Hacking, AppSec, and Bug Bounty newsletter
2018-01-08 | Harvesting credit card numbers, DNSMasterChef, and Why Raspberry Pi isn’t vulnerable to spectre or meltdown
Monday, January 8
David is harvesting credit card numbers and passwords on your site. Here’s how.
TWEET OF THE DAY
There was a golden moment in 1995 where all of the sudden all of us knew how exploitable and common stack overflows were and everything in the world was broken. That’s what this feels like. - @tqbf
OTHER ARTICLES WE’RE READING
PoC code implementing variant 3a of the Meltdown attack for AArch64.
How a compromised employee email can lead to stolen bitcoins... Step 1: Compromise employee. Step 2: Grep reddit outbound password reset emails. Step 3: Follow up with ATO of reddit accounts. Step 4: Steal BTC.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve. Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality.