Hacking, AppSec, and Bug Bounty newsletter
2017-05-18 | PATCH Act, Mar-a-Vuln, and raspberry pi teddy bear hack
Thursday, May 18
Goedemorgen. Early posts this week as we write #zerodaily from Amsterdam. Have a great day!
PATCH Act would create a vulnerability equities review board for USG held vulns. This would codify and strengthen the existing Vulnerabilities Equities Process (VEP) that was established by the Obama Administration. Oh, Washington and their acronyms.
password reset token leaking allowed for ATO of an Uber account [35 upvotes] - $10,000 bounty for this report to Uber by @procode701. With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request.
Inti De Ceukelaire had himself a day yesterday - $10,500 in bounties!
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
OTHER ARTICLES WE’RE READING
Scholarship competition for kids to get a free trip to Black Hat.
Cyber deals, deals, deals
This week’s Threatwire, via Hak5
11-year old hacker Reuben Paul hacked into his teddy bear with a raspberry pi.
Facebook bug - determine a user from a private phone number
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
If it’s facing the external web or can be easily accessed from the internal network, you should assume everyone can access it.