- 12 May 2014
HackLab 2014 - The JaegerBomber
An experimental project called the JagerBomber attempted to create a quadcopter controlled by an Android phone using OTG functionality and an Arduino. The team aimed to develop a drone capable of navigating and potentially delivering alcohol, but technical challenges prevented a successful launch. The project explored Android's capabilities for serial communication and drone control, demonstrating complex technical integration challenges.
- 12 May 2014
HackLab 2014
HackLab 2014 was an internal hacking event featuring three technical projects. Projects included building a quadcopter, developing a mysterious hardware project, and exploring hard drive firmware hacking. Participants collaborated in the Basingstoke offices, fueled by pizza and caffeine to tackle innovative technical challenges.
-
Alex Plaskett - 14 Apr 2014
Windows Phone 8 Application Security Slides Syscan 2014
MWR researchers Alex Plaskett and Nick Walker presented slides at Syscan 2014 analyzing Windows Phone 8 application security. The presentation covered novel vulnerabilities in mobile app development. Slides provide programmatic guidance for developers to improve Windows Phone 8 application security.
- Alex Plaskett
- 14 Apr 2014
Windows Phone 8 Application Security Whitepaper Syscan 2014
A whitepaper on Windows Phone 8 application security was presented at Syscan 2014. The research identified common developer mistakes that introduce security vulnerabilities in Windows Phone 8 applications. The whitepaper provides guidance on detecting and mitigating specific application security weaknesses in the platform.
- 11 Apr 2014
Laravel cookie forgery, decryption, and RCE
A critical vulnerability in Laravel's encryption API allowed attackers to forge session cookies and impersonate users. The flaw enabled potential remote code execution by exploiting weaknesses in MAC verification, IV handling, and PHP object deserialization. Attackers could manipulate cookies to authenticate as any user and potentially inject malicious code through serialized PHP objects.
- 11 Apr 2014
WordPress auth cookie forgery
A vulnerability in WordPress's authentication cookie validation allows potential cookie forgery through PHP type juggling. The flaw enables attackers to bypass authentication by exploiting non-strict comparison methods in the cookie verification code. Two attack vectors were identified: MAC verification bypass and potential timing attacks to determine expected MAC values.
- 8 Apr 2014
HackFu Challenge 2014
HackFu 2014 is a prestigious hacking event offering 10 invitations to cybersecurity professionals. The challenge involves solving puzzles and tracking down an enemy agent named Ilichy. Participants can win entry to a multi-day hacking competition in the UK, with potential prizes including event admission, accommodation, and travel support.
- 20 Dec 2013
Google AdMob Ad Library - Arbitrary Intent Activity Invocation
A vulnerability was discovered in the Google AdMob SDK for Android that allows attackers to manipulate Intent Activities by injecting JavaScript into a WebView. The vulnerability enables arbitrary activity invocation by controlling multiple parameters passed to the 'startActivity' method. Potential remote exploitation can occur by targeting exposed activities in other Android applications.
- John Fitzpatrick Luke Jennings
- 20 Dec 2013
Hack the Gibson - Deepsec Edition
A presentation at Deepsec 2013 explored security vulnerabilities in supercomputer technologies. John Fitzpatrick and Luke Jennings from MWR discussed potential attacks against common supercomputer systems. The presentation slides are available for download, providing insights into supercomputer security challenges.
- 20 Dec 2013
HackFu 2013: The Movie
A teaser video for HackFu 2013 was released, presenting a puzzle for viewers to solve without hacking or brute force methods. The video hints at the upcoming HackFu 2014 event scheduled for June 26-28, 2014. Participants are challenged to solve the puzzle while allowing others the opportunity to do so independently.
- 20 Dec 2013
PontiFlex Ad Library - Remote JavaScript Command Execution
A critical vulnerability was discovered in the PontiFlex ad library for Android that enables remote JavaScript command execution. The flaw allows attackers to download and execute arbitrary code, perform directory traversal, and potentially steal files from mobile applications through manipulated WebView JavaScript interfaces. The vulnerability impacts Android apps using the PontiFlex ad library, potentially exposing millions of users to remote code execution risks.
- 29 Nov 2013
Advanced Persistent Timelords
A thought experiment explores cybersecurity challenges if attackers could manipulate time. The analysis examines potential vulnerabilities in physical access, document security, personnel management, and digital systems under a hypothetical temporal manipulation scenario. The exploration demonstrates how traditional security controls would break down if an attacker could jump to different points in time or pause time itself.