Hacking, AppSec, and Bug Bounty newsletter
2017-11-10 | Getting access to 25k employees' details, Magoo’s 5, and HBD to Hack The Pentagon
Friday, November 10
Defense in depth comes from multiple factors. @magoo’s 5 factors used to secure systems
Vulnerable exported broadcast receiver [5 upvotes] - no bounty for this report to Bitwarden by @b3nac.
Self-XSS in password reset functionality [6 upvotes] - $500 bounty for this report to Shopify by @iron_fist. Lesson: Only you can stop self-XSS! No, but seriously: good programs with high min bounties are cherry to learn and hack on!
Stop us if you’ve heard this one before… “The configuration file of an internal IRC bot (which included credentials to internal services and some external services used by [redacted] developers) was inadvertently included by an employee in a personal public GitHub repository. The repository was taken down and the affected credentials rotated.”
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
Hackers finally got their chance to try and hack the Pentagon without repercussion - @wired
OTHER ARTICLES WE’RE READING
Getting access to 25k employees details by @sahilsaif
Where there’s a JTAG there’s a way: Obtaining full system access via USB
Get your Censys scans in while they’re free.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
"It’s one thing for a company to come forward and work with their general counsel to do a bug bounty. It’s a completely different thing entirely for the organization that really initiated the Computer Fraud and Abuse Act and that early hostility toward security researchers to openly start engaging and working with them. The weight that the DoD brings when they pair with the DoJ to say 'hackers can do good,' that just doesn’t exist anywhere else."