Hacking, AppSec, and Bug Bounty newsletter
2017-06-28 | Super XSS, The nameless worm, and Shahmeer’s $5K bug
Wednesday, June 28
A worm with no name - but let’s just call it Petya. Here’s a Petya live incident blog. Ars’ Dan Goodin has a good overview and links to a Kaspersky Lab blog with more detail. WannaCry kill-switch kid Marcus Hutchins analyzes Petya and is updating his blog regularly. Just another Tuesday.
XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications [34 upvotes] - $5,000 bounty for this report to Shopify by @bored-engineer. Not all XSS are created equal. This XSS affected all of Shopify, and the report is a great all-around example of a well-written report, good communication by the security team, and public disclosure.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
HTTPS, Buy: $1.99
Hashing, Buy: $1.99
Salting, Buy: $1.99
Captcha, Buy: $1.99
OTHER ARTICLES WE’RE READING
That one time there was a stack buffer overflow flaw in Skype
How Hollywood Got Hacked - Variety
Whatever you do, don’t turn your computer on!
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
“Once I was able to look at our server, my hands started shaking, and I almost threw up.”