voidsec2022-01-14T09:14:37+01:00For whom is following me on Twitter this is not a news, yesterday I was complaining about a Telegram “Feature” in the secret chat context, while for whom doesn’t this should serve as a write-up of the bug that I have discovered (The bug is nothing fancy but something I think people should, at least, know).
Telegram Secret Chat
If you are not practical with the concept of Telegram’s Secret Chat:
“Secret chats are meant for people who want more secrecy than the...
voidsec2022-01-14T09:15:47+01:00(Edited on 06/04: in order to reflect the actual situation)
TL:DR: VPN leaks users’ IPs via WebRTC.
I’ve tested hundred VPN and Proxy providers and 19 of them leaks users’ IPs via WebRTC (16%)
You can check if your VPN leaks visiting: http://ip.voidsec.com
Here you can find the complete list of the VPN providers that I’ve tested: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
Add a comment or send me a tweet if you have updated results for any of the VPN which I am missing details. (especially...
voidsec2022-01-14T09:20:33+01:00This is the main article for the VirIT Explorer Local Privilege Escalation Exploit's, if you are not interested in the methodology and the story behind this vulnerability you can directly jump to the end and reach the exploit section.
As a penetration tester I've realized that Antivirus Solutions are often insecure, they can be easily bypassed and they do not fully protect your system; sometimes they also make you more vulnerable and this is the case.
I will always recommend AV as...
VoidSec Security Team
Date of contact
2nd date of contact
3rd date of contact
Vendor last reply
Date of public disclosure
Phorum Open Source PHP Forum Software
Download the Report [EN]
The purpose of the present project is to assess the security posture of some important aspects of Phorum Forum Software.
Phorum is open source forum software with a penchant for speed. Phorum's very flexible hook and module system can satisfy every web master's needs.
During the web application security assessment for Phorum, VoidSec assessed the following systems using...
voidsec2022-01-14T09:22:05+01:00We are proud to publish an undisclosed vulnerability affecting LinkedIn and in particular its "CSV Export" function.
Following our Vulnerability Disclosure Policy Agreement, LinkedIn Security Team has been informed about this specific issue and this vulnerability will be published without a working PoC.
LinkedIn's users can exports all their connections into a CSV file, that due to some missing filters (escaping output), could allows an attacker to execute a command on the user machine.
An attacker can create a LinkedIn profile embedding a...
Date of contact:
2nd date of contact:
Date of public disclosure:
Avactis PHP Shopping Cart
Download the Report [EN]
Avactis is an open source ecommerce Shopping Cart software. The purpose of the present project is to assess the security posture of some important aspects of Avactis PHP Shopping Cart. The activity is performed through Web Application Penetration Test using Grey Box approach.
Spreading of Files with Malicious Extensions on Upload New Design and Execution in some
Non-Admin PHP Shell...
voidsec2022-01-14T09:24:46+01:00What do an old log file, Wordpress, “some” routers and some Italian ISP have in common?
Apparently nothing but let me explain from the beginning and you will notice how interesting elements can be discovered, starting from an insignificant event.
Friday, February 13, 2015: I was performing ordinary maintenance on my personal website and, while I was analyzing the statistics and logs, I noticed a "strange" recurring pattern:
Anyone who has ever run a WordPress can recognize in this extract of log,...
voidsec2022-01-14T09:25:21+01:00Che cosa hanno in comune un vecchio file di log, Wordpress, una “manciata” di router e degli ISP italiani?
All’apparenza nulla ma lasciatemi spiegare tutto dall’inizio e vedrete come, partendo da un evento poco significativo si possano scoprire elementi quantomeno interessanti.
You can read this article in English here.
Venerdì 13 Febbraio 2015: stavo effettuando ordinaria manutenzione sul mio sito personale quando analizzando le statistiche e I log mi accorsi di un pattern ricorrente e quantomeno “strano”:
Chiunque abbia mai gestito un sito Wordpress...
June 17, 2015
Paolo Stagno ( aka voidsec – [email protected] )
Luca Poletti ( aka kalup – [email protected] )
Download the Report [EN]
In those last days a new social network called minds is getting attention over the internet, it aims to give transparency and protection to user data. Thanks to those last two points the new site has attracted the support of online activists including the hacking collective Anonymous.
We have then decided to give a look to that amazing platform,...
March 03, 2015
January 26, 2015
Download the Report
In Gennaio, il team VoidSec (voidsec, bughardy, smaury) ha realizzato un web application penetration test sulla piattaforma di blogging Ghost.
Ghost è un nuovo content management system dedicato ai blogger che cercano un’alternativa a WordPress. Un crescente numero di utenti ha abbandonato i CMS tradizionali per abbracciare piattaforme più minimali, concentrate sulla lettura e la scrittura, essenziali; in questo Ghost è uno tra i software più popolari e molto utilizzato, sta...