Update: Fixed proof of concept link. Background This research project started back in July 2023, at around the same time when a critical vulnerability in a popular file-sharing software called MoveIt Transfer was disclosed. More details about that particular vulnerability can be found here and here. I was curious and looked for other similar file-sharing software with security issues. And so a few Google searches later, I found a candidate, a software for enterprises called MFT Server by JSCAPE....

This is the first in the series of hacking Amazon’s eero 6 (3rd generation) Wi-Fi device. In this post I will be focusing on device disassembly, identifying pins, brute forcing JTAG, and reading serial output. The second part of the blog can be found: https://markuta.com/eero-6-hacking-part-2/ About Eero is a San Francisco-based wireless Internet company founded in 2015. It is known for making household consumer Wi-Fi products. The company was acquired by Amazon in 2019 for $97 million....

A short guide on how to block the entire .zip TLD using pfSense. In particular using a package called pfBlocker-NG, which can be thought of as a “PiHole” alternative. pfBlocker-NG is capable of much much more but won’t be covered in this blog. Why is .zip TLD a problem? It’s simple really, Phishing. Whether it’s abusing a HTTP URI scheme or using special unicode characters, having a .zip TLD which has always been attributed to the compression file extension is just a bad idea....

PayPal’s Help Center - Technical Support post shows how Passkeys work on its platform and how users can add new security devices, this covers both iOS and Android but also desktop systems too. It also goes into more detail on what to do when you’ve lost your device, and much more. TL;DR: As of 26th May 2023, PayPal only supports external security “Passkeys” keys (such as Yubikeys) for two-factor authentication. Passkeys on mobile devices like iOS or Android still do NOT work, even though you can register one....

This is a short blog post on how you can get root access on a Android 12 emulated device with Google services, using a tool (script) called rootAVD by newbit1. I also share a few recommendations which are helpful during mobile analysis. Android Studio For mobile analysis I generally use my Google Pixel 3a device. However, sometimes I will try to avoid it if I can, especially when I’m only curious about an app’s network traffic or API endpoints....