Sekurity is hard – vulnerable to XSS


By William Knowles @c4i
Senior Editor
InfoSec News
August 22, 2014

On 21 August 2014 the security researcher E1337 reported to XSSposed (XSS exposed) that has an XSS (Cross-Site Scripting) vulnerability; the site currently has 2 vulnerabilities in total reported by security researchers.

Cross-Site Scripting (XSS) is the injection of specially crafted data into existing Web applications. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting is listed as the number three vulnerability on the OWASP Top 10 list for 2013. XSS attacks are becoming more and more sophisticated and are being used in combination with spear phishing, social engineering and drive-by attacks.

The vulnerability is still unpatched, putting users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the least dangerous consequences of XSS attacks.

You can request to check if the vulnerability was patched or not by clicking here.


Black Hat, BSides Las Vegas and Def Con 2014 Coverage


By William Knowles @c4i
Senior Editor
InfoSec News
August 6, 2014

For those of you not in Las Vegas for Black Hat, BSides or Defcon, the InfoSec News mailing list still works. I’ll be doing my best to cover Black Hat, BSides, and Defcon, posting infrequently and maybe taking a little break from things at least ’til next Tuesday.


Chinese Collegiate Hacking Team Hacks The Tesla Model S, Well Sort Of…

Tesla Sightings

By William Knowles @c4i
Senior Editor
InfoSec News
July 18, 2014

A team of Chinese collegiate hackers attending the Symposium on Security for Asia Network conference in Beijing have succeeded in breaking into the software used in electric cars made by Elon Musk’s Palo Alto, California-based Tesla Motors.

The South China Morning Post is reporting that a team from Zhejiang University was awarded 10,600 yuan [approximately $1,707.34 USD] by the SyScan 360 Conference, being held July 16th and 17th, 2014 at the Beijing Marriott Hotel Northeast in Beijing, China, where attendees have been invited to hack into a Tesla Model S.

SyScan 360 organisers said on Friday: “Tesla Software Hack Challenge ended with team “yo”, from ZheJiang University, coming in first overall and winning 10,600 Yuan in prize money. No team succeeded in the mission of hacking Tesla’s door and engine within the timeframe of the challenge. Therefore, no one received the grand prize of $10,000 USD.”

Tesla had said it welcomed news of any vulnerabilities discovered as a result of the hacking competition. “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” the company said on Wednesday.

“We hope that the security researchers will act responsibly and in good faith.”

The “yo” team hackers exploited a “flow design flaw” to gain access to the Tesla car’s system, SyScan360 announced on Weibo. The loophole enabled attackers to remotely unlock the vehicle, sound the horn and flash the lights, and open the sunroof while the car was in motion.

SyScan 360 organisers say they have reported the vulnerability to Tesla. Tesla shares TSLA closed at $215.40 a share, down 0.81% from Thursday’s close.

Creative Commons License Steve Jurvetson via Compfight

Hacking a $100K Tesla Model S For Fun and $10K Profit


Amsterdam: Model S @ Tesla Store

By William Knowles @c4i
Senior Editor
InfoSec News
July 14, 2014

At the 2014 SyScan 360 Conference, being held July 16th and 17th, 2014 at the Beijing Marriott Hotel Northeast in Beijing, China, security professionals and hackers paying $319 to attend the conference will have the opportunity to win $10,000 if they can compromise the security of the Tesla Model S.

While the official rules haven’t been released, one could surmise that this will involve gaining control of the vehicle either remotely or physically via the 17-inch touchscreen in the Tesla.

Back in March 2014, Nitesh Dhanjani detailed a cursory evaluation of the Tesla Model S, pointing out threats such as Tesla’s six-character password, which can lead to the Model S being remotely located and unlocked via social engineering, email account compromises, brute-force attacks, malware attacks, phishing attacks, and password leaks.

Dhanjani also noted that the Tesla REST API implicitly encourages credential sharing with untrusted third parties: “The Tesla iOS App uses a REST API to communicate and send commands to the car. Tesla has not intended for this API to be directly invoked by 3rd parties. However, 3rd party apps have already started to leverage the Tesla REST API to build applications.”

The Tesla for Glass application lets users monitor and control their Teslas using Google Glass.

While Tesla has confirmed that it is not officially involved in the SyScan contest, it has taken security very seriously, hiring former Apple security expert Kristin Paget as the “Hacker Princess at Tesla Motors,” creating a Security Vulnerability Reporting Policy, and establishing a Tesla Security Researcher Hall of Fame.

Investors in Tesla shares don’t seem concerned with the contest: TSLA closed at $226.70 a share, up 3.93% from Friday’s close.

harry_nl via Compfight

Former UIC Accounting students alerted to 2002 personal security breach


By William Knowles @c4i
Senior Editor
InfoSec News
July 11, 2014

InfoSec News has learned that notification letters were sent last week to some former students of the University of Illinois at Chicago College of Business Administration whose personal information, including Social Security numbers, was recently found to have been publicly accessible on an unsecured website, in documents dating back to 2002.

Two documents were accessible: a class roster from a Special Topics in Accounting course, ACTG 594, from spring semester of 2002; and the advising list from spring 2002 for all junior and senior accounting majors.

University staff “took immediate action to remove the files from the website and sever connections to the documents,” the letter said.

The university sent the letter to every mailing address it had on file for each individual. Because the university cannot verify that it was successful in reaching all affected parties, this news release is being issued in accordance with Section 10 of the 2006 Illinois Personal Information Protection Act.

Concerned individuals may contact the Federal Trade Commission, Midwest Region, 55 W. Monroe St., Suite 1825, Chicago, IL 60603, 1-877-IDTHEFT (1-877-438-4338) TDD 1-866-653-4261.

Concerned individuals should take precautions against identity theft as suggested by the FTC on its website and may wish to exercise their right to a free annual credit report from each of the three major credit reporting companies, available online at or by calling (877) 322-8228.