2017-12-12 | Road to Exim RCE, The ROBOT attack, and 4iQ discovers 1.4B clear text credentials

Tuesday, December 12

TOP STORY

• 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date according to the researchers.

HACKTIVITY

• Content Security Policy not applied to error pages at multiple HackerOne endpoints [27 upvotes] - $500 bounty for this report to HackerOne by @wh47.

• Javascript Payload reflected Back in Report Embed Code [2 upvotes] - no bounty for this report to Infogram by @zubair.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity

TWEET OF THE DAY

• Put together a simple search for conferences, I'll keep adding as I go. Feel free to add. https://securedorg.github.io/community/search.html - @malwareunicorn

OTHER ARTICLES WE’RE READING

• Google patches 37 vulns in Chrome

• Road to Exim RCE - Abusing Unsafe Memory Allocator in the Most Popular MTA

• Return Of Bleichenbacher's Oracle Threat: The ROBOT Attack

• Hackable software in the driver’s seat

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

Is this vuln really serious enough to deserve a name, a logo and a web page?
We had considerable disagreement in our team about this. Juraj agreed only under protest. All complaints about this issue need to go to Hanno.

The ROBOT Attack Team