Hacking, AppSec, and Bug Bounty newsletter
2017-10-18 | Flash 0-Day, ROCA, and Google’s Advanced Protection
Wednesday, October 18
Flaaaash CVE-2017-11292. No patch as of yet. But, good news, Chrome blocks older, vulnerable versions of Flash from loading.
SSRF at iris.lystit.com [11 upvotes] - $100 bounty for this report to Lyst by @tripwire.
[Markdown] Stored XSS via character encoding parser bypass [5 upvotes] - no bounty for this report to GitLab by @ysx.
Anyone going to Shellcon tomorrow? Come by our booth and show us today's ZD for a special swag prize.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
I don't need to client side when I can server side - @naffy
OTHER ARTICLES WE’RE READING
ROCA: Vulnerable RSA generation (CVE-2017-15361): Gov security tokens vulnerability.
Google’s advanced protection - phishing proof?
Speech by Rod J. Rosenstein of the DOJ on VDP and more at the Global Cybersecurity Summit
A look at “hack back”
KRACK impacts on IoT… we’ll be dealing with this for a while
The Twitter thread that rules all Twitter threads. Well done @jschauma
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker-focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
When it comes to the eternal tradeoff between digital security and convenience, most tech firms focus their efforts on the vast majority of people who choose a painless user experience over a paranoid one.