Hacking, AppSec, and Bug Bounty newsletter
2017-12-14 | Mirai and Minecraft, Direct TV’s video bridge remote root, and Star Wars galactic theatrics
Thursday, December 14
Wired has the story of the motivations behind Mirai, and the U.S. Justice Department released the guilty pleas of the authors of the Mirai botnet. Brian Krebs, who successfully identified two of the men back in January 2017, posted a brief write-up of his own.
Password reset link injection allows redirect to malicious URL [33 upvotes] - $1,500 bounty for this report to Mavenlink by @cablej. See Jack’s blog: Don’t trust the host header for sending password reset emails.
Unserialize leading to arbitrary PHP function invoke [74 upvotes] - $5,000 bounty for this report to Rockstar Games by @someguyfromthepast.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
Here is a little gem of my private OSINT inventory I kept private for too long http://index.commoncrawl.org/CC-MAIN-2017-09-index?url=*.hackerone.com%2F*&output=json … #togetherwehitharder - @0x4a6448
OTHER ARTICLES WE’RE READING
Amit’s story: how an adtech company is borrowing nefarious tactics found in malware to make it hard for antivirus software and other security products to detect them
Only 9% of consumers fully trust IoT devices, but many refuse to disconnect
WSJ: Boards Respond to Equifax as Defining Moment of Cybersecurity Governance [Paywall]
The International Space Station will be watching The Last Jedi with the rest of us.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
It’s the most successful IoT botnet we’ve ever seen—and a sign that computer crime isn’t just about desktops anymore.