to the 19k USD mark.

An act of countermeasures

I think you have probably heard about the various sanctions against Russian companies and individuals involved in the occupation of Crimea. There were several packages of sanctions addressed to companies, banks and individuals related to the Kremlin regime and its special operations in occupied Crimea and the frozen conflict zone in eastern Ukraine. One more reason was the MH17 catastrophe. But on July 24, 2017, the US government introduced a new document that has one interesting section that says:

Continue reading Bitcoin prices breaking all records – my theory why it is happening