Hacking, AppSec, and Bug Bounty newsletter
2017-05-31 | HTTPS by default, Malware as a service, and AES-GCM-SIV
Wednesday, May 31
Wednesdays are for work! Make it a productive day.
HTTPS by default. Recent converts are NASA and The Verge, according to the latest Feisty Duck Newsletter. Ars Technica made the switch in January. Stack Overflow’s Nick Craver shares that the final cutover was literally like “flipping a switch”, but it took years of work to get to that point. A recent study found that HTTPS has been effective in Wikipedia’s effort to resist government censorship. For the best source of information, check out Scott Helme, who has also created a free reporting service to help companies with their migration to encrypted traffic.
XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" [47 upvotes] - $3,000 bounty for this report to Shopify by @bored-engineer. That pesky window.postMessage. Reminds us of a report by a certain Swedish hacker that was submitted to a popular messaging app. And, full disclosure, this report by Luke Young is so beautiful it makes us tear up just a little bit.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
The number of sites in the Alexa Top 1 Million deploying HPKP recently jumped from 187 to 6,616! A 3,438% increase! @Scott_Helme
OTHER ARTICLES WE’RE READING
RFID Hacking with The Proxmark 3. Convert your building access card into a little key fob and more
Malware as a service via Shadow Brokers. Starting at 100 Zcash per month.
Pick up The Hardware Hacker book by bunnie for your summer reading
AES-GCM-SIV, “this month in cryptography” by ImperialViolet
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
The Shadow Brokers “are foreign intelligence, and the continued requests for money are all geared towards plausible deniability that they are intel.”