Hacking, AppSec, and Bug Bounty newsletter
2018-02-05 | GDPR and WHOIS, Subover, and Quantifying untrusted Symantec certificates
Monday, February 5
Greetings from Hawaii. Coming at you a bit earlier than normal for the next week due to the time change. Aloha.
When good intentions have negative side effects: Motherboard asks what is going to happen to WHOIS. The enactment of the GDPR in May could signify the beginning of the end for WHOIS data. GoDaddy is the first registrar to redact emails, names, and phone numbers from all WHOIS records it publishes.
Leak ██████████ information in real time through API request [55 upvotes] - $2,000 bounty for this report to Grabtaxi by @severus.
[https://reviews.zomato.com] Time Based SQL Injection [45 upvotes] - $1,000 bounty for this report to Zomato by @samengmg.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
OTHER ARTICLES WE’RE READING
Subover: a hostile subdomain takeover tool designed in Python
Meg+: An automated reconnaissance wrapper
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
The problem, briefly stated, is that ICANN has agreements with the thousands of domain registrars around the globe like GoDaddy or HostGator which oblige the companies to post WHOIS data—such as names, emails, and phone numbers—for every domain registrant with their service. On the other hand, the GDPR prohibits companies from publishing information that identifies individuals, which means that when the law goes into effect in April, ICANN’s agreements with registrars about WHOIS data will be illegal, at least in Europe.