ZERO DAILY

Hacking, AppSec, and Bug Bounty newsletter

2017-04-20 | Diet pill spam, Guide to computer viruses, and Dr. Dre would never do this

Thursday, April 20

Happy Thursday. Make it a great day! 

TOP STORY

  • Kreb's investigates diet pill spam originating from a DoD contractor. Employee clicked on some boobytrapped JavaScript links snarfing credentials on his machine and voila, a spammer has a new set of ‘legit’ email servers from a ‘legit’ company. If you get an email from Dan@gtacs[dot]com hocking diet pills, ignore. Or, of course, you could always handle it like James Veitch.

HACKTIVITY

  • Missing Server Side Rate Limiting can Lead to VK Account Take over [11 upvotes] - $400 bounty for this report to VK.com from @mandy1394. Private conversation details and POC but getting some upvote love. Love this quick summary by VK: “Insufficient flood control”. Brevity and clarity, FTW.  

  • User Information Disclosure via REST API [4 upvotes] - no bounty for this report to ownCloud from @alykode. This is the internet - hackers are not always motivated by the almighty doubloon. Kudos to @alykode for reporting the issue and ownCloud for communicating explicitly with the researcher and disclosing the vulnerability report.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.

TWEET OF THE DAY

OTHER ARTICLES WE’RE READING

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

General, the machine has locked us out. It's sending random numbers to the silos.

McKittrick