Dec 20 2022

Microsoft shares details for a Gatekeeper Bypass bug in Apple macOS

Category: Bug Bounty, Malware | DISC @ 11:02 am

Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.

Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.

Apple's Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an app to run. In practice, you will not be able to execute code that wasn't signed by an Apple developer, and you will not be able to run apps that weren't downloaded from Apple's store, unless of course the device is jailbroken.

The flaw was discovered on July 27, 2022, by Jonathan Bar Or of Microsoft. It is a logic issue that Apple addressed with improved checks.

“On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”.” reads the post published by Microsoft.

Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.

The experts pointed out that Apple’s Lockdown Mode introduced in July does not prevent the exploitation of the Achilles bug.

The Achilles vulnerability relies on the Access Control Lists (ACLs) permission model to add extremely restrictive permissions to a downloaded file (i.e., “everyone deny write, writeattr, writeextattr, writesecurity, chown”), to block the Safari browser from setting the quarantine extended attribute.

Below is the POC developed by Microsoft:

  1. Create a fake directory structure with an arbitrary icon and payload.
  2. Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
  3. Create an archive with the application alongside its AppleDouble file and host it on a web server.

A video PoC is also available here.
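As a defender-side illustration of the mechanism described above (this is an added example, not Microsoft's PoC and not code from the original post), the following Python script parses the ACL listing format that macOS `ls -le` prints together with a file's extended-attribute names, and flags the combination the write-up describes: an ACL that denies write rights to everyone on a file that carries no `com.apple.quarantine` attribute. The sample records are constructed for the demonstration; that you would feed it real `ls -le` and `xattr` output from a Downloads folder is an assumption about usage.

```python
"""Flag downloads whose ACL would have blocked the quarantine attribute.

Added example (not Microsoft's or Apple's code). It recognises the
Achilles-style pattern from the advisory: a file with no
com.apple.quarantine xattr whose ACL denies everyone write rights.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

QUARANTINE_XATTR = "com.apple.quarantine"
# Write-related rights quoted in the advisory; when denied to everyone they
# stop the downloading app from stamping the quarantine attribute, so
# Gatekeeper never gets a chance to inspect the file.
WRITE_RIGHTS = {"write", "writeattr", "writeextattr", "writesecurity", "chown"}

# One ACL entry as `ls -le` prints it on macOS, for example:
#  0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
ACL_ENTRY = re.compile(
    r"^\s*\d+:\s*(?P<kind>user|group):(?P<principal>\S+)\s+"
    r"(?P<effect>allow|deny)\s+(?P<rights>\S+)\s*$"
)


@dataclass(frozen=True)
class AclEntry:
    kind: str        # "user" or "group"
    principal: str   # e.g. "everyone"
    effect: str      # "allow" or "deny"
    rights: frozenset[str]


def parse_acl(listing: str) -> list[AclEntry]:
    """Extract ACL entries from `ls -le` style output; other lines are ignored."""
    entries = []
    for line in listing.splitlines():
        m = ACL_ENTRY.match(line)
        if m:
            entries.append(AclEntry(m["kind"], m["principal"], m["effect"],
                                    frozenset(m["rights"].split(","))))
    return entries


def denied_write_rights(entries: list[AclEntry]) -> set[str]:
    """Rights from WRITE_RIGHTS that the ACL denies to the 'everyone' group."""
    denied: set[str] = set()
    for e in entries:
        if e.effect == "deny" and e.kind == "group" and e.principal == "everyone":
            denied |= e.rights & WRITE_RIGHTS
    return denied


def assess_download(listing: str, xattr_names: list[str]) -> dict:
    """Assess one downloaded file.

    'suspicious' is True only for the full pattern: no quarantine attribute
    AND an ACL that denies everyone write rights. A quarantined file with a
    deny ACL is merely odd, because Gatekeeper still gets to inspect it.
    """
    denied = denied_write_rights(parse_acl(listing))
    quarantined = QUARANTINE_XATTR in xattr_names
    findings = []
    if not quarantined:
        findings.append("no " + QUARANTINE_XATTR + " attribute")
    if denied:
        findings.append("ACL denies everyone: " + ",".join(sorted(denied)))
    return {"quarantined": quarantined, "denied": denied,
            "findings": findings, "suspicious": not quarantined and bool(denied)}


# Constructed sample records: (ls -le output, xattr names) per file.
SAMPLES = {
    # an ordinary browser download: quarantined, no ACL
    "Report.pdf": (
        "-rw-r--r--@ 1 alice staff 1024 Dec 20 11:02 Report.pdf\n",
        ["com.apple.quarantine"],
    ),
    # the pattern from the advisory: deny-everyone ACL, quarantine never set
    "Update.app": (
        "drwxr-xr-x+ 3 alice staff 96 Dec 20 11:02 Update.app\n"
        " 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown\n",
        [],
    ),
    # a locked file that was still quarantined: odd, but not the bypass
    "Locked.txt": (
        "-rw-r--r--+ 1 alice staff 12 Dec 20 11:02 Locked.txt\n"
        " 0: group:everyone deny write\n",
        ["com.apple.quarantine"],
    ),
}


def scan(samples: dict) -> dict[str, dict]:
    """Run assess_download over every sample record."""
    return {name: assess_download(listing, xattrs)
            for name, (listing, xattrs) in samples.items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name}: {'SUSPICIOUS' if result['suspicious'] else 'ok'} {result['findings']}")
```

On a real Mac the two inputs come from `ls -le <file>` and `xattr <file>`; a file that trips the check should stay unopened until the host has Apple's fix, since the real remediation is the improved check in macOS rather than editing the file's ACL by hand.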

Tags: Gatekeeper Bypass bug


Sep 28 2022

5 Books Every API Hacker Should Read

If you’re into web API security testing, then you know that API hacking books are a valuable resource. They can teach you new things, introduce you to new concepts around breaking web application programming and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 5 essential books for any API hacker!

API security and you

So before I go through the list of book recommendations, I want to preface that if you are a security researcher who wants to conduct web API security testing, the reality is it’s just as important to focus on the web applications themselves.

As such, a crash course in web hacking fundamentals never hurts. So some of my recommendations may seem more focused on that than on breaking web application programming interfaces.

You may also notice that I also recommend a few books that focus on bounty programs and make it possible to make a living as you break APIs.

The point is, regardless of where you are in your API hacking career, these books can help. I have organized them in such a way that if you can’t afford to buy them all just yet, start from the top and work your way down.

Book #1 : Hacking APIs: Breaking Web Application Programming Interfaces

Link: Hacking APIs: Breaking Web Application Programming Interfaces

Book Review

This is one of the few books that is actually dedicated to API hacking.

This book is a great resource for anyone who wants to learn more about API security and how to hack into web applications. It provides in-depth information on how to break through various types of APIs, as well as tips on how to stay ahead of the curve in this rapidly changing field. Corey also shares his own personal experiences with API hacking, which makes the content even more valuable. If you’re interested in learning more about API security and want to start from the basics, then this is the perfect book for you!

Book #2 : The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

Link: The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

Book Review

This book is a tome of information. It's the oldest book on the list and by far the largest.

The Web Application Hacker’s Handbook is an essential read for anyone looking to understand how web application vulnerabilities are discovered and exploited. The book is filled with in-depth technical information and real-world examples that will help you understand the inner workings of web applications and how to protect them from potential attacks.

One of the best features of this book is the “Hands-On” sections, which provide you with step-by-step instructions on how to find and exploit various vulnerabilities. This makes it an ideal resource for both beginner and experienced hackers alike.

If you’re looking to beef up your skills in web application security, then The Web Application Hacker’s Handbook is a must-read!

Book #3 : Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Link: Web Application Security: Exploitation and Countermeasures for Modern Web Applications 1st Edition

Book Review

Sometimes before focusing on offense, we have to know defensive tactics.

This book provides in-depth coverage of all the major areas of web application security, from vulnerabilities and exploits to countermeasures and defense strategies. Written by security expert Andrew Hoffman, this book is packed with real-world examples and step-by-step instructions that will help you understand how developers protect their web applications from potential attacks.

If you’re serious about web application security, then this is the perfect book for you!

Book #4 : Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities

Link: Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities

Book Review

If you are looking at being an independent security researcher focused on web API security testing, finding high payout API bugs may be important.

Bug Bounty Bootcamp is a guide to becoming a bug bounty hunter. The book covers the basics of hunting for bugs, including how to find and report them. It also includes a number of case studies of successful bug bounty hunting, detailing methods and strategies.

In chapter 24 of the Expert Techniques section, Vicki goes deeper into discussing multiple API attack techniques.

Overall, Bug Bounty Bootcamp is an informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting.

Book #5 : Real-World Bug Hunting: A Field Guide to Web Hacking

Link: Real-World Bug Hunting: A Field Guide to Web Hacking

Book Review

“Real-World Bug Hunting” is a brilliant resource for anyone who aspires to be a professional bug hunter. The book is written by Peter Yaworski, who is himself a professional bug hunter.

He begins by delving into the mindset of a bug hunter – what drives them to find vulnerabilities in software and systems? He then provides an overview of the bug hunting process, from identifying potential targets to writing up a report. The bulk of the book is devoted to teaching readers how to find and exploit common web application vulnerabilities.

Yaworski provides clear and concise explanations of each vulnerability, along with examples of real-world exploits. He also offers advice on how to avoid getting caught by security teams and how to maximize the value of your findings. “Real-World Bug Hunting” is an essential read for anyone who wants to make a career out of finding bugs.

Conclusion

These five books are essential readings for anyone interested in hacking APIs. They provide detailed information on how to find and exploit vulnerabilities, as well as defensive tactics and strategies. If you want to be a successful API bug bounty hunter, then these books will also give you the tools and techniques you need to get started.

InfoSec Books

So You Want to Write an Infosec Book? | Chris Sanders

Tags: API books, InfoSec books


Aug 15 2022

Patch Madness: Vendor Bug Advisories Are Broken, So Broken

Category: Bug Bounty, Information Security, Vendor Assessment | DISC @ 12:56 pm

Dustin Childs and Brian Gorenc of ZDI take the opportunity at Black Hat USA to break down the many vulnerability disclosure issues making patch prioritization a nightmare scenario for many orgs.


BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.

That’s the argument that Brian Gorenc and Dustin Childs, both with Trend Micro’s Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, “Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories.”

ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.

“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”

The Trouble With CVSS Scores & Patching Priority

Tags: Vendor Bug Advisories


Jan 31 2022

Expert earned $100,500 bounty to hack Apple MacBook webcam and microphone

Category: Bug Bounty | DISC @ 10:26 am

Apple last year addressed multiple macOS vulnerabilities discovered by the security researcher Ryan Pickren in the Safari browser that could allow threat actors to access users’ online accounts, microphone, and webcam.

Pickren received a total of $100,500 in payouts for these issues as part of Apple's bug bounty program.

The security researcher chained the vulnerabilities in iCloud Sharing and Safari 15 to gain unauthorized camera access. An attacker can trick victims into clicking "open" on a popup from the attacker's website in order to hijack multimedia permissions and gain full access to every website ever visited by the victim.

The expert pointed out that an attacker could exploit this attack chain to turn on the user's camera, and also to hack their iCloud, PayPal, Facebook, Gmail, and other accounts.

“My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click “open” on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too.” reads the post published by the expert. “This research resulted in 4 0day bugs ( , , and two without CVEs), 2 of which were used in the camera hack. I reported this chain to Apple and was awarded $100,500 as a bounty.”

The bugs reside in the iCloud file-sharing mechanism named ShareBear. The iCloud Sharing application ShareBear prompts users only when they attempt to open a shared document for the first time; once the user has agreed to open the file, subsequent actions never display the prompt again. Pickren exploited this behavior by altering the file's content and file extension after the user agreed to open it.

CVE-2021-30861 is a logic issue in WebKit that could allow a malicious application to bypass Gatekeeper checks. The flaw was reported by Wojciech Reguła (@_r3ggi) and Ryan Pickren (ryanpickren.com). The second bug, tracked as CVE-2021-30975, resides in the Script Editor and could allow a malicious OSAX scripting addition to bypass Gatekeeper checks and circumvent sandbox restrictions.

“Once the user clicks Open, the file is downloaded onto the victim’s machine at the location /Users/<user>/Library/Mobile Documents/com~apple~CloudDocs then automatically opened via Launch Services. Then the user will never see this prompt again. From that point forward, ShareBear (and thus any website in Safari) will have the ability to automatically launch this file.” continues the post. “The truly problematic part of this agreement is that the file can be changed by anybody with write access to it. For example, the owner of the file could change the entire byte content and file extension after you agree to open it. ShareBear will then download and update the file on the victim’s machine without any user interaction or notification.”

A bug bounty hunting journey

Tags: A bug bounty hunting journey, MacBook


Nov 24 2021

Reconnaissance for Bug Bounty Hunters & Pentesters

Category: Bug Bounty, Pen Test | DISC @ 10:49 pm

New to the bug bounty and confused about where to start? Worry not! This reconnaissance for bug bounty hunters guides you to take the first step in bug bounty hunting.

Reconnaissance is the initial step in every penetration test, bug bounty, or ethical hacking engagement. This step aims to gather information about the target that is publicly available on the internet.

Publicly available data offers technical details about the network structure and systems. However, it also contains information about personnel and the firm that might be valuable later in the attack.

Two types of cyber reconnaissance are:

  • Passive Information Gathering
  • Active Information Gathering

Let’s utilize some suitable tools and gather the target’s information passively first. The tools I will use to collect the target’s data will be:

  • Passive Recon Tools
    • Google Dork
    • Netcraft
    • WHOIS
    • Social Media
  • Active Recon Tools
    • Nmap
    • GoBuster
    • Dig

The above-mentioned tools are not the only tools; there are many tools available for data gathering which you can utilize.


A bug bounty hunting journey: Overcome your limits and become a successful hunter

Tags: Bug Bounty Hunters & Pentesters


Sep 15 2021

Serious Security: How to make sure you don’t miss bug reports!

Category: Bug Bounty | DISC @ 11:11 am

Articles in our Serious Security series are often fairly technical, although we nevertheless aim to keep them free from jargon.

In the past, we’ve dug into topics that include: website hacking (and how to avoid it), numeric computation (and how to get it right), and post-quantum cryptography (and why we’re getting it).

Helping others to help you

This time, however, the Serious Security aspect of the article isn’t really technical at all.

Instead, this article is a reminder of how you can make it easy for people to help you with cybersecurity, and why you want to help them to do just that.


Tags: Bug Bounty Hunter, Bug Report


Feb 09 2021

Beware of technical “experts” bombarding you with bug reports

Category: Bug Bounty | DISC @ 10:57 pm

We’re all appalled at scammers who take advantage of people’s fears to sell them products they don’t need, or worse still products that don’t exist and never arrive.

Worst of all, perhaps, are the scammers who offer products and services that do exactly the opposite of what they claim – making their victims pay up simply to make them even easier to defraud in future.

Well-known cyberexamples of this sort of fraud include:

  • Fake technical support incidents. These are the web popups or the phone calls you get out of the blue that report ‘viruses’ on your computer, and persuade you to ‘hire’ the services of an online ‘expert’ to remove them. Often these victims are lonely, vulnerable, and particularly ill-placed to deal with the financial loss. The scammers then target those individuals repeatedly and, in some cases we have heard, with ever-increasing aggression.



Jan 27 2021

IN RARE ADMISSION, APPLE SAYS THREE SECURITY BUGS ‘ACTIVELY EXPLOITED’ BY HACKERS

Category: Bug Bounty, Information Security | DISC @ 12:17 pm


Jan 18 2021

Apple paid a $50,000 bounty to two bug bounty hunters for hacking its hosts

Category: Bug Bounty, Hacking | DISC @ 3:22 pm