Thursday, April 20
Happy Thursday. Make it a great day!
TOP STORY
Krebs investigates diet pill spam originating from a DoD contractor. An employee clicked on some booby-trapped JavaScript links that snarfed the credentials on his machine and, voilà, a spammer has a new set of ‘legit’ email servers from a ‘legit’ company. If you get an email from Dan@gtacs[dot]com hawking diet pills, ignore it. Or, of course, you could always handle it like James Veitch.
HACKTIVITY
Missing Server Side Rate Limiting can Lead to VK Account Take over [11 upvotes] - $400 bounty for this report to VK.com from @mandy1394. The conversation details and POC are private, but the report is getting some upvote love. Love this quick summary by VK: “Insufficient flood control”. Brevity and clarity, FTW.
User Information Disclosure via REST API [4 upvotes] - no bounty for this report to ownCloud from @alykode. This is the internet - hackers are not always motivated by the almighty doubloon. Kudos to @alykode for reporting the issue and ownCloud for communicating explicitly with the researcher and disclosing the vulnerability report.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
Guide to computer viruses. - @ITSecurityguard
OTHER ARTICLES WE’RE READING
Lose your 2FA, securely regain access to your GitHub account: GitHub is open-sourcing its delegated account recovery implementation.
China Daily reports on how bounty platforms use white-hat hackers (featuring H1’s Ning Wang).
Hak5’s Darren Kitchen goes WiFi sniffing across the globe. Because captive portals are fun.
Dr. Dre would never do this
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
General, the machine has locked us out. It's sending random numbers to the silos.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker-powered security testing solutions or Contact Us today.