Monday, August 27
TOP STORY
The Android Fortnite Installer downloads proved to be vulnerable to hijacking. Google reported the issue mid-August. Epic took a bit of issue with the disclosure timeline, Mashable has a statement from Epic CEO Tim Sweeney.
HACKTIVITY HIGHLIGHTS
SSRF on duckduckgo.com/iu/ [44 upvotes] - no bounty for this report to DuckDuckGo by @d0nut.
Domain pointing to vimeo portfolio are prone to takeover using on-demand [14 upvotes] - $1,500 bounty for this report to Vimeo by @bugdiscloseguys.
OTHER ARTICLES WE’RE READING
Cloudflare rolled out web cache poisoning protection
Matt Austin’s writeup on CVE-2018-15685 - Electron WebPreferences Remote Code Execution Finding
Threat modeling tools, utilities for MITRE ATT&CK
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Just because you're compliant does not mean you're secure. A hacker couldn't care less if you meet the minimum security requirements required by law.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.