ZERO DAILY

Hacking, AppSec, and Bug Bounty newsletter

2017-04-10 | Move over Mirai, Word 0-day, and hacking for charity

Monday, April 10

Goedemorgen!

TODAY’S TOP STORY

HACKTIVITY

  • Remote Command Execution on a DoD website [5 upvotes] for this report to U.S. Dept Of Defense by @wrench. Specially formatted URL led to RCE. These reports are light on info, but good example of limited public disclosure. Summaries are good to read.

  • [app.informaticaondemand.com] XXE [19 upvotes] - swag bounty for this report to Informatica by @yarbabin. Better late than never, many months before fix and public disclosure but simple exploit POC and fix pushed is for the good of the internet.

You can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.

TWEET OF THE DAY

  • The TP-Link M5350 has a XSS exploit via text message. Responds with admin password in clear text. Lovely. - @terrajobst

OTHER ARTICLES WE’RE READING

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Now my rogue PCI-E device can inject DXE phase UEFI drivers into the victim machine boot sequence while IOMMU is still not configured by OS

Dmytro Oleksiuk


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.