Hi. đź‘‹

My name is Naz Markuta and I work in cyber security. This website serves as a personal blog where I share my experiences and occasional guides in various topics (mostly in IT). I’ve tried to keep this blog clean and purely content focused.

Exploiting a JDBC deserialization vulnerability in JSCAPE MFT Server

Background This research project started back in July 2023, at around the same time when a critical vulnerability in a popular file-sharing software called MoveIt Transfer was disclosed. More details about that particular vulnerability can be found here and here. I was curious whether other similar file-sharing software had security issues. And so a few Google searches later, I found a candidate, a software for enterprises called MFT Server by JSCAPE....

22 March, 2024 Â· 10 min Â· Naz Markuta

Hacking Amazon's eero 6 (part 1)

This is the first in the series of hacking Amazon’s eero 6 (3rd generation) Wi-Fi device. In this post I will be focusing on device disassembly, identifying pins, brute forcing JTAG, and reading serial output. About Eero is a San Francisco-based wireless Internet company founded in 2015. It is known for making household consumer Wi-Fi products. The company was acquired by Amazon in 2019 for $97 million. Device Specification eero 6 (3rd gen 2020) device specification....

15 June, 2023 Â· 25 min Â· Naz Markuta

How to block .zip domains with pfSense

A short guide on how to block the entire .zip TLD using pfSense. In particular using a package called pfBlocker-NG, which can be thought of as a “PiHole” alternative. pfBlocker-NG is capable of much much more but won’t be covered in this blog. Why is .zip TLD a problem? It’s simple really, Phishing. Whether it’s abusing a HTTP URI scheme or using special unicode characters, having a .zip TLD which has always been attributed to the compression file extension is just a bad idea....

25 May, 2023 Â· 3 min Â· Naz Markuta

PayPal and Passkeys issues since launch

PayPal’s Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you’ve lost your device, and much more. TL;DR: As of 26th May 2023, PayPal only supports external security “Passkeys” keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one....

25 May, 2023 Â· 3 min Â· Naz Markuta

Getting root on an Android 12 emulated device with Google Services

This is a short blog post on how you can get root access on a Android 12 emulated device with Google services, using a tool (script) called rootAVD by newbit1. I also share a few recommendations which are helpful during mobile analysis. Android Studio For mobile analysis I generally use my Google Pixel 3a device. However, sometimes I will try to avoid it if I can, especially when I’m only curious about an app’s network traffic or API endpoints....

15 April, 2023 Â· 2 min Â· Naz Markuta