Hacking, AppSec, and Bug Bounty newsletter
2017-05-15 | WannaCry, Twitter IDOR, and cyber insurance lawsuits
Monday, May 15
Welcome to CyberAttack Monday (may the rest of your week be better than today)!
Holy ransomware batman: WannaCry targets span the globe: NHS hospitals across England hit by large-scale cyber-attack, an accidental hero who slowed it down, but new variants detected. This is a plot that reads like a bad cyber spy novel. Good news though, Microsoft has guidance for the WannaCrypt attacks (update your ish). And don’t say we didn’t warn you this could happen.
Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks [29 upvotes] - $512 bounty for this report to Discourse by @Ziot. By manually modifying the backup tar archive and adding a symlink, an admin restoring that backup could read any file the application’s user has permission to read.
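The defensive side of that report, as an added example that is not part of the newsletter or of Discourse’s own code: before restoring a backup archive, audit its members and refuse link entries, special files and paths that escape the restore directory. The archive contents and the destination path here are constructed for illustration.

```python
import io
import os
import tarfile


def unsafe_members(archive: tarfile.TarFile, dest: str):
    """Return (member_name, reason) for every entry that must not be restored."""
    dest_real = os.path.realpath(dest)
    problems = []
    for m in archive.getmembers():
        # Symlinks and hardlinks let an archive point at files outside the backup.
        if m.issym() or m.islnk():
            problems.append((m.name, "link entry"))
            continue
        if m.isdev() or m.isfifo():
            problems.append((m.name, "special file"))
            continue
        # Absolute names and '..' components would write outside the destination.
        target = os.path.realpath(os.path.join(dest_real, m.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            problems.append((m.name, "path escapes destination"))
    return problems


def audit_backup(buf: io.BytesIO, dest: str):
    """Open an in-memory archive and list the entries a restore must reject."""
    with tarfile.open(fileobj=buf, mode="r") as tf:
        return unsafe_members(tf, dest)


def build_backup(entries):
    """Build a constructed tar in memory from (name, text) or (name, ('sym', target))."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, spec in entries:
            info = tarfile.TarInfo(name)
            if isinstance(spec, tuple) and spec[0] == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = spec[1]
                tf.addfile(info)
            else:
                data = spec.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

A restore routine should call `audit_backup` and abort on a non-empty result rather than extracting and cleaning up afterwards, since the link is already in place once extraction has happened.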
[IDOR][translate.twitter.com] Opportunity to change any comment at the forum [27 upvotes] - $1,120 bounty for this report to Twitter by @kedrisch. Reported, fixed, and bountied 6 months ago but publicly disclosed over the weekend (playbook for other co’s looking to leverage the benefit of public disclosure - statutory period of 6 months? Just a thought).
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
Photos of WCry-infected computers at the Russian Interior Ministry are revealing some interesting folders in screenshots. - @kevinrothrock
OTHER ARTICLES WE’RE READING
Reversing the ransomware: Matt Suiche’s technical writeup on Medium.
The tech giants have huge resources, but bounty hunters are better placed to discover many security flaws.
Law firm purchases cyber insurance. Becomes victim to ransomware. Sues cyber insurance provider for 3-months of lost business.
United Airlines cockpit codes exposed.
Perry Metzger has some great advice for your friends that don’t know much about computers.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker-focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
“...you know that a good, long session of weeping can often make you feel better, even if your circumstances have not changed one bit.”
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker-powered security testing solutions or Contact Us today.