Thursday, September 13
TOP STORY
Krebs looks at big 4 cell phone companies co-initiative called “Project Verify” that would let websites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account.
TWEET OF THE DAY
If you have stored HTML injection in the <head> tag of a page (fairly common with Web Cache Poisoning), you can DOS the page's scripts by inserting a malicious CSP via the meta tag. Sometimes you can even inject into a meta tag in the header and just use the " to escape. - @rhynorator
OTHER ARTICLES WE’RE READING
Cyber Paul Revere - CNN reports on The DHS Cyber Incident Response Teams Act
Some more on the British Airways breach. Scott Helme says the attackers that pulled it off registered their domain and bought a cert 5 days before the attack started. Some are asking (and hypothesizing) what the GDPR fine will be?
Microsoft re-did their naming scheme for update rollups... and this happened
Some chatter on the Magento bug bounty program being folded under Adobe’s program: ZDNet article reviewed the move and Adobe sent a clarifying statement about the intent to continue to pay, and VP Jason Woosley also tweeted a correction.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Today I discovered an unfortunate consequence of GDPR: once someone hacks into your account, they can request--and potentially access--all of your data. Whoever hacked into my @spotify account got all of my streaming, song, etc. history simply by requesting it.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.