Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Password Reset vulnerability in www.facebook.com, which can be exploited by an attacker to bypass certain security restrictions.
In normal circumstances, an authenticated Facebook user is required to enter his/her current password on the change password page to prevent an unauthorized person from changing the password without the user's knowledge. However, an attacker can change/reset a user's password without knowing the user's current password.
Proof of concept
Step 1: Access this URL directly: https://www.facebook.com/hacked
Step 2: After that, the page will be redirected to https://www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked and the attacker can click "Continue" to change/reset the user's password.
Step 3: Enter "New Password" and "Confirm Password" to change/reset the password.
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Blind SQL Injection vulnerability in careers.microsoft.com, which can be exploited by an attacker to conduct Blind SQL injection attacks.
Proof of concept
URLs which will cause a time delay of 25 seconds are provided below:
Conclusion
This vulnerability has been confirmed and patched by the Microsoft Security Team. I would like to thank them for their quick response to my report.
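The root cause behind a time-delay (blind) SQL injection is user input concatenated into SQL text. The following is an added example, not code from the advisory or from Microsoft; the `jobs` table, the column names and the `search_jobs_*` functions are assumptions standing in for an unknown backend. It shows the vulnerable concatenation beside the parameterized form so the difference in behaviour can be observed on a constructed in-memory database:

```python
import sqlite3


def make_db():
    """Constructed sample database (assumption: a jobs table with a title column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO jobs (title) VALUES (?)",
        [("Security Engineer",), ("Data Scientist",), ("Program Manager",)],
    )
    conn.commit()
    return conn


def search_jobs_unsafe(conn, keyword):
    """Vulnerable pattern: the keyword becomes part of the SQL statement itself,
    so quotes, OR clauses and comment markers in the input change the query logic."""
    sql = "SELECT id, title FROM jobs WHERE title LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def search_jobs_safe(conn, keyword):
    """Hardened pattern: the keyword is bound as a parameter. Whatever it contains,
    the database treats it as a string value to compare against, never as SQL."""
    sql = "SELECT id, title FROM jobs WHERE title LIKE ?"
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


def compare(keyword):
    """Run the same input through both variants and return the row counts."""
    conn = make_db()
    try:
        return len(search_jobs_unsafe(conn, keyword)), len(search_jobs_safe(conn, keyword))
    finally:
        conn.close()


if __name__ == "__main__":
    # A plain keyword behaves the same in both variants.
    print(compare("Security"))
    # A tautology with a comment marker makes the concatenated query return every row,
    # while the parameterized query looks for the literal text and returns nothing.
    print(compare("x' OR 1=1 --"))
```

The same principle applies to the time-based variant in the advisory: once the input is bound as a parameter, no database-side delay function can be smuggled into the statement, so the 25-second response that reveals the injection point disappears along with the injection itself. Parameterization should be combined with a least-privilege database account so that any remaining injection has limited reach.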
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered an Arbitrary File Upload vulnerability in attachments.facebook.com, which can be exploited by an attacker to compromise a victim's computer system.
Conclusion
This vulnerability has been confirmed and patched by the Facebook Security Team. I would like to thank them for their quick response to my report.
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting (XSS) vulnerability in connect.microsoft.com, which can be exploited by an attacker to conduct XSS attacks.
Proof of concept
Tested in IE9 with XSS filter enabled:
http://connect.microsoft.com/sqlserver/searchresults.aspx?UserHandle=%2522%253E%2527%253E%253Cscript%2520%253Ealert%2528/XSS by Sow Ching Shiong/%2529%253B%253C%252Fscript%2520%253E
Conclusion
This vulnerability has been confirmed and patched by the Microsoft Security Team. I would like to thank them for their quick response to my report.
Description
Sow Ching Shiong, an independent vulnerability researcher, has discovered a Cross-Site Scripting (XSS) vulnerability in twitter.com, which can be exploited by an attacker to conduct XSS attacks.
Proof of concept
https://twitter.com/intent/follow?original_referer=javascript:alert(document.cookie);&region=follow_link&screen_name=twitterapi&source=followbutton&variant=2.0
Conclusion
This vulnerability has been confirmed and patched by the Twitter Security Team. I would like to thank them for their quick response to my report.
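The two XSS advisories above (connect.microsoft.com and twitter.com) show the two common reflection contexts: a search parameter echoed into page text, and a referer-style parameter emitted as a link target. The following is an added example and not code from either advisory or vendor; the function names, the `ALLOWED_SCHEMES` set and the rendering templates are assumptions. It demonstrates the two defences a practitioner would apply: an allowlist of URL schemes for anything that becomes an `href`, and context-appropriate HTML escaping for anything that becomes page text or an attribute value.

```python
import html
from urllib.parse import urlsplit, unquote

# Assumption: only plain web URLs are acceptable as a link target.
# Anything else (javascript:, data:, vbscript:, schemeless or relative input) falls back to a safe default.
ALLOWED_SCHEMES = {"http", "https"}


def safe_referer(value, fallback="/"):
    """Return the value only if it parses as an absolute http(s) URL, else the fallback."""
    if value is None:
        return fallback
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return fallback
    return value.strip()


def render_follow_link(original_referer):
    """Emit a back-link for a parameter such as original_referer.
    Scheme allowlisting stops javascript: URLs; attribute escaping stops breaking out of the quotes."""
    target = safe_referer(original_referer)
    return '<a href="%s">Back</a>' % html.escape(target, quote=True)


def render_search_heading(user_handle):
    """Reflect a search parameter such as UserHandle into HTML text.
    The value is URL-decoded exactly once here (a web framework normally does this
    for you) and then HTML-escaped for the context it is written into."""
    decoded = unquote(user_handle or "")
    return "<h2>Results for %s</h2>" % html.escape(decoded, quote=True)


if __name__ == "__main__":
    # Constructed inputs modelled on the two advisories' proof-of-concept parameters.
    print(render_follow_link("javascript:alert(document.cookie);"))
    print(render_follow_link("https://twitter.com/twitterapi"))
    print(render_search_heading("%22%3E%27%3E%3Cscript%3Ealert(1)%3C/script%3E"))
```

Two design points: the referer check is an allowlist of schemes rather than a blocklist of dangerous ones, so unusual or mixed-case schemes are rejected by default; and escaping happens at the output site with knowledge of the context (attribute vs text), which is what a browser-side XSS filter such as the one noted as enabled in IE9 cannot be relied upon to provide.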