Hacking, AppSec, and Bug Bounty newsletter
2017-04-05 | Autokey cipher, 2FA bypass with Burp, and OMG OAuth?
Wednesday, April 5, 2017
Happy birthday Blaise de Vigenère!
TODAY’S TOP STORY
Tim Berners-Lee won the A.M. Turing Award, but he’s not happy. See why in the QZ article: All the things wrong with the web today, according to its inventor. Three things in particular got him in a twist: advertising on the web, social networks’ abandonment of truth, and our not-so-private personal data. Don’t worry, he’s got some solid ideas on what to do about it.
Rate limiting of incorrect Two Factor Authentication codes not enforced [19 upvotes] - $768 bounty for this report to Trello by @kartik1202. The hacker used Burp Suite Intruder to get the code sent to the registered mobile number.
[Android] XSS via start ContentActivity [17 upvotes] - $150 bounty for this report to Quora by @bobrov. Sergey makes an appearance in our top reports for the second day in a row. This report stands out because of its detail (including screenshots) and mobile focus.
As always, you can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.
OTHER ARTICLES WE’RE READING
Latest from Project Zero: Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)
Does noise effectively prevent covert channels? Blast Adele and read Hello from the other side: SSH over Robust Cache Covert Channels in the Cloud. Researchers achieve covert channel transmission rates of more than 45 KBps on Amazon EC2, which is 3 orders of magnitude higher than previous covert channels demonstrated on Amazon EC2.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker-focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good emails to themselves - forward to your friends and colleagues for maximum enjoyment. Want to see who else runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
“People in the same family who live in different cities need to be able to communicate privately without it being intercepted. Really, it is a human right. You can’t mess with human rights like that without massive unexpected and very disastrous consequences.”
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management.