Hacking, AppSec, and Bug Bounty newsletter
2018-04-10 | Phishing tales from Gmail and Lookout, Despacito video defaced, and Facebook’s data abuse bounty
Tuesday, April 10
We want to hear from you, our amazing readers: Take this quick survey on how we can improve Zero Daily. You may get lucky - like a swag pack sent to your front door lucky. Survey ends 2018-04-13 at 12pm PST.
Two phishing tales today. First, Yes, the dots do matter, Google: the story of how to scam a Gmail user (Bruce Schneier also weighs in). Second, Lookout Security published its Mobile Phishing 2018 Report: phishing is different on mobile, and we’re way worse at spotting it there (we’ve gotten 85% worse at catching phishing every year since 2011 - either we’re dumber and more distracted, or criminals are getting better at the phish game, or both).
Malicious file upload [redacted] [11 upvotes] - $600 bounty for this report to LocalTapiola by @muon4.
CSRF in Raffles Ticket Purchasing [15 upvotes] - $150 bounty for this report to Unikrn by @tolo7010.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
With the dismissal of that frivolous lawsuit, I'm finally free to voice a few thoughts. Again, my thanks to Natalie Spears of the @Dentons law firm and my support to @SteveD3 and @VickerySec. - @dangoodin001
OTHER ARTICLES WE’RE READING
The most viewed video on YouTube, the Despacito music video, has been defaced. Shakira, Selena Gomez, Drake and Taylor Swift were all targeted by the black hats who go by Prosox and Kuroi'sh. A face-palm-esque story for both YouTube and humanity - how is that video the most viewed YouTube video?!?
Heroku explains CVE-2017-17405, a vulnerability in Ruby’s FTP implementation.
Server Side Request Forgery to NIPRNet access. Two outdated Jira instances were vulnerable to server-side request forgery (SSRF); the flaw was exploited and pivoted into access to DoD internal services and the network. Great find and write-up by Alyssa Herrera.
DNS Resolvers Performance compared: CloudFlare x Google x Quad9 x OpenDNS
Facebook rolls out its Data Abuse Bounty
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
Patch management forms an integral part of the security lifecycle and cannot be a static process of simply applying patches. Reviewing and understanding the underlying causes of the vulnerabilities being patched can help identify further vulnerabilities in the affected software, or even in completely different software packages.