Latest News & Research

  • Blog

    Marcher - Android banking Trojan on the rise

    Pham Duy Phuc, Niels Croese & Han Sahin, February 2017

    In the past months, many different banking Trojans for the Android platform have received media attention. One of these, called Marcher, seems to be especially active, with new samples appearing on a daily basis. This malware variant also appears to be technically superior to many other banking Trojans: it is able to use its overlay attack even on Android 6, which contains technical improvements over previous Android versions intended to prevent such attacks.

  • Blog

    AutoRun is dead, long live AutoRun

    Yorick Koster, February 2017

    This blog explains how the Windows AutoRun feature can be exploited to run arbitrary code. While running software automatically is no longer possible on recent versions of Windows, there are still possibilities to trick a user into running malicious software from a USB thumb drive - handy if you're Red Teaming for example. In this blog I'll explain how this can be done using a USB armory. Note that this technique can also be done using other similar devices, but the armory's form factor makes it especially suitable for this purpose.

  • Advisory

    Authentication bypass vulnerability in Western Digital My Cloud

    Remco Vermeulen, January 2017

    It was discovered that Western Digital My Cloud is affected by an authentication bypass vulnerability. By exploiting this vulnerability, an unauthenticated attacker can bypass the login functionality and gain full control of the device.

  • Blog

    Spot The Bug challenge 2016 write-up

    Sipke Mellema, January 2016

    Write-up for the Securify Spot The Bug challenge held in December 2016. It was a close call this year, as the top submissions are of excellent quality. People submitted entire reports with recommendations and risk analysis, and some even rewrote parts of the code! The top two reports were submitted by:

    1. Egidio Romano from Karma(In)Security
    2. Thomas Chauchefoin from Synacktiv

    Congratulations Egidio, for winning the bitcoin!

  • Advisory

    Multiple blind SQL injection vulnerabilities in FormBuilder WordPress Plugin

    Burak Kelebek, July 2016

    Multiple blind SQL injection vulnerabilities were found in the FormBuilder WordPress Plugin. This allows an attacker, provided he has Author or higher privileges, to extract arbitrary data (e.g. the Administrator's password hash) from the WordPress database. Since there is no CSRF protection in place, an attacker could also lure a logged-in Author into performing malicious SQL commands on the database.

  • Advisory

    Cross-Site Request Forgery vulnerability in FormBuilder WordPress Plugin allows plugin permissions modification

    Burak Kelebek, July 2016

    A Cross-Site Request Forgery vulnerability has been encountered in the FormBuilder WordPress Plugin. This issue allows an attacker to change permission settings for the plugin by luring a logged on WordPress Administrator into following a malicious link.

  • Advisory

    Persistent Cross-Site Scripting vulnerability in User Access Manager WordPress Plugin

    Burak Kelebek, July 2016

    A persistent Cross-Site Scripting vulnerability has been encountered in the User Access Manager WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

  • Advisory

    InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection vulnerability

    Yorick Koster, June 2016

    A PHP Object injection vulnerability was found in the InfiniteWP Client WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

  • Advisory

    CMS Commander Client WordPress Plugin unauthenticated PHP Object injection vulnerability

    Yorick Koster, June 2016

    A PHP Object injection vulnerability was found in the CMS Commander Client WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

  • Advisory

    Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability

    Yorick Koster, June 2016

    A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

  • Advisory

    Google Analytics Counter Tracker WordPress Plugin unauthenticated PHP Object injection vulnerability

    Remco Vermeulen, July 2016

    A PHP Object injection vulnerability was found in the Google Analytics Counter Tracker WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

  • Advisory

    Cross-Site Request Forgery in Insert Html Snippet WordPress Plugin

    Yorick Koster, July 2016

    It was discovered that the Insert Html Snippet WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update an existing HTML snippet. This can be used to insert arbitrary HTML and scripting code within a post or page that uses the snippet. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

  • Blog

    Pwning WordPress with Cross-Site Scripting

    Yorick Koster, November 2016

    Last July we organized the Summer of Pwnage, which resulted in 118 security findings in WordPress Core and Plugins. By far the most common vulnerability class is Cross-Site Scripting: 66% of the findings fall into this category. When targeting a WordPress Administrator, Cross-Site Scripting can result in a full compromise of the WordPress site. In this blog I'll describe one method to achieve this.

  • Blog

    Spot The Bug challenge December 2016. Win the BitCoin!

    Securify, November 2016

    At Securify we are hunting down bugs in our clients' code. It is a demanding task, but we enjoy every bit of it! Every year we release a Spot The Bug challenge. Do you think that you can spot the security bug(s) in this code?

  • Advisory

    Stored Cross-Site Scripting in Gallery - Image Gallery WordPress Plugin

    Sipke Mellema, July 2016

    A persistent Cross-Site Scripting vulnerability was found in the Gallery - Image Gallery plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

  • Advisory

    Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin

    Yorick Koster, July 2016

    A Cross-Site Scripting vulnerability was found in the WP Canvas - Shortcodes WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. This issue can be exploited by authenticated users with the Contributor or higher role.

  • Advisory

    Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF

    Sipke Mellema, July 2016

    A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

  • Advisory

    Cross-Site Scripting in Huge IT Portfolio Gallery WordPress Plugin

    Antonis Manaras, July 2016

    A Cross-Site Scripting vulnerability was found in the Huge IT Portfolio Gallery WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

  • Advisory

    Cross-Site Scripting in Check Email WordPress Plugin

    Antonis Manaras, July 2016

    A Cross-Site Scripting vulnerability was found in the Check Email WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

  • Advisory

    Cross-Site Scripting in All In One WP Security & Firewall WordPress Plugin

    Yorick Koster, July 2016

    A Cross-Site Scripting vulnerability was found in the All In One WP Security & Firewall Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
