Monday, April 17
Apparently holiday weekends bring big data dumps and big bug disclosures. Enjoy and make it a great week!
TODAY’S TOP STORY
What you need to know about the Shadow Brokers' latest dump: they're (probably) Russian, every affected vendor says the exploits are already patched or don't work, Fuzzbunch is the NSA's answer to Metasploit, and the group's name is likely a reference to the Shadow Broker, a character from the Mass Effect series.
HACKTIVITY
Remote Code Execution on Git.imgur-dev.com [50 upvotes] - $2,500 bounty for this report to Imgur by @orange. A static Rails secret key let the reporter forge signed cookies, and Rails' Marshal-based cookie deserialization turned that into RCE.
Multiple DOMXSS on Amplify Web Player [45 upvotes] - $2,520 for this report to Twitter by @filedescriptor. A javascript: URL was the attack vector in the Vine iframe player.
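The Imgur report above turns on one fact about Rails sessions: whoever knows the secret_key_base can mint cookies the server trusts, and if the cookie store deserializes with Marshal the attacker also chooses the class of the object the server instantiates. The Ruby below is an added example written for this newsletter, not code from the report, from Imgur, or from Rails. It reimplements the Rails 4 signed-cookie format (PBKDF2-derived key, HMAC-SHA1 over the Base64 payload, "data--mac") with plain OpenSSL so it runs without Rails, uses a constructed static secret and a harmless stand-in class rather than any real gadget, and contrasts the Marshal-backed store with a JSON-backed one.

```ruby
require "openssl"
require "json"

# Added example: a minimal re-implementation of the Rails 4 signed cookie
# format, written for this newsletter (it is not Rails' or the report's code).
#   cookie      = b64(payload) + "--" + hex(HMAC-SHA1(derived_key, b64(payload)))
#   derived_key = PBKDF2-HMAC-SHA1(secret_key_base, "signed cookie", 1000 iters, 64 bytes)

# Constructed stand-in for a secret that was baked into the app instead of
# being generated per deployment (hypothetical value, not any real key).
STATIC_SECRET_KEY_BASE = "0123456789abcdef" * 4

def derive_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, "signed cookie", 1000, 64)
end

def sign_cookie(secret_key_base, serialized_payload)
  data = [serialized_payload].pack("m0")          # strict Base64, like Rails
  mac  = OpenSSL::HMAC.hexdigest("SHA1", derive_key(secret_key_base), data)
  "#{data}--#{mac}"
end

# Constant-time comparison so a forger cannot recover the MAC byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the serialized payload if the MAC checks out, nil otherwise.
def verify_cookie(secret_key_base, cookie)
  data, mac = cookie.split("--", 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", derive_key(secret_key_base), data)
  return nil unless secure_compare(expected, mac)
  data.unpack1("m0")
end

# Vulnerable store: the payload is deserialized with Marshal, so whoever can
# sign a cookie also picks the Ruby class the server instantiates.
def load_session_marshal(secret_key_base, cookie)
  payload = verify_cookie(secret_key_base, cookie)
  payload && Marshal.load(payload)
end

# Hardened store: JSON only ever yields strings, numbers, arrays and hashes,
# so a forged cookie can lie about session data but cannot pick a class.
def load_session_json(secret_key_base, cookie)
  payload = verify_cookie(secret_key_base, cookie)
  payload && JSON.parse(payload)
end

# Harmless stand-in for an attacker-chosen class; a real attack would pick a
# class whose instantiation or later use has side effects.
class AttackerChosen
  attr_reader :note

  def initialize(note)
    @note = note
  end
end

# The forgery itself: with the static key the attacker signs a Marshal dump of
# a class of their choosing, and the server verifies and instantiates it.
def forge_marshal_cookie(secret_key_base)
  sign_cookie(secret_key_base, Marshal.dump(AttackerChosen.new("forged")))
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_marshal_cookie(STATIC_SECRET_KEY_BASE)
  puts load_session_marshal(STATIC_SECRET_KEY_BASE, forged).class        # AttackerChosen
  puts load_session_marshal("a per-deployment secret", forged).inspect   # nil: MAC fails
  legit = sign_cookie(STATIC_SECRET_KEY_BASE, '{"user_id":42}')
  puts load_session_json(STATIC_SECRET_KEY_BASE, legit).inspect          # {"user_id"=>42}
end
```

Two things follow from running it. The MAC does exactly its job: change the key and the forged cookie is rejected, so the fix for a leaked or static key is to rotate it per deployment (and never commit it). And the serializer decides the blast radius of a signing failure: with Marshal a forged cookie means attacker-chosen objects on the server, with JSON it means attacker-chosen session values and nothing more.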
You can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.
TWEET OF THE DAY
FUZZBUNCH IS NSA METASPLOIT!!!! I LOVE IT! THANK YOU @shadowbrokerss - @hackerfantastic
OTHER ARTICLES WE’RE READING
Internet: Whoa, MSFT 0-day. Microsoft: It's fixed. Internet: You sure about that? Microsoft: Yes
Motherboard asks, Why Did Microsoft Wait Six Months To Patch a Critical Word Zero-Day?
Q&A with the head of the Israel Defense Forces Cyber Division, his first interview according to Politico.
You can stop the engine of a moving vehicle by hacking into the Bosch Drivelog OBD-II dongle.
Publicity stunt or a security test? Popular YouTubers pwned.
Hack yourself first, interview with Troy Hunt. “Developers don’t really think too deeply about security”. Also, Troy created haveibeenpwned.com.
GitHub repo with the files from the Shadow Brokers dump: EQGRP_Lost_in_Translation
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Exclusive zero-days don't exist.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.