Information Disclosure Due To exposed .env file (Directory Listing) at on 22/10/2024
AWS VDP disclosed a bug submitted by necr0mancer: https://hackerone.com/reports/2784712 [...]
The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.” No, it’s not true. This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion. Cryptography is safe, and will be for a long time [...]
Endless Group disclosed a bug submitted by seqode: https://hackerone.com/reports/791381 [...]
Tax farming is the practice of licensing tax collection to private contractors. Used heavily in ancient Rome, it’s largely fallen out of practice because of the obvious conflict of interest between the state and the contractor. Because tax farmers are primarily interested in short-term revenue, they have no problem abusing taxpayers and making things worse for them in the long term. Today, the U.S [...]
MTN Group disclosed a bug submitted by mathara: https://hackerone.com/reports/1779447 [...]
MTN Group disclosed a bug submitted by mathara: https://hackerone.com/reports/1780399 [...]
Cute squid scarf. Blog moderation policy. [...]
Phylum’s automated risk detection platform recently flagged several suspicious packages published to npm. Upon investigation, we found these packages attempting to exfiltrate Ethereum private keys and gain SSH access to the victim’s machine by writing the attacker’s SSH public key in the root user’s authorized_keys file. Stop me if you’ve heard this one bef [...]
The Wall Street Journal is reporting that the CEO of a still unnamed company has been indicted for creating a fake auditing company to falsify security certifications in order to win government business. [...]
WordPress disclosed a bug submitted by wshadow: https://hackerone.com/reports/2786591 [...]
Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbe [...]
Mozilla disclosed a bug submitted by ghaazy: https://hackerone.com/reports/2412983 [...]
Passwordless authentication for end users is taking the world by storm, offering organizations and individuals alike unprecedented security, user experience, and efficiency benefits. By all indications, the next generation of authentication for end users has finally arrived, sending the password the way of the dodo. Although they don’t get anywhere near the same hype, advanced authentica [...]
Mozilla disclosed a bug submitted by ghaazy: https://hackerone.com/reports/2380084 [...]
Mozilla disclosed a bug submitted by sushantd19: https://hackerone.com/reports/1913309 [...]
Mozilla disclosed a bug submitted by ghaazy: https://hackerone.com/reports/2401648 [...]
Automattic disclosed a bug submitted by nightpool: https://hackerone.com/reports/2258950 [...]
GitHub disclosed a bug submitted by pinguluk: https://hackerone.com/reports/2505761 - Bounty: $4000 [...]
The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. The younger brother is facing charges that could land him life [...]
Sorare disclosed a bug submitted by thebeast99: https://hackerone.com/reports/2048725 [...]
If there’s a vulnerability in your systems that cybercriminals could exploit, you’ll want to know about it. Collaborating with people outside your organization to alert you to these issues can be extremely powerful because it allows your business to discover vulnerabilities before malicious hackers do. This approach, known as vulnerability disclosure, requires clear reporting c… [...]
Internet Bug Bounty disclosed a bug submitted by 4xpl0r3r: https://hackerone.com/reports/2590608 - Bounty: $249 [...]
The men’s world conkers champion is accused of cheating with a steel chestnut. [...]
Posted by Alex Rebert, Security Foundations, and Chandler Carruth, Jen Engel, Andy Qin, Core Developers Error-prone interactions between software and memory are widely understood to create safety issues in software. It is estimated that about 70% of severe vulnerabilities in memory-unsafe codebases are due to memory safety bugs. Malicious actors exploit these vulnerabilities and continue to cr [...]
Posted by Jianing Sandra Guo, Product Manager and Nataliya Stanetsky, Staff Program Manager, Android Janine Roberta Ferreira was driving home from work in São Paulo when she stopped at a traffic light. A man suddenly appeared and broke the window of her unlocked car, grabbing her phone. She struggled with him for a moment before he wrestled the phone away and ran off. The incident left her dee [...]
The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here). The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to reveal, was a former Middle East sales representative for the Taiwanese firm who had established [...]
Enjin disclosed a bug submitted by ndizon_: https://hackerone.com/reports/1623672 [...]
Enjin disclosed a bug submitted by mo_salah12: https://hackerone.com/reports/2682392 [...]
We all know that reconnaissance is important in bug bounty, in fact, it is the most important phase in bug bounty & web app pentesting. Bug bounty hunters who perform effective recon are always rewarded well as they come across untouched features and hidden assets more often than others. This provides them an edge and easily increases their chances of finding security vulnerabi… [...]
NIS2 will take effect across the EU from 18th October 2024, meaning time is running out to comply with its provisions. This Directive, replacing NIS1 (2016), strengthens requirements for in-scope sectors to report security incidents and manage risk. In this guide, we’ll summarize which entities will need to comply with the enhanced legislation and the standards they must meet.… [...]
Use HackerOne's Global Vulnerability Policy Map to keep up with evolving VDP mandates and recommendations. [...]
This is a current list of where and when I am scheduled to speak: I’m speaking at SOSS Fusion 2024 in Atlanta, Georgia, USA. The event will be held on October 22 and 23, 2024, and my talk is at 9:15 AM ET on October 22, 2024. The list is maintained on this page. [...]
Perfectl is an impressive piece of malware: The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that w [...]
Rocket.Chat disclosed a bug submitted by yash24: https://hackerone.com/reports/2028450 [...]
Learn about the EU Council's Cyber Resilience Act, where we're headed, and what we believe should happen next. [...]
Fishermen in Tamil Nadu are reporting smaller catches of squid. Blog moderation policy. [...]
In July, I wrote about my new book project on AI and democracy, to be published by MIT Press in fall 2025. My co-author and collaborator Nathan Sanders and I are hard at work writing. At this point, we would like feedback on titles. Here are four possibilities: Rewiring the Republic: How AI Will Transform our Politics, Government, and Citizenship The Thinking State: How AI Can Improve Democracy B [...]
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/2579939 - Bounty: $25000 [...]
Learn how HackerOne's AI Risk Readiness Self-Assessment Tool helps measure your AI security and compliance preparedness. [...]
This is a joint post with the Hugging Face Gradio team; read their announcement here! You can find the full report with all of the detailed findings from our security audit of Gradio 5 here. Hugging Face hired Trail of Bits to audit Gradio 5, a popular open-source library that provides a web interface that lets machine learning (ML) developers quickly showcase their models. Based on our findings a [...]
Posted by Adrian Taylor, Security Engineer, Chrome Chrome’s [...]
GitLab disclosed a bug submitted by a92847865: https://hackerone.com/reports/2499070 [...]
The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later — while out house-hunting in a brand new Lamborghini. Prosecutors say the couple was beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom. Image: ABC7NY. youtube [...]
Learn how to optimize internal network pentesting through community-driven pentesting as a service (PTaaS). [...]
GitLab disclosed a bug submitted by fdeleite: https://hackerone.com/reports/2523654 [...]
MTN Group disclosed a bug submitted by m4lc0lmx: https://hackerone.com/reports/2182202 [...]
You need an API security solution. That much is a given (although some may argue it isn’t!). While essential for business growth and innovation, APIs, or Application Programming Interfaces, expose the organizations that use them to cyber threats. Attackers are both aware of and actively exploiting this fact: Wallarm recently revealed that attacks on APIs impacted 98.35 million users in Q2 2024. [...]
inDrive disclosed a bug submitted by polem4rch: https://hackerone.com/reports/2588329 - Bounty: $2000 [...]
This post explores the risks and challenges of IP spoofing in cloud environments, particularly in setups using reverse proxies. It outlines various mitigation strategies to ensure accurate client IP identification for security purposes. [...]
Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools. One of the zero-day flaws [...]
Learn the ins and outs of IDOR vulnerabilities and how one exploitation led to malicious user profile modification. [...]
Ruby on Rails disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2334455 [...]
Ruby on Rails disclosed a bug submitted by trufflesecurity: https://hackerone.com/reports/1302395 [...]
GitLab disclosed a bug submitted by cryptopone: https://hackerone.com/reports/1935628 - Bounty: $1060 [...]
GitLab disclosed a bug submitted by 70rpedo: https://hackerone.com/reports/2104591 [...]
GitLab disclosed a bug submitted by afewgoats: https://hackerone.com/reports/1772063 [...]
Mozilla disclosed a bug submitted by anhchangmutrang: https://hackerone.com/reports/2735646 [...]
MTN Group disclosed a bug submitted by hazemhussien99: https://hackerone.com/reports/1773609 [...]
MTN Group disclosed a bug submitted by hazemhussien99: https://hackerone.com/reports/2039384 [...]
AWS VDP disclosed a bug submitted by hesham_elsheme: https://hackerone.com/reports/2731133 [...]
IBM disclosed a bug submitted by mersa-v6: https://hackerone.com/reports/2696271 [...]
Posted by Sherk Chung, Stephan Chen, Pixel team, and Roger Piqueras Jover, Ivan Lozano, Android team Pixel phones have earned a well-deserved reputation for being security-conscious. In this blog, we'll take a peek under the hood to see how Pixel mitigates common exploits on cellular basebands. Smartphones have become an integral part of our lives, but few of us think about the complex softwar [...]
Posted by Alex Gough, Chrome Security Team The Chrome Security Team is constantly striving to make it safer to browse the web. We invest in mechanisms to make classes of security bugs impossible, mitigations that make it more difficult to exploit a security bug, and sandboxing to reduce the capability exposed by an isolated security issue. When choosing where to invest it is helpful to consider [...]
Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child [...]
TikTok disclosed a bug submitted by ahmed_xyz: https://hackerone.com/reports/2306491 [...]