Hacking, AppSec, and Bug Bounty newsletter
2017-05-23 | Bechler’s 13, tweet as any user, and biometric auth fail
Tuesday, May 23
Have an amazing day!
Survey of #javadeser RCE vulns/exploits across 13 different Java serialization technologies by Moritz Bechler. Full paper as well as payload generation tools are available at: https://www.github.com/mbechler/marshalsec/.
[URGENT] Opportunity to publish tweets on any twitters account [55 upvotes] - $7,560 bounty for this report to Twitter by @kedrisch. Flaw in the handling of Twitter Ads Studio requests would allow an attacker to tweet as any user. Technical details.
A HackerOne employee's GitHub personal access token exposed in Travis CI build logs [32 upvotes] - $2,000 bounty for this report to HackerOne. Hey, nobody’s perfect, that’s why bug bounties!
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
The 5 types of stock footage you’ll see on the news after a cyberattack - @vicenews
OTHER ARTICLES WE’RE READING
MIT cyber research teams get $1.5M grant
Modernizing digital trade … prioritize cyber in NAFTA
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
Understanding the nuance of cybersecurity risk in our critical infrastructure will help policymakers assure that the proper incentives are in place to reduce the threat of catastrophic attacks.