Hacking, AppSec, and Bug Bounty newsletter
2017-07-24 | Ethereum hack, badgelife, and hackers for hire
Monday, July 24
Happy Security Summer Camp week!
Last week was witness to the 2nd biggest digital currency heist ever. Today, we highlight a few of the blogs reviewing the how, why, and what now: A hacker stole $31M of Ether — how it happened, and what it means for Ethereum by Haseeb Qureshi. See also An In-Depth Look at the Parity Multisig Bug from Hacking, Distributed.
New 2FA Bypass [7 upvotes] - $1,000 bounty for this report to VK.com by @povargek. Improper Authentication vulnerability.
Login to any user account using other facebook app access token [7 upvotes] - no bounty for this report to Imgur by @vinothkumar.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
OTHER ARTICLES WE’RE READING
NBC News: Hackers for hire (featuring @mltichfield)
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
It’s important to understand that this exploit was not a vulnerability in Ethereum or in Parity itself. Rather, it was a vulnerability in the default smart contract code that the Parity client gives the user for deploying multi-signature wallets.