Hacking, AppSec, and Bug Bounty newsletter
2017-04-10 | Move over Mirai, Word 0-day, and hacking for charity
Monday, April 10
TODAY’S TOP STORY
The scary state of IoT security: Wi-Fi modems that send admin logins via SMS, ovens that won't turn off, and humidifiers that leak because of expired certs. And botnets. But wait, there's more: Move over Mirai: PDoS attack bots are randomly destroying IoT devices. Here's a video of the helpless devices being maliciously attacked.
Remote Command Execution on a DoD website [5 upvotes], reported to U.S. Dept of Defense by @wrench. A specially formatted URL led to RCE. These reports are light on detail, but they are a good example of limited public disclosure; the summaries are worth reading.
[app.informaticaondemand.com] XXE [19 upvotes] - swag bounty for this report to Informatica by @yarbabin. Better late than never: many months passed between report, fix, and public disclosure, but a simple exploit PoC and a pushed fix are for the good of the internet.
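The XXE item above mentions a "simple exploit POC" without reproducing it. The following is an added example, written for this page and taken neither from the report nor from the newsletter or Informatica, showing the bug class in Python's xml.sax: the same attacker-controlled document is parsed once with external general entities enabled (the vulnerable configuration) and once with the hardened default, alongside a cheap DOCTYPE pre-check. The secret file contents, the element names, and the NameCollector/parse_name/has_doctype/demo helpers are all constructed for this illustration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class NameCollector(handler.ContentHandler):
    """Gathers the character data inside the <name> element (constructed
    stand-in for whatever field the application actually reads)."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self._chunks = []

    def startElement(self, tag, attrs):
        if tag == "name":
            self._in_name = True

    def endElement(self, tag):
        if tag == "name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self._chunks.append(content)

    @property
    def name(self):
        return "".join(self._chunks)


def build_xxe_payload(secret_path):
    """Constructed attacker input: the internal DTD subset declares an
    external general entity pointing at a file on the parser's host, and the
    body references it where an ordinary user name is expected."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE user [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<user><name>&xxe;</name></user>\n' % secret_path
    )


def has_doctype(xml_bytes):
    """Pre-parse check: refuse any document carrying a DTD, since the DTD is
    where entities (external, or recursive billion-laughs ones) are declared.
    Substring matching is deliberately crude; it runs before any parser."""
    return b"<!DOCTYPE" in xml_bytes


def parse_name(xml_bytes, allow_external_entities):
    """Parse with xml.sax and return the text of <name>.

    allow_external_entities=True reproduces an XXE-vulnerable configuration
    (feature_external_ges on: SYSTEM entities are opened and inlined).
    False is the CPython 3.7.1+ default and the hardened setting; the
    reference is then skipped and contributes no text."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.name


def demo():
    """Write a throwaway secret, then parse the same payload both ways.
    Returns (text seen by the vulnerable parser, text seen by the hardened
    parser, whether the DOCTYPE pre-check would have rejected the input)."""
    fd, secret_path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("hunter2")  # constructed "secret" standing in for /etc/passwd
    try:
        payload = build_xxe_payload(secret_path).encode()
        leaked = parse_name(payload, allow_external_entities=True)
        safe = parse_name(payload, allow_external_entities=False)
        return leaked, safe, has_doctype(payload)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe, flagged = demo()
    print("vulnerable parser saw: %r" % leaked)
    print("hardened parser saw:   %r" % safe)
    print("DOCTYPE pre-check would reject input: %s" % flagged)
```

Run it as a script; the vulnerable parse returns the file contents as the user's "name", the hardened parse returns an empty string. The same two knobs exist in other stacks (for example `resolve_entities=False` on lxml's `XMLParser`); when an application never needs a DTD, rejecting DOCTYPE outright, or parsing through defusedxml, removes the whole class rather than one entity type.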
You can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.
TWEET OF THE DAY
The TP-Link M5350 has an XSS exploit via text message. Responds with admin password in clear text. Lovely. - @terrajobst
OTHER ARTICLES WE’RE READING
Global DDoS threat landscape: the economic aspect of DDoS as criminal activity.
As if college isn't expensive enough - FAFSA application exploited
How hackers became a new breed of bounty hunters in cybersecurity. Hacker power [insert fist bump emoji here]
At least it’s not “Oauth”. Intel Security is McAfee again
Yo hackers, check out this list of hack tools curated by Craig Smith
Disable telnet and use SSH instead: CVE-2017-3881
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Now my rogue PCI-E device can inject DXE phase UEFI drivers into the victim machine's boot sequence while the IOMMU is still not configured by the OS
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.