ZERO DAILY

Hacking, AppSec, and Bug Bounty newsletter

2017-05-17 | RB455, The Wyden way, and IoT hall of shame

Wednesday, May 17

Greetings from Amsterdam! Gearing up for h1-3120 (ala h1-415), TNW, and Wired Money this week.

TOP STORY

  • RB455 is up, and it’s all about your garden variety ransomware taking over the world. “North Korea is ransomwaring things with NSA exploits stolen by the Russians and is asking for made up money (aka cryptocurrency)”. Crazy world we’re living in that that statement has any plausibility. What if this was an actual 0-day? Was this a fire drill? Patrick and Adam ask these questions and dissect all things WannaCry.

HACKTIVITY

  • Reflected XSS in error pages (NC-SA-2017-008) [23 upvotes] - $450 bounty for this report to Nextcloud by @sinkmanu. Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.

  • Reflected XSS in login redirection module [8 upvotes]- $250 bounty for this report to PornHub by @aghora. The researcher discovered an XSS in the redirect parameter of the front controller which executes upon redirection.

You’ll see a LOT more of hacktivity on our site: program profiles have been hacktivated and hacktivity is now in the top nav on marketing site. Enjoy.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.

OTHER ARTICLES WE’RE READING

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

 

We the tech industry have to solve this because you can’t expect the one IT guy at the hospital to fix it. Chromebooks for all hospitals could be the cry.

Risky Business