2017-04-03 | DOMXSS, math.js vuln, and Germany’s new cyber command

Monday, April 3, 2017

Sint Maarten is beautiful this time of year. While those lucky guys and gals at Kaspersky’s SAS 2017 summit are slumming it in the Caribbean, we get to do some real work this week. Make it a good one!

TODAY’S TOP STORY

Great blog about a vulnerability in math.js, an open source library: How we exploited a remote code execution vulnerability in math.js. Key intuition that led to vuln discovery? ‘Function’ can be accessed indirectly as the constructor of an existing function. The structure of the post is great: Discover, Exploit, Report [then post blog].

HACKTIVITY

DOMXSS in Tweetdeck [26 upvotes] - $1,120 bounty for this report to Twitter by @filedescriptor. Details, POC, Fix. Great formula. (And yes, apparently Tweetdeck still exists).

As always, you can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.

OTHER ARTICLES WE’RE READING

Thought piece: FBI Arrests Hacker Who Hacked No One
Black box discovery of memory corruption RCE on box.com. Check out the sidenote’s comp to Dropbox. Incident response matters.
EFF backpedals on Verizon post. UPDATE: Verizon Software on Android Phones.
I Know Why You Went to the Clinic - Research paper on HTTPS Traffic Analysis.
Nouve warefare. Germany creates separate military wing for cyber command. This quote stood out: “The cyber command will be launched next week with an initial staff of 260 which is expected to grow to 14,500 by 2021.”
Kaspersky’s Security Analyst Summit is off and running in Sint Maarten and it’s all tron. Follow along in envy at #TheSAS2017 hashtag on twitter.

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good emails to themselves - forward to your friends and colleagues for maximum enjoyment. Want to see who else runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

“Really stay away from the fear, and uncertainty and doubt on the business. Don’t go FUD. Really what you want to do is talk about making your customers love the experience while at the same time feeling good about their privacy and security can actually be a market differentiator.”

Theresa Payton, Fortalice CEO, former CIO at The White House

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.