Questions? Call 877-752-7170 or contact@fyrmassociates.com

Exploit

macOS Spotlight Data Leak (Vulnerability Fixed)

For a period of time, it was possible to read snippets of memory on a screen-locked macOS system from the USB port.

A while back we noticed some interesting files created by macOS when inserting a USB drive. These files were related to Spotlight, macOS’s built-in search functionality, which indexes and enables searching of files on the system, among other things. The presence of the files is fairly standard: an invisible /Volumes/<Volume Name>/.Spotlight-V100/ directory is added to every USB drive inserted into a macOS system when Spotlight indexes the files on that drive. However, while analyzing some of the file contents, it appeared that content from several emails (subject lines, email addresses, snippets of message contents) was stored among this data, specifically in the .store.db file, which serves as Spotlight’s metadata store. This was alarming, as this email data had never been purposely stored on that USB drive. The implications were obviously pretty big: sensitive data from a macOS system could be inadvertently leaked to a removable USB drive by the OS and potentially exposed without the user’s knowledge.


XAB Presentation @ USF Whitehatters Club

I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!


XAB – Cross Site Scripting Anonymous Browser updated and seeking help

in Tools

A new release of XAB, the framework that allows one to browse the web via XSS, is now available. This release accommodates all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at SourceForge: [xab.sourceforge.net](https://sourceforge.net/projects/xab/).

We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community driven effort to expand the possibilities of what can be done with XSS.


XAB Presentation @ OWASP DC Chapter Meeting on 9/2

I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found [here](http://www.owasp.org/index.php/Washington_DC). See you there!
