
Researcher Laxman Muthiyah Awarded with $50,000 for Detecting a Flaw in Microsoft Account


A bug bounty hunter was awarded $50,000 by Microsoft for reporting a security vulnerability that could lead to account takeover. The researcher says that only 'user accounts' were affected by the vulnerability. The flaw involved brute-forcing the seven-digit security code that is sent via email or SMS during the password reset process.

Microsoft has awarded $50,000 to security researcher Laxman Muthiyah for reporting a vulnerability that could allow anyone to hijack user accounts without permission. Muthiyah disclosed the flaw in a blog post on Tuesday, 2 March.

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that, we will be asked to select the email or mobile number that can be used to receive security code,” researcher Laxman Muthiyah wrote in the blog. “Once we receive the 7-digit security code, we will have to enter it to reset the password. Here, if we can brute force all the combinations of 7-digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”

Muthiyah had previously found a rate-limiting flaw in Instagram that could lead to account takeover, and he applied the same tests to Microsoft accounts. He found that rate limits were in place to cap the number of attempts and safeguard accounts. Examining the HTTP POST request sent to verify the code showed that the code was encrypted before being sent, meaning the encryption had to be worked out before a brute-force attack could be automated.

The researcher sent 1000 code-verification requests, but only 122 were accepted; the remaining requests returned error code 1211, which confirmed that a rate limit was in place to protect accounts. After working out the encryption, he bypassed the blocking by submitting the requests simultaneously. He also found that, if the requests do not all reach the server at the same time, the mechanism blacklists the IP address.

That said, in a real-world scenario an attacker would have to submit all possible security codes, about 11 million request attempts, simultaneously in order to change a Microsoft account password (including accounts with 2FA enabled). Such an attack would require significant computing resources and thousands of IP addresses.

Muthiyah reported the problem to Microsoft, which acknowledged and fixed it in November 2020.

“I received the bounty of USD 50,000 on Feb 9th, 2021 through HackerOne and got approval to publish this article on March 1st. I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue. I also like to thank Microsoft for the bounty,” concluded Muthiyah.

Hacker Spotlight: Interview with 'Cyberboy', Bug Bounty Hunter who Won $3000

A few days ago Indian bug bounty hunter Shashank, aka Cyberboy, came up with a creative hack that led him from multiple errors to a Django admin takeover. The bug was in a private target he had been hunting for a while. He passed all the subdomains to FFUF, a recent and fast open-source fuzzing tool written in Go that is used to brute force directories and files. You can read about the bug in detail in his blog post. I was impressed by the determination and creativity required to discover this exploit; being curious as I was, I decided to interview the innovative mind behind the process involved in discovering this hack, and I'm sharing his answers with you all!


1) Hello Shashank, can you briefly introduce yourself to EHackingNews readers? 

Hi, I am Shashank. I am a security analyst at HackerOne, team lead at Cobalt (part-time), and a bug bounty hunter. I started bug bounties when I was 15 years old. I still do it in my free time after my regular job and part-time jobs. This all started in 2012-2013 when I heard that companies like Facebook and google pay hackers for finding a valid security issue on their website. I have been rewarded/recognized by Facebook, google, apple, Microsoft, PayPal, and 100+ top companies for reporting a valid security issue. 
 
2) A few days back, I read your blog post on the Django admin takeover and I was impressed by your persistence despite the multiple errors you encountered. Can you please share how the final idea that led to the discovery of this exploit occurred to you?

Going back to my first bounty from Google: it took me four months to find my first bug back in 2013. And I concluded that I need persistence in this field.
 
The vulnerable endpoint where I found the bug had been in my suspicion notes for a week. After a week, when I managed to bypass the 500 error to access the endpoint, I started reviewing all API endpoints. Then I chained all the bugs to make the final exploit. I have tested countless APIs. With the experience of common patterns I see in all APIs, I was able to construct the right API call to execute the privilege escalation.
 
3) How did you discover hacking? Anything you can recall from your initial days as a bug bounty hunter? 

Yes, and I can never forget that incident because that changed my life forever. I studied at Sainik School. It was a boarding school. During my summer vacation, I was using Orkut, and I used to chat with one of my seniors. You know, way back then, social media was gaining popularity, and Orkut was a new thing. I used to chat with my senior every day after dinner. One day he was not online, and later, he informed me that his account was hacked. I was amazed at how this is even possible. So we together started digging and looking for clues about how it could have happened. After weeks of searching, we realized that his account was phished. 

After that, I wanted to learn it as well. Since I had zero programming experience, I had to spend months learning to phish. Later the next year, while I was in school, I read in the library that hackers hack websites as well. After class 10th, I dropped out of Sainik School to pursue my career in IT and went to Delhi for JEE preparations. There I had my own computer, so I taught myself web hacking. I heard about bug-bounty programs during those days, and after my first bounty, I never stopped. Even today, in my free time, I love to participate in bug bounty programs.
   
4) What was the most exciting bug you ever discovered? 

My most exciting bug was in blockchain.com. I have always been a crypto enthusiast. I believe that blockchain will be the next big thing. Blockchain.com is an online bitcoin wallet that I use. I found a bug that allowed me to steal anyone’s bitcoin wallet backup file. This could be exploited to steal money from the user’s account with a single click. 

Besides, I found a bug in Apple iOS in 2017, which allowed me to permanently crash an iOS user’s WhatsApp by sharing a contact. 
 
5) What motivates you to hunt exploits? 

Finding security issues in big and popular platforms is challenging and thrilling. It gives me immense happiness when I am able to chain all pieces of information and small bugs to make it a bigger exploit. Apart from that, we can get financial rewards, swags, and recognition for every valid submission, which adds motivation to do it again and again. 
  
6) How did you feel about the response from the affected organizations? 

Honestly, I stick with programs that appreciate hackers and are responsive, irrespective of how much they pay. If I notice a program is not very responsive, I tend to move to other targets.
 
7) How do you see the bug bounty space evolving over 5 years? 

Bug bounty has already boomed in 8 years. When I started, there were a few companies that had a bug-bounty program. Now it is almost countless. Millions have been paid out to hackers, and in the next five years, I am sure we will see more companies starting bug bounties. Even a government project like Aarogya Setu has started a bug-bounty program. We are going to see more in the coming future. More companies and better rewards.
  
8) What would you advise to the upcoming bounty hunters, any reading recommendations? 

I strongly believe in 2 things. One is reading, and the other is persistence. Even today, after eight years, I still read writeups of bugs published by other hackers on a daily basis. Software upgrades its security each day, and as hackers, we need to be ahead and more creative to remain in the game. In this field of ethical hacking and bug-bounty, the day you stop learning is the end of the career.

Apart from that, hacking requires patience and persistence. It is not easy to find a bug when so many people are looking into the same application. It's all about never giving up and keeping on looking for bugs until you find one. This has always worked for me.
  
9) What are your thoughts about E Hacking News? 

I know about E Hacking News from the time I got into security. It is one of the few blogs that started long back when ethical hacking and bug bounties were not very popular. I would like to thank the people behind every such blog who are trying to make this world understand that hacking is not a criminal activity. It is a profession now.

Thank you very much for your time, Cyberboy. Good luck hunting in the future!

Instagram account can be easily hacked, finds hacker

A professional hacker discovered what he considered a fairly simple way to seize control of any Instagram user's account. Fortunately for the site's 500 million active daily users, he told Instagram exactly how it could be done.

Laxman Muthiyah is a professional bounty hunter. Not the kind who tracks down bail jumpers, mind you. He uses his hacking skills to collect bug bounties, money companies pay to hackers who find and report vulnerabilities in their software.

Muthiyah found the account-breaking bug in the mobile version of Instagram's password reset system. When a user wants to reset his or her password, Instagram tries to validate their identity by sending a 6-digit code to a recovery phone number.

A six-digit code is child's play for a hacker with any amount of computing power at their disposal, which is why Instagram has a system in place that can detect brute-force attacks. Muthiyah found that out of 1,000 attempts around 75% were blocked.

By creating a race condition -- a situation that arises when a server processes many requests at the same time -- and making attempts from a huge number of IP addresses, Muthiyah was able to do an end run around Instagram's brute-force blocker.

He bombarded Instagram with 200,000 codes from 1,000 different IP addresses. That might sound like a Herculean task, but Muthiyah notes that it's actually quite simple using cloud-based tools.

In his estimation it would have cost about $150 to reset anyone's password.

Gaining control of an account with hundreds of thousands -- or even millions -- of followers is well worth the investment. It provides an opportunity to spam users with links to infected downloads or phishing pages from an account they are likely to trust.

There's no telling how many unsuspecting fans would've blindly clicked a malicious link posted from a celeb's verified IG account. It's quite possible that a major incident was avoided thanks to Muthiyah's hard work and Facebook's (which owns Instagram) rapid deployment of a fix.
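The weakness in both the Microsoft and the Instagram stories above is the same: a per-code attempt budget that simultaneous requests can race past. The Python below is an added example, not code from Microsoft, Instagram or the researcher: it enforces the guess budget per issued code (not per client IP) and checks and spends it inside one lock, so requests that arrive together are counted rather than slipping through. The account names and the 5-attempt budget are assumptions.

```python
import hmac
import secrets
import threading
import time
from collections import Counter
from dataclasses import dataclass

CODE_DIGITS = 7        # length of the reset code in the Microsoft case
MAX_ATTEMPTS = 5       # assumed guess budget per issued code
CODE_TTL_SECONDS = 600  # assumed code lifetime


@dataclass
class ResetCode:
    secret: str
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class ResetCodeStore:
    """Reset codes keyed by account. The budget belongs to the code, not to
    the client IP, and it is checked and spent under one lock, so requests
    that arrive at the same moment cannot all observe 'attempts < MAX'
    before any of them increments the counter."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS,
                 clock=time.monotonic):
        self._codes = {}
        self._lock = threading.Lock()
        self._max_attempts = max_attempts
        self._ttl = ttl
        self._clock = clock  # injectable for testing expiry

    def issue(self, account):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        with self._lock:
            self._codes[account] = ResetCode(code, self._clock() + self._ttl)
        return code

    def verify(self, account, candidate):
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        with self._lock:
            rc = self._codes.get(account)
            if rc is None or rc.consumed or self._clock() > rc.expires_at:
                return "expired"
            if rc.attempts >= self._max_attempts:
                return "locked"      # budget spent: even the right code is refused
            rc.attempts += 1         # spend the budget before comparing
            if hmac.compare_digest(rc.secret.encode(), str(candidate).encode()):
                rc.consumed = True   # single use
                return "ok"
            return "wrong"


def concurrent_guesses(store, account, guesses):
    """Fire all guesses from parallel threads and tally the outcomes."""
    results = []
    results_lock = threading.Lock()

    def worker(guess):
        outcome = store.verify(account, guess)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)


def wrong_variant(code):
    """A constructed guess that is guaranteed to differ from `code`."""
    return str((int(code[0]) + 1) % 10) + code[1:]


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice@example.test")  # constructed account
    print(concurrent_guesses(store, "alice@example.test", [wrong_variant(code)] * 40))
    print(store.verify("alice@example.test", code))  # 'locked': budget already spent
```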

Single RCE Vulnerability that affects Microsoft, Yahoo and Orange

Ebrahim Hegazy, a bug bounty hunter from Egypt, has identified a security vulnerability that allowed him to hack Microsoft, Yahoo and Orange.

While hunting for security bugs in Yahoo domains, he found a web page that allowed him to upload .aspx files and modify existing .aspx files.

A new file could be created simply by sending a POST request to the URL "http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx" with the following POST body: "FileName=New_File_Name.aspx&FileContent=File_Content_Here".

Ebrahim simply uploaded a file called 'zigoo.aspx' with 'zigoo' as its content. To find other Yahoo domains affected by the same vulnerability, the researcher did a Bing search.

The following domains were also affected by this bug: **.horoscopo.yahoo.net, astrocentro.latino.msn.com, horoscopo.es.msn.com, astrologia.latino.msn.com, horoscopos.prodigy.msn.com and astrocentro.mujer.orange.es.

An interesting fact about this vulnerability is that a page created on the Yahoo domain was also reflected on the other domains.

"It’s a CDN (Content Delivery Network) service for astrology that caches the same content to render it for the sub domains of the mentioned vulnerable domains, so all files on one domain will be shown on all other domains on the server," the researcher says.

After he reported it to Yahoo, Yahoo rewarded the researcher with a bounty. As usual, Microsoft didn't give the researcher any reward.

Earlier this year, Ebrahim discovered a critical remote PHP code injection vulnerability in one of the Yahoo domains.
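As a defender's counterpart to the GenerateFile.aspx endpoint described above, here is an added Python example (not Yahoo's code) of an upload handler that never trusts the client-supplied file name: it strips directory components, allowlists extensions so that .aspx and double extensions are refused, and stores the content under a server-chosen random name. The allowed extension set and the size limit are assumptions.

```python
import secrets
import tempfile
from pathlib import Path, PurePosixPath

# Allowlist of what this endpoint is meant to accept. Server-executable
# types (.aspx, .php, .jsp, ...) are simply never on it.  (assumed policy)
ALLOWED_EXTENSIONS = frozenset({".txt", ".png", ".jpg"})
MAX_CONTENT_BYTES = 1_000_000  # assumed size limit


class UploadRejected(ValueError):
    pass


def validate_upload(file_name, content):
    """Return the lower-cased extension the file will be stored under,
    or raise UploadRejected. The client's name is used only for this check."""
    if len(content) > MAX_CONTENT_BYTES:
        raise UploadRejected("content too large")
    if "\x00" in file_name:
        raise UploadRejected("null byte in file name")
    # Drop any directory part: '../../web/x.png' and '..\\x.png' become 'x.png'.
    base = PurePosixPath(file_name.replace("\\", "/")).name
    if base in ("", ".", ".."):
        raise UploadRejected("empty file name")
    suffixes = PurePosixPath(base).suffixes
    if not suffixes:
        raise UploadRejected("no extension")
    # Every suffix must be allowed, so 'shell.png.aspx' and 'shell.aspx.png' both fail.
    for suffix in suffixes:
        if suffix.lower() not in ALLOWED_EXTENSIONS:
            raise UploadRejected("extension not allowed: " + suffix)
    return suffixes[-1].lower()


def is_accepted(file_name, content):
    """Boolean form of validate_upload for callers that only need a verdict."""
    try:
        validate_upload(file_name, content)
        return True
    except UploadRejected:
        return False


def store_upload(upload_dir, file_name, content):
    """Write the upload under a server-chosen random name and return its path."""
    ext = validate_upload(file_name, content)
    target = Path(upload_dir) / (secrets.token_hex(16) + ext)
    with open(target, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(content)
    return target


def store_to_temp_dir(file_name, content):
    """Stand-alone helper: store into a fresh temporary directory."""
    return store_upload(tempfile.mkdtemp(), file_name, content)


if __name__ == "__main__":
    print(is_accepted("zigoo.aspx", b"zigoo"))          # False: the article's upload
    print(store_to_temp_dir("zigoo.png", b"zigoo"))     # random name, .png suffix
```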

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo


Web application penetration tester Ebrahim Hegazy has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could have allowed hackers to inject and execute arbitrary PHP code on the Yahoo server.

The vulnerability exists in the Taiwan sub-domain of Yahoo, "http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]". The 'sid' parameter allows PHP code to be injected.

According to his blog post, the sid parameter might have been passed directly to an eval() function, which results in the code injection.

In his demo, Ebrahim showed how to get the directory listing and the process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ps"))}

He also found that the Yahoo server was running an outdated kernel vulnerable to local privilege escalation.

Yahoo fixed the issue immediately after being notified by the researcher. However, he is still waiting for the bug bounty reward. Google pays $20,000 for this kind of vulnerability; Yahoo sets its maximum bounty at "$15,000". Let us see how much Yahoo offers for this vulnerability.

Last month, German security researcher David Vieira-Kurz discovered a similar remote code execution vulnerability in the eBay website.

Researcher gets $33,500 for Remote Code Execution Vulnerability in Facebook


Here is a critical bug discovered in Facebook, and the biggest bounty Facebook has ever paid for a vulnerability reported in its website.

Reginaldo Silva, a Brazilian hacker, has discovered a highly critical Remote Code Execution (RCE) vulnerability in Facebook that could have allowed attackers to read any file from the server. It could also have allowed attackers to run malicious code on the server.

In September 2012, he first discovered an XML External Entity Expansion bug in Drupal's OpenID handling. OpenID is an open technology that allows users to authenticate to websites without having to create a new password.

He found a similar bug affecting Google's App Engine and Blogger. However, it was not critical, as he wasn't able to access arbitrary files or open network connections, so he received a $500 reward from Google.

He found that plenty of other websites implementing OpenID were vulnerable to RCE.

Recently, Silva learned that the Facebook "forgot password" page also uses an OpenID provider to verify the user's identity. He managed to discover an XXE bug in Facebook that allowed him to read the "/etc/passwd" file from the server.

"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed." Silva wrote in his blog.

He thought it would take time to fix the bug. However, the Facebook security team responded quickly and fixed the issue within 3.5 hours.

"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers," Silva said.

He has been rewarded with a bounty of $33,500.

Remote Code Execution vulnerability in Ebay website

David Vieira-Kurz, a Security researcher from Germany, has discovered an interesting Remote Code execution vulnerability in the eBay website.

The 'q' parameter of the 'search' page on the South Asian eBay domain (sea.ebay.com/search/?q=david&catidd=1) was found to be vulnerable to remote code execution.

The researcher cleverly managed to pass the 'q' parameter as an array containing a command, which was successfully executed.

The proof of concept provided by the researcher prints information about the PHP installation running on the server:
  sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1

An attacker could have exploited this vulnerability to run OS commands and compromise the entire server. However, David reported the vulnerability to the eBay security team, and it has now been fixed.

He also discovered a SQL Injection vulnerability in the same domain last year.

The full technical details are available here.

Arul Kumar discovered Open URL Redirection Bugs in facebook worth $1500

Arul Kumar, a bug hunter from Tamil Nadu, India, who recently received $12,500 as a bounty from Facebook, has today shared how he managed to identify multiple open URL redirection vulnerabilities in Facebook.

He identified three open URL redirection vulnerabilities in Facebook's dialogs, which could be exploited against any user signed in to Facebook.

At first, the Facebook team rejected his finding because it required user interaction: users had to click the OK button in order to be redirected to the target website.


However, Arul managed to bypass this and redirect to the target website without user interaction. The Facebook team then accepted the vulnerability and awarded a $1500 bounty.

The list of vulnerable URLs:
  • https://m.facebook.com/dialog/send?next=htp://google.com&error_ok=arul
  • https://m.facebook.com/dialog/pagetab?next=htp://google.com&error_ok=arul
  • https://m.facebook.com/dialog/apprequests?next=htp://google.com&error_ok=arul

Another OAuth Vulnerability allowed to hack facebook accounts

Just a few weeks ago Nir Goldshlager disclosed an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has now found a similar vulnerability in Facebook that allowed hackers to obtain the access_token and full permissions of any Facebook account.

"As you may know, last month Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' values that have '#' or '#!'," the researcher wrote in his blog.

"While I was looking in the Facebook JavaScript SDK I found something strange: I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c& as a redirect_uri and it’s not rejected… So I said let’s use it too!!!"

Amine successfully generated a PoC that redirects to another Facebook page with the access token. But he faced a problem when redirecting to an external website.

Nir Goldshlager helped Amine by suggesting that he redirect to an application on Facebook, which then redirects to an external website, instead of redirecting directly to the external site. Following Nir Goldshlager's instructions, he successfully managed to generate a final redirect_uri.

Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them; this vulnerability has already been fixed.
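Both Facebook bugs above come down to how a redirect target is validated: the `next` parameter of the dialog URLs and the OAuth `redirect_uri`. The Python below is an added example, not Facebook's code, that validates a `next`-style parameter against the site's own host (rejecting `htp://google.com`, protocol-relative and backslash forms) and checks an OAuth `redirect_uri` by exact match against registered URIs, with fragments refused. The host `m.facebook.com` is taken from the article; the registered URI `https://app.example/oauth/callback` is a constructed placeholder.

```python
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "m.facebook.com"  # the only host a 'next' value may point at
REGISTERED_REDIRECT_URIS = frozenset({  # assumed per-client registration
    "https://app.example/oauth/callback",
})


class UnsafeRedirect(ValueError):
    pass


def safe_next_target(next_value, site_host=SITE_HOST):
    """Validate a 'next'-style parameter and return an absolute same-site URL."""
    if not next_value or any(c in next_value for c in "\r\n\x00"):
        raise UnsafeRedirect("empty target or control characters")
    candidate = next_value.replace("\\", "/")  # browsers treat '\' like '/'
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only http(s) on our own host.
        # 'htp://google.com' fails here (unknown scheme, foreign host), and so
        # does '//google.com' (no scheme) or 'https://m.facebook.com@google.com'.
        if parts.scheme.lower() not in ("http", "https"):
            raise UnsafeRedirect("scheme not allowed: " + repr(parts.scheme))
        if parts.netloc.lower() != site_host:
            raise UnsafeRedirect("host not allowed: " + parts.netloc)
        return urlunsplit((parts.scheme.lower(), site_host, parts.path or "/",
                           parts.query, parts.fragment))
    # Relative target: a single leading slash, never '//' or '///'.
    if not candidate.startswith("/") or candidate.startswith("//"):
        raise UnsafeRedirect("relative target must be a site-local path")
    return "https://" + site_host + candidate


def is_safe_next(next_value, site_host=SITE_HOST):
    try:
        safe_next_target(next_value, site_host)
        return True
    except UnsafeRedirect:
        return False


def validate_redirect_uri(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact-match check of an OAuth redirect_uri against registered values.
    No prefix matching, no path normalisation, no fragment, no query."""
    if "#" in redirect_uri:
        raise UnsafeRedirect("fragment not allowed in redirect_uri")
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https":
        raise UnsafeRedirect("redirect_uri must use https")  # assumed policy
    if parts.query:
        raise UnsafeRedirect("query string not allowed in redirect_uri")  # assumed policy
    normalized = urlunsplit(("https", parts.netloc.lower(), parts.path, "", ""))
    if normalized not in registered:
        raise UnsafeRedirect("redirect_uri is not registered for this client")
    return normalized


def is_registered_redirect(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    try:
        validate_redirect_uri(redirect_uri, registered)
        return True
    except UnsafeRedirect:
        return False


if __name__ == "__main__":
    print(is_safe_next("htp://google.com"))          # False: the article's payload
    print(safe_next_target("/account/settings"))    # https://m.facebook.com/account/settings
    print(is_registered_redirect("https://app.example/oauth/callback?x=1"))  # False
```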

An Interview with Bug Bounty Hunter M.R. Vignesh Kumar, from Tamil Nadu


Hello E Hackers, today E Hacking News interviewed one of the best bug bounty hunters, Vignesh Kumar, who is listed on Hall of Fame pages including those of Google and Twitter and has been rewarded by many companies for his findings.

1. Introduce yourself
Hi, I am Vignesh Kumar from Tamil Nadu, India. I hold a Bachelor of Engineering in Electrical Engineering and am also an information security enthusiast and budding bug bounty hunter.

2. You are an Electrical Engineer, How did you get interest in Information security field?
Yes, I am. But I am more obsessed with electronics and networking. I also have a huge passion for information security. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

3. When did you start Bug hunting?
Around 5 months ago. But started in full swing from the last 3 months.

4. I have seen your name in lots of Halls of Fame; I am really proud to have you as my friend. How did your parents/friends react when you got rewards?
Thank you so much for your compliments. At the outset, I would like to thank my family and all my friends for all their support and encouragement. Well, when I received my first bug bounty (cash reward), I told my friends about it and they looked at me like I was a cyber criminal. After I explained the “Bug Bounty Program” to them with a “Proof of Concept”, I could see smiley faces. No wonder! Even many IT geeks aren’t aware of the term “Bug Bounty”. Awareness is necessary.

5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
The vulnerabilities categorized by The OWASP Foundation.

6. What is your first finding, how did you feel at that time?
I can barely remember the exact first one. But whatever it was, it really had driven me to dig more deeply into it.

7. What is the favorite vulnerability found by you?
Each and every one of the vulnerabilities I found in Top Ranked Sites which includes Facebook, Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook, Twitter would be really hard in upcoming days since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers. “Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs”. Well said.

8. You're hunting bugs for fun, for profit?
Actually, a bit of both. Beyond those, you gain more knowledge from those around you and develop your own skill set, which is primary. Also, I am glad that I have earned good friends around the world from this bug bounty program.

9. What are your future plans? Electrical Engineer or Information Security Researcher?
Obviously, Electrical/Network Engineer it is. And I believe I have the potential to handle multitasks. So I would continue my InfoSec Research too, either as an Independent or as a Team.

10. What is your advice for new bug hunters?
Well, that question is for experts, which I am not. I am a beginner too. But from my experience, I may have a few things. “Bug Bounty Hunting” is totally competitive. You shouldn’t jump into this just by aiming at money. Have a thirst for gaining knowledge, which will fetch you HOFs, money and all. Don’t feel depressed when you fail the first few times. Learn to the core and keep hunting, which will definitely fetch you the rewards. Follow the InfoSec experts on Twitter/Facebook and try learning new hunting methodologies from their personal blogs. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

11. What do you think about E Hacking News?
E Hacking News (EHN) is doing a great job and it is one of the best IT security/hacking news portals I have ever come across. I must appreciate your efforts in bringing the real news on IT security from around the world to all the readers. I must also mention BreakTheSecurity.com, which has a handful of tutorials on penetration testing and ethical hacking for beginners. Kudos to your efforts!! I would suggest continuing the publication of the monthly security magazine from EHackerNews.

12. Is there anything else you want to add?
I have nothing else to add. I wish all bug hunters very good luck in their hunting and a bright future. Thank you, Mr. Sabari Selvan, for this opportunity to share my experience with all. Thanks everyone!!

An Interview with Rafay Baloch - Security Researcher and Famous Bug Hunter

Today, E Hacking News interviewed a Security Researcher and Famous Bug Hunter Rafay Baloch who got listed on a number of Hall of fame and received rewards from Google, PayPal, Nokia and more companies which conduct Bug Bounty programs.

1. Introduce yourself

Well, my name is "Rafay Baloch". I am the admin of http://rafayhackingarticles.net; my primary interests include security research, penetration testing and blogging. Right now I am doing my bachelor's in computer science at Bahria University, Karachi.

2. How did you get into Information security field?

Well, from my childhood days I was interested in information security; however, if you are asking about the serious part, it has been around 3 years since I started researching in this field.

3. When did you start Bug hunting?

I started bug hunting at the end of July 2012, when I saw Microsoft's responsible disclosure page; that's where I started hunting bugs.

4. What vulnerabilities have you discovered so far in your career as a Bug Hunter?

There are so many I cannot remember, as I hunt for them every day. Almost all vulnerability types related to web application security, i.e. RCE, LCE, RFI, LFI, arbitrary file upload, SQL injection, XSS etc.

Usually, I find zero days and keep them private for testing purposes; however, I do release some of them periodically. You can check out my Packet Storm profile.

5. What is your first finding , how did you feel at that time?

I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported an HTTP parameter pollution vulnerability along with it.

6.What is the favorite vulnerability found by you?

My favorite vulnerability was the remote code execution vulnerability I found last year inside PayPal. I had access to very sensitive stuff; the PayPal subdomain was behind a JBoss server, and I was able to bypass the authentication and upload my backdoor to execute commands. PayPal paid me $10,000 for it, though if I had found it inside Google they would have paid me $20,000.

Along with it, they offered me a job as a senior security pentester. I was not able to go there due to my studies, as I mentioned before that I am still doing my bachelor's.

7. How much have you earned so far from Bug hunting?

I would prefer to keep it confidential. But it's somewhere in the 5 digits.

8. You're hunting bugs for fun, for profit, or to make the world a safer place?

Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites having bug bounty programs; I also report to websites that do not have them. Some to get listed in responsible disclosures, and of course to make the world a better place.

9.What is your future plans?

I am currently working on http://services.rafayhackingarticles.net, where I will be launching my own penetration testing company. Along with it, I will soon be conducting some workshops related to ethical hacking and penetration testing. From an educational perspective, I am planning to take my CCNP Switch paper this month.

10. What is your advice for new bug hunters?

For new bug hunters, I would say that the competition now is very high; almost every site having a bug bounty program has been researched by lots of researchers, so you won't be lucky with automated tools like Acunetix or Netsparker. Therefore, try to look for acquisitions and subdomains, go into places where no one has probably been before, and try to do some unexpected things. You would have much, much more chances of

11. What do you think about E Hacking News?

E Hacking News brings up good content; however, what I would suggest is to be more frequent with the website. It seems that you are doing the work alone. Any successful news website would have tons of authors to write the content; in this way, more people would subscribe to you.

12. Thanks for the advice , Is there anything else you want to add?

Just one thing: lots of companies have come up with responsible disclosures and halls of fame, attracting security researchers to look at their websites for free. However, this would be decreasing the scope of paid penetration tests, hence it would devalue them. Hence, I think we should all come up with a thing called "No FREE BUGS".