ZERO DAILY

Hacking, AppSec, and Bug Bounty newsletter

2017-06-23 | Airbnb OAuth tokens theft, Bug hunting with Burp Infiltrator, and Yahoo’s not-so-secret keys

Friday, June 23

TOP STOR(ies)

Today we’re going rogue from our usual structure and highlighting three blog posts by researchers. Let’s call this PoC Fridays. Like it? Let us know what you think. Now for the good stuff:

  1. Authentication bypass on Airbnb via OAuth tokens theft by @arneswinnen. @Yaworsk tweeted “Interested in the thought process of someone who wins an @Hacker0x01 onsite hacking event? You're in luck - read this, it's awesome!” Well said Pete.

  2. Behind enemy lines: Bug hunting with Burp Infiltrator by @salchoman. Boost your quiver of tools with Infiltrator-augmented testing via Burp. Demonstration of a zero-day in JetBrains’ TeamCity.

  3. Yahoo Small Business (Luminate) and the not-so-secret keys by @dawgyg. Collab hunt with @zlz (and using Bug Bounty Forum slack to collaborate). Go team.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity (including nine new disclosures from the U.S. Department of Defense, like this one)!

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

Infiltrating applications might sound daunting, but a little attentiveness to when and how the infiltration is performed may yield exotic vulnerabilities and unexpected insights.

@salchoman