Hacking, AppSec, and Bug Bounty newsletter
2017-11-07 | Silence banking trojan, OPM fails cyber security audit, and That Stuxnet-style
Tuesday, November 7
New Gallup Poll: Of all criminal activity they experience, Americans are most concerned about cybercrime.
Stored XSS in content when Graph is created via API [4 upvotes] - no bounty for this report to Infogram by @krankopwnz.
Bruteforcing password reset tokens, could lead to account takeover [6 upvotes] - $50 bounty for this report to Instacart by @003random.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
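The Instacart report above is only a title here, but the bug class it names is simple to reason about: a reset token drawn from a small space (a 6-digit code, say) with no attempt limit can be enumerated in minutes. The block below is an added example, not code from the report or from Instacart: it shows the weak pattern being brute-forced, a formula for how long exhaustion takes, and a hardened reset store that uses a 256-bit CSPRNG token, stores only its hash, compares in constant time, expires it, makes it single-use, and locks out after a few failures. The store, its limits and the sample user ids are assumptions for illustration.

```python
"""Added example: brute-forceable reset tokens versus a hardened reset flow.
Everything here (ResetStore, its limits, user ids) is hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def weak_token() -> str:
    """The anti-pattern: a 6-digit numeric code, 10**6 possibilities."""
    return f"{secrets.randbelow(10**6):06d}"


def brute_force(check: Callable[[str], bool]) -> Optional[int]:
    """Enumerate the whole 6-digit space against an unthrottled check.
    Returns the number of guesses used, or None if nothing matched."""
    for guess in range(10**6):
        if check(f"{guess:06d}"):
            return guess + 1
    return None


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every token of the given shape."""
    return alphabet_size ** length / guesses_per_second


def _hash(token: str) -> bytes:
    # Store a digest so a database leak does not hand out live tokens.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class ResetRequest:
    token_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class ResetStore:
    """Hypothetical in-memory store of outstanding reset requests per user."""
    ttl_seconds: float = 900.0          # token lifetime: 15 minutes (assumed)
    max_attempts: int = 5               # failed guesses before the token is burned
    requests: Dict[str, ResetRequest] = field(default_factory=dict)
    clock: Callable[[], float] = time.time   # injectable for testing expiry

    def issue(self, user_id: str) -> str:
        # 32 random bytes = 256 bits; URL-safe so it fits in a reset link.
        token = secrets.token_urlsafe(32)
        self.requests[user_id] = ResetRequest(
            token_hash=_hash(token),
            expires_at=self.clock() + self.ttl_seconds,
        )
        return token  # only ever sent to the user's verified address

    def verify(self, user_id: str, presented: str) -> bool:
        req = self.requests.get(user_id)
        if req is None:
            return False
        if self.clock() > req.expires_at or req.attempts >= self.max_attempts:
            del self.requests[user_id]   # expired or locked out: burn it
            return False
        req.attempts += 1
        # Constant-time comparison on the digests, not the raw strings.
        if hmac.compare_digest(req.token_hash, _hash(presented)):
            del self.requests[user_id]   # single use: a replayed link fails
            return True
        return False


if __name__ == "__main__":
    t = weak_token()
    print("weak 6-digit code recovered after", brute_force(lambda g: g == t), "guesses")
    print("exhausting 10^6 codes at 1000 req/s takes", seconds_to_exhaust(10, 6, 1000), "s")
    store = ResetStore()
    tok = store.issue("alice")
    print("wrong guess accepted:", store.verify("alice", "nope"))
    print("real token accepted:", store.verify("alice", tok))
    print("replayed token accepted:", store.verify("alice", tok))
```

At a thousand requests per second a numeric 6-digit code falls in under 17 minutes, which is why the attempt cap and short lifetime matter as much as token length; `secrets.token_urlsafe(32)` puts the search space far beyond any rate an endpoint could serve.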
TWEET OF THE DAY
I wrote a script this morning to quickly build a @AWS WAF using the default @owasp rules. - @JGamblin
OTHER ARTICLES WE’RE READING
Silence. Lurking banking trojan
Ex-NSA head Keith Alexander: hacking back could end up with real, military conflict
APT32 responsible for mass digital surveillance and spying campaign on several Asian nations, says Volexity.
OPM fails health check. Final Audit Report Section B, page 9
Stuxnet-style code signing is fairly common, researchers say
Cisco patched a Border Gateway Protocol (BGP) vulnerability in its IOS XE software.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
OPM does not have the appropriate resources in place to manage its cybersecurity program.