Hacking, AppSec, and Bug Bounty newsletter

2017-06-23 | Airbnb OAuth tokens theft, Bug hunting with Burp Infiltrator, and Yahoo’s not-so-secret keys

Friday, June 23


Today we’re going rogue from our usual structure and highlighting three blog posts by researchers. Let’s call this PoC Fridays. Like it? Let us know what you think. Now for the good stuff:

  1. Authentication bypass on Airbnb via OAuth tokens theft by @arneswinnen. @Yaworsk tweeted “Interested in the thought process of someone who wins an @Hacker0x01 onsite hacking event? You're in luck - read this, it's awesome!” Well said, Pete.

  2. Behind enemy lines: Bug hunting with Burp Infiltrator by @salchoman. Boost your quiver of tools with Infiltrator-augmented testing via Burp. Demonstration of a zero-day in JetBrains’ TeamCity.

  3. Yahoo Small Business (Luminate) and the not-so-secret keys by @dawgyg. Collab hunt with @zlz (and using Bug Bounty Forum slack to collaborate). Go team.

You can see all the latest and greatest disclosures and bounties on (including nine new disclosures from the U.S. Department of Defense (like this one))!


Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties

Have a news tip / story to highlight? We’d love to hear about it. Email: 

Get this email forwarded to you? Click here to subscribe to the Zero Daily

Infiltrating applications might sound daunting, but a little attentiveness to when and how the infiltration is performed may yield exotic vulnerabilities and unexpected insights.



HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.