Hacking, AppSec, and Bug Bounty newsletter
2017-05-30 | TravelMode by 1Password, 2FA’s Achilles’ heel, and Vape pen exploits
Tuesday, May 30
Welcome to the unofficial start of summer!
Take note, jetsetters: 1Password has a new “TravelMode” to keep your data safe across international borders. Inspired by Basecamp. Scott Piper has some thoughts on this as well (see “border crossings and travelmode”).
Reflected XSS in <any>.myshopify.com through theme preview [43 upvotes] - $2,000 bounty for this report to Shopify by @zombiehelp54. Reflected XSS that could be triggered on the storefront of any Shopify store.
IDOR in editing courses [16 upvotes] - $300 bounty for this report to Maximum by @kieran. See the May 22nd comment by @bamie: the bug was upstream in a 3rd-party component, the issue was triaged and fixed, the hacker was bountied, everyone happy.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
Ethical hackers can help protect our data from bad actors by doing what they do best: hacking. That's why I introduced the Hack @DHSgov Act - @SenatorHassan
OTHER ARTICLES WE’RE READING
Magic file name brings up “blue screen of death”
UAC was Fundamentally Broken from Day 1 claims researcher
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
I consider reading HackerOne activity feeds good complementary reading to taking the security class at MIT