Hacking, AppSec, and Bug Bounty newsletter
2019-05-29 | OSINT 101, SnapLion, XSS Hunter gone postal
Wednesday, May 29
One simple IDOR. Krebs’ First American Financial Corp. breach bombshell last Friday was smartly dropped before a long holiday weekend, when all other journalists were probably on vacay for the weekend or at least not in the state of mind to chase a big story. “These types of data exposures are some of the most common yet preventable”.
TWEET OF THE DAY
I had my BXSS payload on one of my tax documents this year.. - @nahamsec
OTHER ARTICLES WE’RE READING
LFI on production servers in springboard.google.com --> Brute forcing directories FTW
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big. Frans Rosen’s talk at Facebook / Google’s BountyCon in Singapore a few months back. Speaking of LHEs, Uber raising the bar at h1-4420.
Katelyn Bowden’s OSINT 101 thread, good stuff.
Alex Stamos comments on a key area of security under-investment: secure and audited internal data access. À la Uber’s ‘god view’ and Snap’s ‘SnapLion’.
Who’s your iPhone talking to in the middle of the night? Geoffrey Fowler from the Washington Post knows.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
In 2019, we don't need more people preaching about cybersecurity with fear. Most of us get it, and the new folks are coming to the table ready.
Don't preach to me about the need for change, tell me a story about how we can facilitate the change we need.