2017-04-20 | Diet pill spam, Guide to computer viruses, and Dr. Dre would never do this

Thursday, April 20

Happy Thursday. Make it a great day!

TOP STORY

Kreb's investigates diet pill spam originating from a DoD contractor. Employee clicked on some boobytrapped JavaScript links snarfing credentials on his machine and voila, a spammer has a new set of ‘legit’ email servers from a ‘legit’ company. If you get an email from Dan@gtacs[dot]com hocking diet pills, ignore. Or, of course, you could always handle it like James Veitch.

HACKTIVITY

Missing Server Side Rate Limiting can Lead to VK Account Take over [11 upvotes] - $400 bounty for this report to VK.com from @mandy1394. Private conversation details and POC but getting some upvote love. Love this quick summary by VK: “Insufficient flood control”. Brevity and clarity, FTW.
User Information Disclosure via REST API [4 upvotes] - no bounty for this report to ownCloud from @alykode. This is the internet - hackers are not always motivated by the almighty doubloon. Kudos to @alykode for reporting the issue and ownCloud for communicating explicitly with the researcher and disclosing the vulnerability report.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.

TWEET OF THE DAY

Guide to computer viruses. - @ITSecurityguard

OTHER ARTICLES WE’RE READING

Lose your 2fa, securely regain access to your GitHub account. GitHub is open sourcing their delegated account recovery implementation
China Daily reports on how bounty platforms use white-hat hackers (featuring H1’s, Ning Wang)
Hak5’s Darren Kitchen goes WiFi sniffing across the globe. Because, captive portals are fun.
Dr. Dre would never do this

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

General, the machine has locked us out. It's sending random numbers to the silos.

McKittrick

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.