Popcorn Time is Vulnerable to Significant Hack Attacks

The popular file sharing and streaming service Popcorn Time contains critical vulnerabilities that leave it open to XSS attacks, local file disclosure and remote code execution, according to a security researcher.

The security researcher has discovered significant vulnerabilities within the popular file streaming service Popcorn Time, potentially allowing attackers to gain complete access and control of a computer connected to the service. The researcher made a comprehensive account of his findings in a blog post.

Popcorn Time has always been a target of anti-piracy companies and the MPAA (Motion Picture Association of America), and now finds itself under threat from a different adversary.

The Vulnerability

Antonios Chariton, aka ‘DaKnOb’, the researcher who discovered the vulnerability, claims to be a security engineer and researcher studying in Greece for his B.Sc. in Computer Science.

“There are two reasons that made me look into Popcorn Time,” said Chariton. “First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.”

The engineering student notes that, initial concerns aside, the problems really flare up when Popcorn Time initiates a “really smart” process to bypass the blockades set by ISPs (Internet Service Providers) in the UK. The streaming service manages this by using the CloudFlare infrastructure as part of its setup and connectivity process. As a result, ISPs find it nearly impossible to block Popcorn Time by DNS alone without banning CloudFlare entirely.

Clever as the maneuver around the blockade is, the problems that come with it are clear.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man in the Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” explains Chariton.

“The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

Building on this, Chariton was able to carry out a “content spoofing” attack that let him change the title of a movie. Case in point: he gave the movie Hot Pursuit the title “Hello World” instead.

[Image: Popcorn Time content spoofing (Image credit: Daknob Blog)]

At this point Chariton launched an XSS attack. By injecting JavaScript into the spoofed content, he had the Popcorn Time client execute it, which gave him complete control of the application. He was only getting started, however.

“This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”
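To make the three mistakes concrete, here is an added example (not Popcorn Time's code or the researcher's) in NodeJS-style JavaScript: a spoofed title rendered as HTML becomes script execution, next to the hardened counterpart for each mistake, namely HTTPS-only fetching, validation of the response, and escaping before rendering. The response body, the field limits and the hostname are constructed for this example.

```javascript
'use strict';

// Constructed sample of a tampered metadata response: the movie title carries
// markup instead of plain text (as in the content-spoofing step above).
const SPOOFED_RESPONSE = JSON.stringify({
  title: 'Hello World<script>evil()</script>',
  year: 2015,
});

// Mistake 3: building HTML by string concatenation lets the embedded browser
// parse a spoofed title as markup instead of displaying it as text.
function renderTitleUnsafe(title) {
  return '<h1 class="title">' + title + '</h1>';
}

// Fix: escape the characters HTML treats specially, so the title can only
// ever be displayed, never interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderTitleSafe(title) {
  return '<h1 class="title">' + escapeHtml(title) + '</h1>';
}

// Mistake 2 fix: validate the decoded response before any field is used.
// The field limits are assumptions chosen for this example.
function validateMovie(json) {
  let obj;
  try { obj = JSON.parse(json); } catch (e) { throw new Error('response is not JSON'); }
  if (typeof obj !== 'object' || obj === null) throw new Error('response is not an object');
  if (typeof obj.title !== 'string' || obj.title.length === 0 || obj.title.length > 200) {
    throw new Error('title must be a non-empty string of at most 200 characters');
  }
  if (/[<>]/.test(obj.title)) throw new Error('title contains markup characters');
  if (!Number.isInteger(obj.year) || obj.year < 1888 || obj.year > 2100) {
    throw new Error('year out of range');
  }
  return { title: obj.title, year: obj.year };
}

// Mistake 1 fix: refuse to fetch metadata over a channel a man in the middle
// can rewrite. Only the scheme is checked here; the host is a placeholder.
function apiUrlOrThrow(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') throw new Error('metadata must be fetched over HTTPS, got ' + u.protocol);
  return u.href;
}

const spoofedTitle = JSON.parse(SPOOFED_RESPONSE).title;
console.log('unsafe:', renderTitleUnsafe(spoofedTitle)); // script tag lands in the DOM
console.log('safe:  ', renderTitleSafe(spoofedTitle));   // shown as inert text
try { validateMovie(SPOOFED_RESPONSE); } catch (e) { console.log('rejected:', e.message); }
```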

Image from PopcornTime Website and Wikipedia.

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.


Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a master degree, now he combines his passions for writing about internet security and technology. When he is not working, he loves traveling and playing games.

1 Comment

  1. Charles Hebdo (August 16, 2015 at 8:27 am)

    Well into a PopcornTime session today, my computer sounded 3 alerts, and a few seconds later, a private Excel file popped open, by itself. I was naturally alarmed, so I proceeded to close my network connection, and check the event log. Noticed an odd SYSTEM logon event dated a few minutes before the incident. A Google update error also showed up. No VNC or similar remote-in software running. Popcorntime Desktop service was the only suspicious thing running…


EOS Price Forecast: EOS/USD Heading for Another 300% Move?


  • EOS/USD price action via the 4-hour chart view has formed a bullish flag pattern.
  • The price is moving around levels seen back end of March to early April, before a bull run of over 300%.

The past six sessions for EOS/USD have been erratic to say the least. It has been subject to a high amount of volatility, swinging aggressively in both directions. There has been a lack of commitment from either the bear or bull camps of late. As the market continues to trade with such behavior, it appears to be trying to find its feet, ahead of a potential chunky firm trend.

EOS DApp Hacked Again

An EOS-based gambling DApp, EOSBet, has been hacked, with $338,000 reported as stolen. This isn’t the first time: back in September, hackers managed to get away with a reported 40,000 EOS, which at the time had a value of $200,000. It has been said that they were able to exploit security vulnerabilities they found in its smart contracts.

Technical Review – 4-hour Chart View

EOS/USD 4-hour chart

EOS/USD price action has formed a bullish flag pattern, which began taking shape on 15th October, after the aggressive price behavior stabilized. The bulls at the time ran the price well up into $6 territory. Consequently, it then met the breached ascending trend line, failing to move back above this area. This followed the sharp breakthrough to the downside, which occurred on 11th October. As a result, a drop of over 15% was seen, forcing EOS/USD to retreat in a demand area, within the $5.0000 level proximity.

Looking to the upside, small near-term resistance is seen at around $5.6100, which is the upper trend line of the mentioned bull flag pattern. A breakout will likely open the doors to a retest of the broken ascending trend line, tracking around $6.1100. Support can be eyed at $5.4600, which marks the lower trend line of the flag. Furthermore, should this fail to hold, EOS/USD could likely fall back down to the serving demand area, within the lower $5.0000 territory.

April 2018 Bull Run

EOS/USD April bull run

In April of this year EOS/USD entered a chunky bull run, gaining over 300%. From the back end of March until 11th April, the price had been stuck in consolidation mode. As a result, the price traded within a tight range, at the levels where it is seen today.

Something quite astonishing then started to unfold. Between 11th April and 29th April, a bull run of around 290% was seen. Over this time frame EOS/USD went from $5.9500 up to a high of around $23.0811. The price is currently demonstrating behavior similar to what was seen during that period. It is interesting to note that the price did have historical levels to break through, as it had already run higher during December 2017 and come back down. Finally, this is not to say EOS/USD will see the same bull run. However, it is an interesting observation to be aware of.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.


Ken has over 8 years’ exposure to the financial markets. During a large part of his career, he worked as an analyst, covering a variety of asset classes: forex, fixed income, commodities, equities and cryptocurrencies. Ken has gone on to become a regular contributor across several large news and analysis outlets.


Crypto Market Development: South Korea’s National Policy Committee Chair Calls For ICO Legalization


  • A member of South Korea’s governing Democratic party and the chairman of Korea’s National Policy Committee, Min Byung-Doo, is urging that the current regulations on Initial Coin Offerings (ICOs) be eased.
  • Min Byung-Doo wants to introduce the necessary regulatory framework to allow ICOs in the country.

Allow ICOs In South Korea

The South Korean National Policy Committee Chief, Min Byung-Doo, is calling for a regulatory framework to be explored that would allow Initial Coin Offerings (ICOs) to take place within the country. He stated that the current prohibition of ICOs weakens the industry’s competitive appeal relative to foreign markets, adding boldly that it is preventing growth.

In his statement to lawmakers, Byung-Doo said, “We can see that the flow of investment is clearly changing compared to ICO and angel fundraising. The ICO has raised $1.7 billion for Telegram and $4 billion for Block.One, it is getting bigger and bigger.”

Further in the statement, Min Byung-Doo said, “Let the government, the National Assembly and the blockchain association quickly create a working group to block fraud, speculation, money laundering and develop the block-chain industry.” However, he acknowledged the government’s reluctance to create the needed framework.

In September 2017, the Financial Services Commission in South Korea announced a ban on ICOs. The law has not yet been enacted.

Crypto Market Reaction

No reaction has been observed so far, despite this determination to further legitimize the digital currency market in South Korea. Crypto market developments in the country are always watched very carefully, given its large crypto market participation. It was reported in December 2017 that South Korea accounted for as much as 17% of all Ethereum trades occurring in cryptocurrency markets.

Market Reactions To South Korean Related News

Ripple (XRP) crashed in January, following CoinMarketCap’s decision to remove XRP price data from Korean exchange desks. As a result, this largely brought down the total average.

XRP/USD Coinmarketcap update triggered drop

On 11th January, Korean crypto exchange Coinrail was hacked, and over $40 million in tokens were stolen. Bitcoin initially dropped over 11% on this.

BTC/USD Coinrail hack triggered drop

One final example, UPbit, a South Korean exchange, was investigated by authorities for illicitly moving customer funds to the account of its executives. Bitcoin initially dropped over 7% on the news.

BTC/USD UPbit investigation triggered drop

Given the above, one should keep an eye on any developments coming out of South Korea for the foreseeable future.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.


  • A group of cryptocurrency exchange operators in Japan is readying to tighten up measures following a recent cyber breach.
  • The action follows a reported hack earlier in the month, in which cryptocurrency exchange Zaif lost an estimated $59.67 million.

Self-Regulatory Group Set To Tighten Rules

The Japan Virtual Currency Exchange Association (JVCEA) is exploring new rules to safeguard against cyber theft, including setting a cap on the amount of digital currencies managed online. This is according to informed sources, as reported by local news outlet the Japan Times.

Informed sources detailed that the cap will likely be around 10 – 20% of customer deposits. The JVCEA is said to be revising its rules soon; these were originally drawn up in June following multiple cyber attacks. They will be implemented once everything has been approved by the Financial Services Agency, as part of the payment services law process in the country.

The move was likely motivated largely by the reported hack earlier in September. The Japanese start-up Tech Bureau said that its cryptocurrency exchange, known as Zaif, had been hacked. Losses were estimated at around $59.67 million of Bitcoin and two other digital currencies: Bitcoin Cash and Monacoin.

Market Reaction

No initial reaction was observed across the cryptocurrency market on this latest update out of Japan as of Sunday 30th September. Despite this, Japan and crypto sell-offs have not uncommonly been mentioned in the same sentence over the past years and even months. This means volatility could be in store for digital assets in the short term.

Back in January of this year, the largest reported hack on a Japanese exchange took place, with Coincheck losing $530 million worth of NEM in a coordinated attack. This incident massively spooked the market and was a heavy contributor to the large sell-off in January. As we’ve observed over the past eight months, the market has yet to reclaim January’s peak (although this can’t be solely attributed to the theft). At the time, South Korea’s Attorney General had already spooked investors with FUD related to the possible banning of digital currencies in the country.

Against this backdrop, investors are advised to pay attention to Japan-related volatility.

BTC/USD weekly chart

Most recently, in June, another sell-off was seen. This one came after Japan’s financial regulator ordered several cryptocurrency exchanges to improve their practices against money laundering. The action led bitFlyer, the country’s largest crypto exchange, to suspend new account creation in order to improve the internal processes that curb money laundering and terrorist financing.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.
