Hacking, AppSec, and Bug Bounty newsletter
2018-04-03 | Fauxpersky keylogger, Lazarus KillDisks Central America Casino, and My oh my Panera
Tuesday, April 3
Panera Bread sets an example for every possible way to poorly communicate with a researcher and mishandle breach response: a) not having a security[at] inbox set up, b) not fixing a known vulnerability for 8 months, c) sending combative emails to the security researcher who's notifying you of the issue, d) lying to the press about the number of customers impacted, e) treating a well-respected journalist like an idiot, f) not digging deeper than the PoC…
blind XXE in autodiscover parser [26 upvotes] - $5,000 bounty for this report to Mail.Ru by @obmihail.
[redacted] vulnerable to Jetleak [18 upvotes] - $1,260 bounty for this report to Twitter by @molejarka.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
Jumbled Nest Of Cords Makes Move To Third New Apartment - @TheOnion
OTHER ARTICLES WE’RE READING
After almost 4 years there are still 139,819 unpatched devices vulnerable to CVE-2014-0160 / Heartbleed, according to Victor Gevers.
Analysis of Lazarus Group’s disk wiping activities in a recent attack on an online casino in Central America
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
You know it's bad when your "down for maintenance" page is down. I think self-referential 404s are a kind of paradox.