This has been a week that TikTok—the Chinese viral video giant that has soared under lockdown—will want to put quickly behind it. The ByteDance-owned platform was under fire anyway, over allegations of data mishandling and censorship, but then a beta version of Apple’s iOS 14 caught the app secretly accessing users’ clipboards and a backlash immediately followed.



Whether India had always planned to announce its ban on TikTok, along with 58 other Chinese apps, on June 29, or was prompted by the viral response to the iOS security issue is not known. But, as things stand, TikTok has been pulled from the App Store and Play Store in India, its largest market, and has seen similar protests from users in other major markets around the world, including the U.S.Anonymous Hackers Directly Target TikTok: ‘Delete This Chinese Spyware Now’

One of the more unusual groups campaigning against TikTok is the newly awakened Anonymous hactivist group. As ever with Anonymous, it’s difficult to attribute anything to the non-existent central core of this loosely affiliated hacker collective, but one of the better followed Twitter accounts ostensibly linked to the group has been mounting a fierce campaign against TikTok for several weeks, one that has now gained prominence given the events of the last few days.



“Delete TikTok now,” the account tweeted today, July 1, “if you know someone that is using it, explain to them that it is essentially malware operated by the Chinese government running a massive spying operation.”

Delete TikTok now; if you know someone that is using it explain to them it is essentially malware operated by the Chinese government running a massive spying operation. https://t.co/J7N9FS7PvG

— Anonymous (@YourAnonCentral) July 1, 2020

The account linked to a story that has been doing the rounds in recent days, following a Reddit post from an engineer who claimed to have “reverse engineered” TikTok to find a litany of security and privacy abuses. There has been no confirmation yet as to the veracity of these allegations, and TikTok did not provide any comment on the claims when I approached them.




The original issue that prompted Anonymous to target TikTok appears to be the “misrepresentation” of Anonymous on TikTok itself, with the setting up of an account. “Anonymous has no TikTok account,” the same Twitter account tweeted on June 6, “that is an App created as spyware by the Chinese government.”



Those affiliated with Anonymous take exception to copycat accounts, which is complicated by the lack of any central function. In the aftermath of the Minneapolis Police story, someone affiliated with the group took exception to a Twitter account that was monetising the brand, telling me: “We do not appreciate false flag impersonations. There will be consequences.”



See also

• Digital strike on 59 Chinese apps including TikTok, UC Browser, India banned

This has now become an interesting collision of two completely different viral stories in their own right. Anonymous hit the headlines a month ago, when the “group” seemed to mount a comeback in the wake of the killing of George Floyd. A video posted on Facebook threatened to “expose the many crimes” of the Minneapolis Police unless the officers responsible were held to account.



There have been various stories since then, with reports of DDoS attacks on police service websites, the hacking of data and even the compromise of radio systems. But, as ever, with Anonymous, it is always critical to remember that you are seeing that loose affiliation of like-minded individuals, with Anonymous used as a rallying cry and an umbrella for claims and counter-claims. Attribution, as such, is not possible.



This also puts TikTok in the somewhat unique position of having united various governments, including the U.S., and Anonymous behind the same cause.


For TikTok, whether there is any hacking risk following these social media posts we will have to wait and see. Again, you have to remember the way this works. A rallying call has gone out to like-minded hacking communities worldwide. A target has been named and shamed. It would not be a surprise if claims of hacks or DDoS website attacks followed. That’s the patten now.



So, why does this matter? Well, it’s one thing for the U.S. government or even the Indian government to warn hundreds of millions of users about the dangers of TikTok, but various celebrities and influencers have also been swayed by the latest claims and have publicly expressed their concerns. Anonymous is a viral movement that is targeting some of the same user base that has driven TikTok’s growth. It is campaigning against TikTok, and that campaign will drive its own viral message.



And while until now that user base has remained steadfastly resilient to any of those warnings, sticking with the video sharing app in droves, you can start to get the feeling now that come of this might stick. It’s subtle, and it’s always risky to judge the world by the twitter-sphere, but there’s a change now in the wind.



Credit : Forbes

Disclaimer for Hacking Truth

If you require any more information or have any questions about our site's disclaimer, please feel free to contact us by email at kumaratuljaiswal222@gmail.com

 

Disclaimers for Hacking Truth

All the information on this website - https://www.kumaratuljaiswal.in/ - is published in good faith and for general information purpose only. Hacking Truth does not make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this website (Hacking Truth), is strictly at your own risk. Hacking Truth will not be liable for any losses and/or damages in connection with the use of our website.


From our website, you can visit other websites by following hyperlinks to such external sites. While we strive to provide only quality links to useful and ethical websites, we have no control over the content and nature of these sites. These links to other websites do not imply a recommendation for all the content found on these sites. Site owners and content may change without notice and may occur before we have the opportunity to remove a link which may have gone 'bad'.
Please be also aware that when you leave our website, other sites may have different privacy policies and terms which are beyond our control. Please be sure to check the Privacy Policies of these sites as well as their "Terms of Service" before engaging in any business or uploading any information.

 

Consent

By using our website, you hereby consent to our disclaimer and agree to its terms.

Update

Should we update, amend or make any changes to this document, those changes will be prominently posted here.




I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

35 lakh rupees waiting for you even a little knowledge of hacking is there

If you too have a fondness for hacking, you know about coding, then 35 lakh rupees are waiting for you. Sony, the leading electronic company, has announced the bug bounty program for the gaming console PlayStation. Under this program, gamers or any common man may be entitled to this award by removing bugs in the PlayStation 4 and PlayStation Network. Earlier, Sony's PlayStation bug bounty program used to be private, but this year for the first time the company has announced to make it public. hacker101




Announcing this bug bounty program, Sony wrote in its blog, 'It is a fundamental part of our product security that gives a great experience to our community. To strengthen the security, we attach great importance to the research community. We are excited to announce the new bug bounty program. hackerone



The company has partnered with HackerOne for this and under this program, work is going on to find flaws in PS4 system, operating system, accessories and PlayStation network. It must be mentioned here that PS3 and PS2 are not part of this program. Bug Bounty Program








Sony has divided the prize money of Bug Bounty into four parts, which include Critical, High Severity, Medium Severity and Low Severity. For finding Critical Bugs in PlayStation 4, you will get 50,000 dollars i.e. about 38 lakh rupees, while searching for High, Medium and Low Severity bugs will get 10,000 dollars i.e. about 7.5 lakh rupees, 2,500 dollars i.e. two lakh rupees and 500 dollars i.e. about 38,000 rupees respectively. Bug crowd





Talking about the PlayStation Network (PSN), if you find a critical bug in it, then you will get 3,000 dollars i.e. about 2.5 lakh rupees, while on searching for high, medium and low severity bugs, 1,000 dollars i.e. about 75,500 rupees, 400 dollars i.e. 30,000 rupees respectively. 100 dollars i.e. about 7,500 rupees.



I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

Background Concept About Cross Site Scripting ( XSS ) With Examples

Now we are going to talk about XSS cross site scripting. XSS Vulnerabilities are among the most wide spread wab application vulnerabilities on the internet. 


Cross-site-scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicous code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur antwhere a web application uses input from a user within the output  it generates without validating or encoding it. Background concept about cross site scripting with examples



An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browsers has no way to kmow that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens or, other sensitive information retined by the browser and used with that site. cross site scripting with examples



It's refer to client side injection attack where an attacker can execute malicious scripts into a legitimate website or web application.  By leavrging a cross site scipting, an attacker doesn't target the victim directly instead an attacker would exploit a vulnerability within a web applications or websites that the victim would visit essentially using the vulnerable website as a vehicle the deliver the malcious script to the victim's browser. basicallly we will use a website to deliver our payloads to the victime, when victim visit into that they paylaod are will executed and the payload will to our job, payload can be malicious, payload can be simple whatever. xss examples

Let's talk about impact of XSS

1) Cookie theft
2) Keylogging
3) Phishing
4) URL Redirection



cross site scripting can be used to a part of URL redirection. Cookies stealing, Keylogging, Phishing etc.


so, in order to run our javascript malicious script in a victim's browser, an attacker must first find a way to inject a payload into web page. That's the victim visit. 


for exploitation, attacker can used social engineering way such as email, click jacking to manipulate user for executation to our payload.

Let's talk about the Types of XSS...

Mainly cross site scriptings are parts of three types :-


1) Reflected XSS
2) Stored XSS
3) DOM-based XSS




Reflected XSS or  Stored XSS 

It's a most common types of Cross site scripting, attacker payload script has to be part of the request which is send to the website an reflect back in such as a way that the HTTP response includes that the payload.

so, basically reflected cross site scripting are required client site interaction, if user will visit that the vulnerable web page and server will deliver our paylaod to the users browse here, then user stored this but server want any payload,we will deliver our paylaod to the client browser and if client visiting that then there's a client side attacks. sql injection cheatsheet




DOM Based XSS :-

it's a advance type of cross site scripting attack, which be made possibly when the web application client site scripting writes user provides a data into a document objects model. The Most dangerous parts of this attack is client side attacks. how to prevent from sql injection


In the attacker's payload is never sent to the server, this makes it will more to detect web application firewall and security engineers.


so basically let's take example of Reflected, stored and DOM through practially,




This is a website testphp.vulnweb.com


So we will type something in the search box like Hello or HackingTruth.in and hit go button...









so it's a reflected but not stored, it's not storing..
so there may be reflected cross site scripting.



Now. let's click on the signup option and you can try withlogin based application and if i will give a any text like kumaratuljaiswal.in

DOM XSS

if i will give any parameter like hello

paramter=hello


<script></script>


and just executing to the user's context, nor the server side to the sever application, then there may be DOM based...

Example this

prompt.mI/O


this is not sending to the server there are executing to the our context, if i will give anypayload there and it will execute then this is called DOM based scripting. cross site scripting how to prevent


see this








so just only executing on the user's script, nor the server side  nor to the client side.

How to Hunt for XSS ?

• Find a Input parameter, Give any input there and not senitizer then If your input reflect or stored any where there may be XSS.

• Try to execute any javascript code there, if you succeed to execute any javascript then there is a XSS

• Exploitation of XSS.

you'll find a input parameter then give input there , if your input reflect or stored anywhere there may be cross site scripting. cross site scripting example



XSS Cheatsheet Here :- Click Here 



I hope its clear to about The Background concept of cross site scripting :-)

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.

Video Tutorial :-  SooN

 

I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

How Google Chrome will prevent websites from spying on you

As part of its effort to maintain user-privacy, Google Chrome is building a feature that could ultimately keep websites from spying on you.

The capability, which has been spotted in the developer build of the browser, will keep websites from accessing sensor data of your phone/computer.

For those unaware, this information can be used by websites/advertisers for tracking your movements and more. How Google Chrome will prevent websites from spying on you

Tracking using motion sensor

A few years back, a study revealed that potential attackers can use websites to fetch the motion sensor (accelerometer and gyroscope) data from a visitor's device.

The research claimed that the information mined by websites (via different APIs) could be used to determine your movements, including data like if you are moving, standing still, or traveling by car or train.





Information


Then, this information can be used to build user profiles

The movement information from the sensors can then be combined with web activity to build unique profiles of the visitors and track, surveil and monetize them. MSPoweruser claims that sensor information could even be used to recognize your unique walking gait.

Chrome is already working on a preventive method

Since many users want to protect themselves from being tracked by websites, Google Chrome is testing an option to allow or block censors for websites in the Canary.

These features will be available to both Android and desktop users, giving them the option to choose whether websites should know the speed and light sensors, and if the website starts getting information about things like light sensors in Chrome. There may be danger messages

And while you will be reading this post, this feature will be available in Chrome.

View this post on Instagram

A post shared by Kumar Atul Jaiswal ™ (@h4cking_truth.in_) on Jun 21, 2020 at 9:07pm PDT

And you should not forget to check this post, this is also part of motion in censor motion or light and do not forget to follow

How this feature would work

The feature, enabled by default, can be accessed from the 'Content' section in browser settings.

Meaning, whenever you open a page accessing sensors, the browser will generate an omnibox pop-up, similar to the one that opens for GPS or mic permissions, notifying about the access.

It will have two options: either allow sensor access for the page or block it permanently for that page.



Information


Per-site control only for desktop users

As of now, sensor access for individual websites can only be controlled on the desktop version of Chrome Canary. Android users, as HackingTruth.in(Kumaratuljaiswal) screenshots indicated, will get a single toggle to control access for all websites at once.

When this feature will be available

According to Chromium developers' message board, the feature has been targeted for Chrome 75.

As of now, the browser is on version 73, which means it might be a few months before it debuts in a stable release.

Also, in addition to this feature, Google has also been testing a dark mode for Chrome which would also recolor web pages.

Disable Motion Sensors

Load chrome://settings/content/sensors in the Chrome address bar(Computer/Smartphone).

Doing so opens the Sensor permissions in the browser.

Toggle "Allow sites to use motion and light sensors" to enable or disable Sensors globally.

Disclaimer

 

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.







            
    


I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

The health and privacy of the Arogya Setu app is causing a lot of controversy. On Tuesday, Elliot Alderson, a French hacker and cyber security expert, claimed that there were flaws in the security of the sanatorium bridge app, while now Elliot Alderson claimed to have hacked the sanatorium bridge app. Alderson claimed in a tweet that the health of five people in the Prime Minister's Office is not well. Aarogya Setu app hacked, hacker Elliot Alderson said - five people are ill in PMO

 

What did Elliot Alderson claim?

Elliott Alderson has tweeted that the Arogya Setu app is an open source app. He has also claimed that the health of five people in the PMO office is bad and they got this information from the Arogya Setu app. Alderson has also claimed that 2 people are unwell at the headquarters of the Indian Army, one man in
Parliament is infected with Corona and three people in the Interior Ministry.

This is the issues. I will give a technical explanation later today in an article

— Elliot Alderson (@fs0c131y) May 6, 2020

Explain that Union Minister Ravi Shankar Prasad has termed the opposition's questions and allegations on the Arogya Setu App as baseless. Union IT Minister Prasad said that this app is very strong in terms of data and privacy protection. Prasad said, 'This is India's technological innovation and is effective in fighting Covid-19.





Congress MP Rahul Gandhi also alleged a few days ago that the 'Arogya Setu' app is a state-of-the-art surveillance system, which is causing serious concerns about privacy and data security. Rahul gandhi said in the tweet that the Arogya Setu is a state-of-the-art monitoring system that has been outsourced to a private operator and has no institutional investigation.

And yes, yesterday:
- 5 people felt unwell at the PMO office
- 2 unwell at the Indian Army Headquarters
- 1 infected people at the Indian parliament
- 3 infected at the Home Office

Should I continue?

— Elliot Alderson (@fs0c131y) May 6, 2020

He said that this is causing serious concerns about data security and privacy. Technology can help us stay safe but we should not be afraid to monitor them without the consent of the citizens.


I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)