Hacking, AppSec, and Bug Bounty newsletter
2017-09-11 | Latest on Equifax, UK Tax site security flaws, and Adios DREs
Monday, September 11
Equifax breach news from the past weekend: It might be Apache Struts (Zack Whittaker isn’t convinced yet). NYT says Equifax hack exposes regulatory gaps. Equifax says, come back on 9/13 to see if you were breached. And what about those credit freeze pins?
Object Injection in Woocommerce / Handle PDT Responses from PayPal [3 upvotes] - $300 bounty for this report to Automattic by @slavco.
Stored XSS Deleting Menu Links in the Shopify Admin [22 upvotes] - $1,000 bounty for this report to Shopify by @azizs3curity.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
OTHER ARTICLES WE’RE READING
Technical debt is a bear, just ask Equifax
Just say no to paperless voting machines: Virginia says adios DREs.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
I love the concept here of hitting an attack surface (a voice interface) right in front of us without our knowledge, but it's important to note that you should only be able to access commands that are already allowed. So it's not a matter of too much access, it's a matter of unknown access.