ZERO DAILY
Hacking, AppSec, and Bug Bounty newsletter
2019-08-13 | Taviso goes down the rabbit hole, Orange’s Pre-auth RCE on Twitter VPN, and Web cache poisoning by albinowax
Tuesday, August 13, 2019
Took a bit of a break for security summer camp, back at it this week for a jam-packed Zero Daily for ya.
TOP STORY
- From @taviso: I’m publishing some research today, a major design flaw in Windows that's existed for almost *two decades*. I wrote a blog post on the story of the discovery all the way through to exploitation. Repo of code and tools used.
HACKTIVITY HIGHLIGHTS
- Potential pre-auth RCE on Twitter VPN [288 upvotes] - $20,160 bounty for this report to Twitter by @Orange.
- SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database [263 upvotes] - $4,000 bounty for this report to Starbucks by @spaceracoon.
- Stored XSS on [redacted] and Bypass for #488147 enables stored XSS on [redacted] again. About $40K in bounties for two reports to PayPal by @albinowax, both built on a web cache poisoning attack. See his full writeup on the PortSwigger blog.
OTHER ARTICLES WE’RE READING
- Apple is getting a bit chummier with security researchers with the iOS security research device program, giving dev devices to top hackers in its bug bounty program. About time.
- MSFT is upping bug bounty awards and has launched Azure Security Lab.
- Filedescriptor and EdOverflow published an article in PagedOut about bug hunting (see page 52).
- Owning the clout through SSRF and PDF generators - slides from @nahamsec and @daeken’s DEF CON talk. See also the automatic HTTP+DNS rebinding attack tool referenced in the talk.
- HackerOne’s h1-702 live hacking event concluded on Sunday morning, having paid out hackers $1.9M over 3 days. What a ride.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Hi, we have cracked the admin hash and got the root shell. This is definitely a Pre-auth RCE on your SSL VPN server