Apple can Request Remote Access to the Device [ Privacy Research ]

-
Hello everyone,
My name is Ismail Tasdelen. As a security researcher. I have found that Apple can remotely access all of its products.
I gave my mom the old apple iphone 5s model phone to use. And this device is not connected to icloud. No icloud sessions are active. Let’s start talking.
Step by step:
{ https://developer.apple.com/account/ }In order to search for the vulnerability I wanted to access this site, then came the notification sound from the next room. My mother received a confirmation request on her phone. This is very strange because I’ve format the phone and icloud accounts were not active.
Mom phone [iPhone5s] Screenshot :



As this device shows, the icloud session is not active.
  1. We log in from the login panel below with your Apple ID.

login panel page
2. I have 2-step verification as follows. He wants a six-digit verification code from us.

verification page
3. We are entering the 6 digit verification code from the notification phone. And we continue to admit it.
If I didn’t have the phone. There is a second option. I can receive a verification request through a phone number defined in my Apple ID.
{*} The biggest problem here is that not although the apple ID is defined, the apple can access this device.

as we have seen, we have successfully passed the verification phase.

{ https://developer.apple.com/account/#/welcome} web application user dashboard page
Notes: This is not exactly a security vulnerability. But I think Apple company can provide remote access to devices.
This is the end of my blog! Thank you for taking the time to read (:

Bu blogdaki popüler yayınlar

Windows LNK File Analysis in Forensic System Reviews

-
Resim
The concept of Recent Files is used to describe the most recently accessed files by the user, and in a forensics review, determining which applications were viewed by the user most recently and which documents were viewed could be of critical importance in the event resolution. In a Windows operating system, a shortcut file for files opened by the user is created under the Recent directory in the profile directory associated with that user’s account. These files can be analyzed to determine which files the user last accessed. In particular, even if files that are deleted or wiped by the user cannot be accessed, the shortcut files associated with them can be accessed and retrieved information about them. Where LNK extension link files are stored varies depending on the operating system. These files : Windows XP : \Documents and Settings\UserName\Recent \Documents and Settings\UserName\Application Data\Microsoft\Office\Recent Windows Vista and Windows 7 : ...
Devamı

SQL Injection Payload List

-
Resim
In this section, we’ll explain what SQL injection is, describe some common examples, explain how to find and exploit various kinds of SQL injection vulnerabilities, and summarize how to prevent SQL injection. What is SQL injection (SQLi)? SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack. SQL Injection Type : In-band SQLi (Classic SQLi) :  In-band SQL Injection is the most co...
Devamı