Hacking, AppSec, and Bug Bounty newsletter
2017-04-12 | PINlogger.js, Project Zero wifi exploit part deux, and Jenkins security update
Wednesday, April 12
Hack the planet!
TODAY’S TOP STORY
If you tilt it juuust right… boom, passwords appear! No, really. PINs and passwords can be stolen just by watching the way a phone tilts. PINlogger.js was tested on 50 phones and by the 3rd attempt guessed a user’s mobile PIN with 99.5% accuracy. It works by listening to the motion and orientation sensor streams of the mobile device, analysing these streams, and inferring the user’s PIN using an artificial neural network.
Login bypass on travel.██████████ aka "Harvest Spring Summit 2017" [11 upvotes] - swag bounty for this report to Harvest by @michiel. Major kudos to both reporter (ahem, HackerOne co-founder Michiel Prins) and the company - they fixed a bug while at their Summit! Work hard, play hard everyone. Also, Harvest recognized the researcher with some cool swag, even though the bug was out of scope.
Client can redirect payment, causing payment discrepancy between Harvest and PayPal [15 upvotes] - $400 bounty for this report to Harvest by @jobert. Yes, it’s a Dutch domination on Zero Daily’s hacktivity highlights today - this report was by HackerOne co-founder Jobert Abma. Leading by example, hacking the planet. Beautiful report and PoC, as always, Jobert.
You can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.
TWEET OF THE DAY
Trump at CEO meeting today, per pool report - @ericgeller
OTHER ARTICLES WE’RE READING
Google’s Project Zero posted a follow-up to their wifi exploit, Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)
Don’t tell Mr. Robot, hackers can be a force for corporate good. Correction, hackers are already a force for corporate good. Glad we all agree.
If you’re using Jenkins, you need to read this: Jenkins Security Advisory
Applause to Finnish insurance company LocalTapiola for coordinating with Adobe on a recent fix. Adobe would like to thank LocalTapiola Bug Bounty Program and Avaus Marketing Innovations for reporting this issue (CVE-2017-2989) and for working with Adobe to help protect our customers.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
FYI man, alright. You could sit at home, and do like absolutely nothing, and your name goes through like 17 computers a day. 1984? Yeah right, man. That's a typo. Orwell is here now. He's livin' large. We have no names, man. No names. We are nameless!
20th Century Philosopher, Cereal Killer