Hacking, AppSec, and Bug Bounty newsletter
2018-04-24 | SamSam explained, How GDPR benefits Google and Facebook, and Exfiltrating private keys from air-gapped cold wallets
Tuesday, April 24
Steve Ragan explains the SamSam threat actor group (part 3). In related news, SamSam victim, city of Atlanta braces for $2.6 million in recovery costs from the ransomware caused outage (that’s about 50x the $50,000 ransom price, but who’s counting).
SocialClub's Facebook OAuth Theft through Warehouse XSS [14 upvotes] - $750 bounty for this report to Rockstar Games by @netfuzzer.
Possible to redirect to a (non-existing) subdomain after logging in via GitHub (leaking the token) [45 upvotes] - no bounty for this report to Ed by @jackds.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
I visited the NSA booth at #RSAC today and I was going to say something witty, maybe about Dual_EC, but then they let me play with a real (!) Enigma machine and I thought sod it, mass surveillance isn't that bad really and who needs strong random number generators anyway. - @martijn_grooten
OTHER ARTICLES WE’RE READING
WSJ’s Sam Schechner and Nick Kostov report on how GDPR benefits Google and Facebook
Jack Cable’s LinkedIn AutoFill button iframe exploit PoC blog
Require authentication for Apache Drill when exposed to the internet - Jobert Abma explains
US Senate hearing today to evaluate DHS's cybersecurity performance
If it sounds too good to be true, it probably is
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
… The SaaS model of ransomware is a cutthroat business, so most of the players in that game aren't making much from their efforts. The real money is in customization and private ransomware development. This is where SamSam stands out from the rest.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.