2017-05-09 | Party like it’s patch Tuesday, Yahoo’s $2M bounties, and Mudge is on the move

Tuesday, May 9

Live it up. Patch it up.

TOP STORY

MSFT patched the critical RCE in Windows Malware Scanner. It’s never good when the cop becomes the criminal (Microsoft's own antivirus software made Windows 7, 8.1, RT and 10 computers more vulnerable). Click that magical “Check Update” button now. Read more from Hacker News and then there’s also this.

HACKTIVITY

HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter [18 upvotes] - $560 bounty for this report to Twitter by @zlz. The image_src parameter accepting images from any arbitrary host, enabling attackers to supply image destinations that respond with a "HTTP 401 Unauthorized" response.
Второй способ обхода 2FA [5 upvotes] - $1,050 bounty for this report to VK.com by @povargek. Cool to see reports in other languages, in this case, Russian! Also, reminder any company can disclose reports with limited and/or redacted information. Disclosure FTW!

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.

OTHER ARTICLES WE’RE READING

Booya. Yahoo’s paid out over $2M in bug bounties.
Tabletop scenarios help identify areas of unknown risk
Hacker’s win, bugs lose - TEDX talk by @rojanrijal, teen who hacked the Pentagon
Spies like us: DataTribe
ITL Bulletin for May 2017 and NIST Special Publication 1800-8 (securing wireless infusion pumps)
Mudge on the move

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

Tabletop scenarios are an efficient means of communicating risk. They can help clarify requirements, unify disparate teams on specific risk, and provide a citable inspiration for the work we do and the controls we build.

@Magoo

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.