Posts tagged Google

4 min News

State-Sponsored Threat Actors Target Security Researchers

On Monday, Google’s Threat Analysis Group published a blog on a widespread social engineering campaign that targeted security researchers working on vulnerability research and development.

5 min Cloud Infrastructure

How to Set Up InsightVM in Your Google Cloud Environment

In this blog post, we’ll go over how to set up our vulnerability scanner, InsightVM in your Google Cloud and how to tweak it for your environment.

2 min Metasploit

Metasploit, Google Summer of Code, and You!

Spend the summer with Metasploit I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page [https://summerofcode.withgoogle.com/about/] sums it up nicely: > Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from univer

2 min API

Mobile App & API Security - Application Security's "Where Waldo"

A version of this blog was originally posted on Feb. 1, 2013 As I have discussed in previous posts and at conferences, like OWASP AppSecUSA, while the number of attacks continue to increase, the attack techniques aren't new at all. They are actually the same old attacks like SQL Injection showing up in new places including API's, mobile application services and AJAX applications. Because these newer technologies have exploded in popularity and become more mainstream, we keep seeing these same o

1 min Android

Disclosure: Android Chrome Address Bar Spoofing (R7-2015-07)

Android Chrome Address Bar Spoofing (R7-2015-07) Summary Due to a problem in handling 204 "No Content" responses combined with a window.open event, an attacker can cause the stock Chrome browser on Android to render HTML pages in a misleading context. This effect was confirmed on an Android device running Lollipop (5.0). An attacker could use this vulnerability to convince a victim of a phishing e-mail, text, or link to enter private credentials to an untrusted page controlled by the attacker.

2 min Android

R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)

Vulnerability Summary Due to a lack of complete coverage for X-Frame-Options [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO) support on Google's Play Store [https://play.google.com/] web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play S

3 min Cloud Infrastructure

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business

You may fear that cloud services jeopardize your organization's security. Yet, your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow IT and to enable your business to use it securely to increase productivity and keep up with the market. Step one: Find out which cloud services your organization is using First, you'll want to figure out what is act

2 min Android

Metasploit Weekly Wrapup: Another Android Universal XSS

Click and Get Owned on Android... Again This week, we landed another Metasploit exploit for another Android WebView vulnerability [http://www.rapid7.com/db/modules/auxiliary/gather/android_object_tag_webview_uxss] ; this time, it's a problem that occurs when replacing the "data" attribute of a given HTML object with a JavaScript URL scheme. Like the last Android security disaster [/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041] we made a lot of noise about, this affects the st

1 min Android

Android browser privacy bug explained [VIDEO]: Whiteboard Wednesday

todb [https://community.rapid7.com/people/todb]'s post earlier this week about the flaw in Android's Open Source Platform browser [/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041] has been getting a lot of attention this week, and for good reason: By the numbers, Android 4.2 and earlier builds have the vulnerable browser in question, and about 75% of Androids in the world today are using pre-4.4 builds. While not everyone uses the AOSP browser on their phone—certainly Firefox,

3 min Product Updates

Weekly Update: Apache Struts Exploit, Android Meterpreter, and New Payloads

Apache Struts Exploit This week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console [https://github.com/Console] Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645 [http://www.osvdb.org/93645], disclosed on May 23, 2013, a bare two weeks ago, and originally discovered by Eric Kobrin and Douglad Rodrigues. The reason why I bring this up is not just because it's a solid exploit f