Hacking, AppSec, and Bug Bounty newsletter

2018-07-23 | Being a security expert, Latest social engineering trends, and FISA documents released for first time

Monday, July 23

  • Latest social engineering trends: Dropbox was the top phishing lure this past year (source below), but DocuSign lures had the highest click rate, 5X the average click rate for the top 20 lures - @racheltobac


  • Photon: quickly extract URLs, emails, website accounts, AWS buckets, endpoints, files and more from a target. Created by @s0md3v

  • Public by default: Researcher Hang Do Thi Duc dives into what Venmo knows about its users and leaves public: “One would think that when it comes to money, privacy by design is of greater importance and higher demand. One would be disappointed in this particular case.”

  • RCE on Yahoo Luminate: short write-up by @uraniumhacker, a testament to hacker collaboration on recon and hunting

  • The SIM hijackers: in-depth article by Motherboard on how phone numbers are the access to

  • Digital Shadows looks into the tactics, techniques and procedures of the GRU as shown in the Mueller Indictment, deploying the MITRE ATT&CK™ framework to play back Mueller’s findings

  • The FISA Documents on the wiretapping of former Trump administration campaign advisor Carter Page have been released by the Justice Department, something the New York Times says is the first time these documents have been made public.
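The kind of extraction the Photon item above describes, shown as an added example (this is not Photon's code and is not part of the newsletter): a small Python extractor that pulls URLs, e-mail addresses, S3 bucket names, same-origin endpoints and file references out of one fetched page. The sample HTML and the target host example.com are constructed for the example; a real crawler would fetch pages with requests or urllib and feed the discovered endpoints back into its queue.

```python
"""Recon extractor in the spirit of Photon (added example, not Photon's code).

Given one page of HTML and the URL it was fetched from, collect URLs, e-mail
addresses, S3 bucket names, same-origin endpoints and file references.
"""
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page for the hypothetical target example.com.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/app.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/css/site.css">
</head><body>
<a href="/api/v1/users">users</a>
<a href="https://partner.example.org/login">partner</a>
<img src="https://assets-prod-example.s3.amazonaws.com/img/logo.png">
<a href="https://s3.amazonaws.com/example-backups/dump.sql.gz">backup</a>
<p>Contact: security@example.com or press@example.com</p>
<script>fetch("/api/v1/report?id=1");</script>
</body></html>
"""

# Absolute URLs anywhere in the page (stop at whitespace, quotes or brackets).
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# Quoted root-relative paths in href/src attributes and JS string literals.
PATH_RE = re.compile(r"""["'](/[A-Za-z0-9_./\-?=&%]+)["']""")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Both S3 addressing styles: bucket.s3[.region].amazonaws.com and
# s3[.region].amazonaws.com/bucket
S3_VHOST_RE = re.compile(r"https?://([a-z0-9.\-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com")
S3_PATH_RE = re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.\-]+)")
# Extensions worth flagging as downloadable files (sources, backups, assets).
FILE_EXT_RE = re.compile(r"\.(?:js|css|json|xml|sql|gz|zip|bak|pdf|png|jpg)$", re.I)


def extract(html, base_url):
    """Return a dict of sorted, de-duplicated findings for one page."""
    base_host = urlparse(base_url).netloc
    urls = set(URL_RE.findall(html))
    # Resolve relative paths against the page so they can be crawled next.
    for path in PATH_RE.findall(html):
        urls.add(urljoin(base_url, path))

    endpoints, external, files = set(), set(), set()
    for u in urls:
        parsed = urlparse(u)
        if FILE_EXT_RE.search(parsed.path):
            files.add(u)
        if parsed.netloc == base_host:
            # Same-origin paths are the attack surface to enumerate further.
            endpoints.add(parsed.path)
        else:
            external.add(u)

    buckets = set(S3_VHOST_RE.findall(html)) | set(S3_PATH_RE.findall(html))
    return {
        "urls": sorted(urls),
        "endpoints": sorted(endpoints),
        "external": sorted(external),
        "files": sorted(files),
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "buckets": sorted(buckets),
    }


if __name__ == "__main__":
    for key, values in extract(SAMPLE_HTML, "https://example.com/").items():
        print(key)
        for v in values:
            print("  ", v)
```

Bucket names are the finding a hunter checks first, since a bucket found in page source may be listable or writable; endpoints from JS string literals are the next thing to probe, because they are often not linked anywhere else on the site.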


Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email:

By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.