Hacking, AppSec, and Bug Bounty newsletter
2018-08-15| Foreshadow aka L1TF, Why election security is such a hard problem, and EdOverflow’s guide to subdomain takeovers
Wednesday, August 15
Foreshadow, aka L1 Terminal Fault (L1TF) could be a bigger deal than Spectre and Meltdown. Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. See Intel’s blog on details and mitigation information and Microsoft published technical analysis of L1TF. Wired has a good writeup as well.
Phone Call to XXE via Interactive Voice Response [44 upvotes] - finding published by @cdl
[flintcms] Account takeover due to blind MongoDB injection in password reset [2 upvotes] - no bounty for this report to Node.JS third-party modules by @becojo.
OTHER ARTICLES WE’RE READING
Election security is not easy. University of Michigan’s Alex Halderman says that at least one thing that’s improved since the 2016 election is awareness, in a Q&A with MIT, and here’s a Matt Blaze tweet thread on why election security is by far the hardest problem he’s ever encountered.
Vote for the Top 10 Web Hacking Techniques of 2017
Bloomberg asks why not a cyber force?
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Claiming your front door has an unpickable lock does not make your house secure. No more does offering a reward only for defeating that front door lock, and repeatedly saying no one has claimed the reward, prove your house is secure, especially when you’ve left the windows open.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.