Home routers are the first and sometimes last line of defense for a network . Despite this fact , many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market . As security researchers , we are often disappointed to rediscover that this is not always the case , and that sometimes these vulnerabilities simply fall into our hands during our day-to-day lives . Such is the story of the two NETGEAR vulnerabilities I want to share Vulnerability-related.DiscoverVulnerability with you today : It was a cold and rainy winter night , almost a year ago , when my lovely NETGEAR VEGN2610 modem/router lost connection to the Internet . I was tucked in bed , cozy and warm , there was no way I was going downstairs to reset the modem , `` I will just reboot it through the web panel '' I thought to myself . Unfortunately I could n't remember the password and it was too late at night to check whether my roommates had it . I considered my options : Needless to say , I chose the latter . I thought to myself , `` Well , it has a web interface and I need to bypass the authentication somehow , so the web server is a good start . '' I started manually fuzzing the web server with different parameters , I tried `` .. / .. '' classic directory traversal and such , and after about 1 minute of fuzzing , I tried `` … '' and I got this response : Fig 1 : unauth.cgi `` Hmm , what is that unauth.cgi thingy ? Luckily for me the Internet connection had come back on its own , but I was now a man on a mission , so I started to look around to see if there were any known vulnerabilities for my VEGN2610 . I started looking up what that `` unauth.cgi '' page could be , and I found 2 publicly disclosed Vulnerability-related.DiscoverVulnerability exploits from 2014 , for different models that manage to do unauthenticated password disclosure . Those two guys found out Vulnerability-related.DiscoverVulnerability that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials . I tested the method described in both , and voila - I have my password , now I can go to sleep happy and satisfied . I woke up the next morning excited by the discovery , I thought to myself : `` 3 routers with same issue… Coincidence ? Luckily , I had another , older NETGEAR router laying around ; I tested it and bam ! I started asking people I knew if they have NETGEAR equipment so I could test further to see the scope of the issue . In order to make life easier for non-technical people I wrote a python script called netgore , similar to wnroast , to test for this issue . I am aware of that and that is why I do n't work as a full time programmer . As it turned out , I had an error in my code where it did n't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead , but somehow it still managed to get the credentials ! After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I have n't seen anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models . A full description of both of these findings as well as the python script used for testing can be found here . The vulnerabilities have been assigned Vulnerability-related.DiscoverVulnerability CVE-2017-5521 and TWSL2017-003 . The Responsible Disclosure Process This is where the story of discovery ends and the story of disclosure begins . Following our Responsible Disclosure policy we sent both findings Vulnerability-related.DiscoverVulnerability to NETGEAR in the beginning of April 2016 . In our initial contact , the first advisory had 18 models listed as vulnerable Vulnerability-related.DiscoverVulnerability , although six of them did n't have the vulnerability in the latest firmware . Perhaps it was fixed Vulnerability-related.PatchVulnerability as part of a different patch cycle . The second advisory included 25 models , all of which were vulnerable Vulnerability-related.DiscoverVulnerability in their latest firmware version . In June NETGEAR published a notice that provided Vulnerability-related.PatchVulnerability a fix for a small subset of vulnerable routers and a workaround for the rest . They also made the commitment to working toward 100 % coverage for all affected routers . The notice has been updated several time since then and currently contains 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability now , and 2 models that they previously listed as vulnerable Vulnerability-related.DiscoverVulnerability , but are now listed as not vulnerable Vulnerability-related.DiscoverVulnerability . In fact , our tests show that one of the models listed as not vulnerable Vulnerability-related.DiscoverVulnerability ( DGN2200v4 ) is , in fact , vulnerable and this can easily be reproduced with the POC provided in our advisory . Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch Vulnerability-related.PatchVulnerability more models . Over that time we have found Vulnerability-related.DiscoverVulnerability more vulnerable models that were not listed in the initial notice , although they were added later . We also discovered Vulnerability-related.DiscoverVulnerability that the Lenovo R3220 router is powered by NETGEAR firmware and it was vulnerable Vulnerability-related.DiscoverVulnerability as well . Luckily NETGEAR did eventually get back to us right before we were set to disclose Vulnerability-related.DiscoverVulnerability these vulnerabilities publicly . We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose Vulnerability-related.DiscoverVulnerability to NETGEAR only to be met with frustration . The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline . The second change made us more confident that NETGEAR was not just serious about patching Vulnerability-related.PatchVulnerability these vulnerabilities , but serious about changing how they handle third-party disclosure in general . We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR , but , in the end , will result in a more secure line of products and services . For starters , it affects a large number of models . We have found Vulnerability-related.DiscoverVulnerability more than ten thousand vulnerable devices that are remotely accessible . The real number of affected devices is probably in the hundreds of thousands , if not over a million . The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing .

Skirt Club is a place for lesbian and bisexual women to play out their fantasies , and it ’ s known for being discreet . But that doesn ’ t seem to apply when it comes to the online privacy component , according to Vice Germany . All the data collected by us is stored on a secure server . Not enough , according to Vice , which reported that Skirt Club kept members ’ photos easily accessible online . With more than 5,000 members worldwide – many of whom are not open about this part of their lives – the potential privacy violations are significant . Vice included an example of those compromised : a 39-year-old woman who had been married for 15 years and said in her profile that “ No one knows that I am bi in my environment . Vice Germany investigated after anonymous sources contacted the publication to voice concerns with the site , which went dark around 1 pm . Vice published a feature on Skirt Club in October 2016 , which is probably why it was contacted about this . After they looked into those claims , the editors found that at that time , thousands of personal images that members had uploaded in order to join Skirt Club were accessible to non-members – photos of users partially or fully naked , often recognizable , sometimes even with their names mentioned in the image . You didn ’ t need to hack the site to see – they weren ’ t password protected and anyone curious enough to make a bit of an effort could view and download the photos . Vice was particularly critical of how Skirt Club dealt with the issue : After VICE Germany reported Vulnerability-related.DiscoverVulnerability the security issues to Skirt Club in mid-December 2016 , it took Skirt Club more than three weeks to patch Vulnerability-related.PatchVulnerability the issue . The users ’ pictures and data aren ’ t accessible any more , but the security issue isn ’ t resolved completely – and at the time of publication , Skirt Club hasn ’ t informed users of the former problem . Naked Security reached out to Skirt Club , which directed press inquiries toward its attorney : Skirt Club is directing all media enquiries to its lawyer , Dr Sebastian Gorski at Schertz Bergmann Rechtsanwälte in Berlin .

Will Strafach , CEO of Sudo Security Group , said Vulnerability-related.DiscoverVulnerability he found Vulnerability-related.DiscoverVulnerability 76 iOS apps that are vulnerable Vulnerability-related.DiscoverVulnerability to an attack that can intercept protected data . TLS is used to secure an app ’ s communication over an internet connection . Without it , a hacker can essentially eavesdrop over a network to spy on whatever data the app sends , such as login information . “ This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use , ” Strafach said . “ This can be anywhere in public , or even within your home if an attacker can get within close range ” . Strafach discovered Vulnerability-related.DiscoverVulnerability the vulnerability in the 76 apps by scanning them with his company-developed security service , verify.ly , which he 's promoting . It flagged “ hundreds of applications ” with a high likelihood of data interception . He ’ s so far confirmed Vulnerability-related.DiscoverVulnerability that these 76 apps possess the vulnerability . He did so by running them on an iPhone running iOS 10 and using a proxy to insert an invalid TLS certificate into the connection . Strafach declared Vulnerability-related.DiscoverVulnerability that 43 of the apps were either a high or medium risk , because they risked exposing login information and authentication tokens . Some of them are from “ banks , medical providers , and other developers of sensitive applications , ” he said . He 's not disclosing Vulnerability-related.DiscoverVulnerability their names , to give them time to patch Vulnerability-related.PatchVulnerability the problem . The remaining 33 apps were deemed low risks because they revealed only partially sensitive data , such as email addresses . They include the free messaging service ooVoo , video uploaders to Snapchat and lesser-known music streaming services , among many others . In all , the 76 apps have 18 million downloads , according to app market tracker Apptopia , Strafach said . It ’ ll be up to the app developers to fix Vulnerability-related.PatchVulnerability the problem , but it only involves changing a few lines of code , says Strafach , who ’ s been trying to contact the developers . He included some warnings for developers in the blog post . “ Be extremely careful when inserting network-related code and changing application behaviors , ” he wrote . “ Many issues like this arise from an application developer not fully understanding the code they ’ ve borrowed from the web ” . Users of affected apps can protect themselves by turning off the Wi-Fi when in a public location , Strafach says . That will force the phone to use a cellular connection to the internet , making it much harder for any hacker to eavesdrop unless they use expensive and illegal equipment , Strafach said

In a string of attacks that have escalated over the past 48 hours , hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks , government agencies , and large Internet companies . The code-execution bug resides in Vulnerability-related.DiscoverVulnerability the Apache Struts 2 Web application framework and is trivial to exploit . Although maintainers of the open source project patched Vulnerability-related.PatchVulnerability the vulnerability on Monday , it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update , researchers are warning Vulnerability-related.DiscoverVulnerability . Making matters worse , at least two working exploits are publicly available . `` We have dedicated hours to reporting to companies , governments , manufacturers , and even individuals to patch Vulnerability-related.PatchVulnerability and correct the vulnerability as soon as possible , but the exploit has already jumped to the big pages of 'advisories , ' and massive attempts to exploit the Internet have already been observed . '' Researchers at Cisco Systems said they are seeing a `` high number of exploitation events '' by hackers attempting to carry out a variety of malicious acts . One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker 's choice . The payloads include `` IRC bouncers , '' which allow the attackers to hide their real IP address during Internet chats ; denial-of-service bots ; and various other packages that conscript a server into a botnet . `` These are several of the many examples of attacks we are currently observing and blocking , '' Cisco 's Nick Biasini wrote . `` They fall into two broad categories : probing and malware distribution . The payloads being delivered vary considerably , and to their credit , many of the sites have already been taken down and the payloads are no longer available . '' The vulnerability resides in Vulnerability-related.DiscoverVulnerability what 's known as the Jakarta file upload multipart parser , which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function . Apache Struts versions affected by Vulnerability-related.DiscoverVulnerability the vulnerability include Struts 2.3.5 through 2.3.31 , and 2.5 through 2.5.10 . Servers running any of these versions should upgrade to Vulnerability-related.PatchVulnerability 2.3.32 or 2.5.10.1 immediately . It 's not clear why the vulnerability is being exploited Vulnerability-related.DiscoverVulnerability so widely 48 hours after a patch was released Vulnerability-related.PatchVulnerability . One possibility is that the Apache Struts maintainers did n't adequately communicate the risk . Although they categorize Vulnerability-related.DiscoverVulnerability the vulnerability security rating as high , they also describe Vulnerability-related.DiscoverVulnerability it as posing a `` possible remote code execution '' risk . Outside researchers , meanwhile , have said the exploits are trivial to carry out , are highly reliable , and require no authentication . It 's also easy to scan the Internet for vulnerable servers . It 's also possible to exploit the bug even if a Web application does n't implement file upload functionality . Update 3/9/2017 10:07 California time : In a comment to this post , Ars Technology Editor Peter Bright provides Vulnerability-related.PatchVulnerability a much more plausible explanation for the delay in patching Vulnerability-related.PatchVulnerability this highly critical vulnerability . Most bug fixes Vulnerability-related.PatchVulnerability , he pointed out , require downloading and installing a patch , possibly rebooting a machine , and being done with it .