2018-01-05 | 1.2 B UIDAI records sold for $8, RCE bonus from Google Play, and CERT’s Spectre solution update

Friday, January 5

TOP STORY

• Aadhaar, India's National ID Database (UIDAI) with private information of nearly 1.2 Billion people was reportedly breached (and the data sold “repeatedly” for a whopping $8). Originally reported by Tribune India, Aadhaar claimed it was fake news, but now admits it appears to be an “instance of misuse”. When every admin is a super admin, there’s ripe chance for “misuse”.

HACKTIVITY

• SQL Injection on careers.razerzone.com within the Admin interface without any access credentials [12 upvotes] - no bounty for this report to Razer by @surfrdan.

• RCE in TinyCards for Android [10 upvotes] - $1,000 bonus from Google Play for this remote code execution on Duolingo’s TinyCards for Android. Well done @nightwatch-cybersecurity.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity

OTHER ARTICLES WE’RE READING

• Let’s get along: banks and retailers co-sign letter to congress in support federal legislation to protect personal information, including details of what Congress should enact legislation encompassing.

• Re: Spectre. CERT updated VU#584653 Solution section to say “Apply Updates” rather than “Replace CPU hardware”. There is a new hope in the galaxy.

• Hospital security challenges

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

There will always be new threats…

Andrew Boyd