2018-10-05 | Strong denials of Bloomberg’s big hack article, Bypassing web cache poisoning countermeasures, Holidays are good for phishing

Friday, October 5

TOP STORY

• Apple’s statement in response to Businesweek’s “big hack” article published yesterday. Others issued denials as well, including Amazon, Supermicro, and the Chinese Government, and a good point by SwiftOnSecurity that these are SEC regulated statements. The Grugq has some speculations. One person pontificated if Businessweek got their hands on a leaked early draft of the Sneakers 2 script and interpreted it as factual. ¯\_(ツ)_/¯ . Regardless, more to come with this story, to be sure.

HACKTIVITY HIGHLIGHTS

• Race condition at create new Location [12 upvotes] - $500 bounty for this report to Shopify by @zhurig.

• Zomato SQLi - /php/██████████ - item_id [193 upvotes] - $4,500 bounty for this report to Zomato by @gerben_javado

• Gain access to random information via group chat "about" property [11 upvotes] - $1,000 bounty for this report to ICQ by @3c75.

OTHER ARTICLES WE’RE READING

• Bypassing web cache poisoning countermeasures by James Kettle

• Holiday season good for Phishing, IBM report says

• Convert nmap scans into Beautiful HTML web pages posted on rootsh3ll

• James Kettle’s header wordlists for Param Miner, now available via @DanielMiessler's SecLists project

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

There’s not much we can speculate about the modchip because the Bloomberg description of whatever it does is gibberish.

The Grugq