2017-12-01 | Google Caja bypass PoC’s, Bucket Stream, and Clarkson cyber attack

Friday, December 1

TOP STORY

• Department of Energy gets a grade on cyber security from the Inspector General: Progress was made but more to do.

HACKTIVITY

• Improper markup sanitization [10 upvotes] - $150 bounty for this report to Automattic by @edio.

• Stored XSS using SVG on subdomain infra.mail.ru [2 upvotes] - no bounty for this report to Mail.Ru by @whitesector.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity

TWEET OF THE DAY

• What is your favorite security news sources? How do you configure Twitter to be more organized? Anyone use other browser apps for news? - @missmalware

OTHER ARTICLES WE’RE READING

• Google Caja bypasses hat-trick

• Could an air conditioner take down a military base?

• New Senate bill includes jail time for executives who conceal data breaches

• Bucket Stream

• UK shipping firm Clarkson reports cyber attack

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

This malspam campaign cannot be very effective, yet it occurs practically every day.  That's a testament to how cheap and easy it is to establish these campaigns.

Brad Duncan