Showing posts with label Bug Bounty Programs.

Here's How BlackMatter Ransomware is Linked With LockBit 3.0

 

Cybersecurity researchers have found similarities between LockBit 3.0, the most recent version of the LockBit ransomware, and the BlackMatter ransomware.

LockBit 3.0 was released in June 2022 and introduced a brand-new leak site, the first bug bounty program run by a ransomware operation, and Zcash as an additional cryptocurrency payment method.

"The encrypted filenames are appended with the extensions 'HLJkNskOq' or '19MqZqZ0s' by the ransomware, and its icon is replaced with a .ico file icon. The ransom note then appears, referencing 'Ilon Musk' and the General Data Protection Regulation of the European Union (GDPR)," researchers from Trend Micro stated.

When the infection process is finished, the ransomware changes the machine's wallpaper to alert the user of the attack. While debugging a LockBit 3.0 sample, Trend Micro researchers found that several of its code snippets were lifted from the BlackMatter ransomware.

Identical ransomware threats

The researchers draw attention to the similarities with BlackMatter's privilege escalation and API harvesting techniques. LockBit 3.0 performs API harvesting by hashing the names of a DLL's exported APIs and comparing the hashes against a list of the APIs the ransomware requires. The procedure is the same as BlackMatter's: the publicly available script for renaming BlackMatter's APIs also works on LockBit 3.0.

The latest version of LockBit also checks the UI language of the victim machine and avoids infecting machines set to the languages of Commonwealth of Independent States (CIS) member states.

LockBit 3.0 and BlackMatter both delete shadow copies through Windows Management Instrumentation (WMI) invoked via COM objects, whereas LockBit 2.0, the experts point out, deletes them using vssadmin.exe.
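The two deletion paths above look different in telemetry: the vssadmin.exe route leaves a process-creation event with a tell-tale command line, while the WMI-via-COM route runs in-process and is only visible in WMI activity records. The following detector is an added example, not code from the article or from Trend Micro; it runs over constructed Sysmon-style and WMI-Activity-style events (field names and record format are assumptions) and also covers wmic.exe and PowerShell invocations of the same WMI class, which the article does not mention.

```python
import ntpath
import re

# Constructed sample telemetry for this example (not from the article):
# Sysmon-style process creation events plus WMI-Activity-style operation
# records. Field names and the WMI record format are assumptions.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "actor": r"C:\Users\bob\Downloads\invoice.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "actor": r"C:\Windows\System32\cmd.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "actor": r"C:\Users\bob\Downloads\invoice.exe"},
    {"kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
     "actor": r"C:\Users\bob\Downloads\invoice.exe"},
    {"kind": "wmi", "operation": "IWbemServices::DeleteInstance",
     "object_path": 'Win32_ShadowCopy.ID="{CONSTRUCTED-GUID}"',
     "actor": r"C:\Users\bob\Downloads\invoice.exe"},
    {"kind": "wmi", "operation": "IWbemServices::ExecQuery",
     "object_path": "SELECT * FROM Win32_Process",
     "actor": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

_DELETE = re.compile(r"\b(delete|remove)\b", re.IGNORECASE)
_SHADOW = re.compile(r"shadow", re.IGNORECASE)


def classify(event):
    """Return (rule, technique) if the event looks like shadow copy deletion,
    otherwise None. Matching on the image name as well as the command line
    keeps the process rules tight; the WMI rule covers the in-process COM
    path, which has no command line at all."""
    if event["kind"] == "process":
        image = ntpath.basename(event["image"]).lower()
        cmd = event["cmdline"]
        deletes_shadows = bool(_DELETE.search(cmd) and _SHADOW.search(cmd))
        if image == "vssadmin.exe" and deletes_shadows:
            return ("vssadmin_delete_shadows", "vssadmin.exe (LockBit 2.0 style)")
        if image == "wmic.exe" and deletes_shadows:
            return ("wmic_shadowcopy_delete", "WMI via wmic.exe")
        if image in ("powershell.exe", "pwsh.exe") and deletes_shadows \
                and "win32_shadowcopy" in cmd.lower():
            return ("powershell_win32_shadowcopy", "WMI via PowerShell")
        return None
    if event["kind"] == "wmi":
        # IWbemServices::DeleteInstance on a Win32_ShadowCopy instance is the
        # COM call behind the LockBit 3.0 / BlackMatter behaviour; it spawns
        # no child process, so only WMI telemetry can see it.
        if event["operation"].endswith("DeleteInstance") \
                and event["object_path"].lower().startswith("win32_shadowcopy"):
            return ("wmi_deleteinstance_shadowcopy",
                    "WMI via COM (LockBit 3.0 / BlackMatter style)")
    return None


def detect(events):
    """Run classify() over a batch and return one finding per hit,
    keeping the process (or WMI client) that performed the deletion."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit:
            findings.append({"rule": hit[0], "technique": hit[1],
                             "actor": event["actor"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['technique']:46} actor={f['actor']}")
```

The benign `vssadmin.exe list shadows` and the `ExecQuery` record produce no finding; the four deletion events each hit a different rule, and the actor field is what an analyst would pivot on next.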

The findings coincide with LockBit becoming the most active ransomware-as-a-service (RaaS) gang of 2022, with the Italian Internal Revenue Service (L'Agenzia delle Entrate) being its most recent target.

According to Palo Alto Networks' 2022 Unit 42 Incident Response Report, which is based on 600 cases handled between May 2021 and April 2022, the ransomware family accounted for 14% of intrusions, second only to Conti at 22%.


Apple Awards Bounty of $100,500 for Finding Flaws in MacBook

In 2021, Apple patched a set of macOS vulnerabilities that exposed the Safari browser to attack and let threat actors hijack users' online accounts, cameras, and microphones. Security researcher Ryan Pickren, who found the vulnerabilities and reported them to Apple, was awarded a $100,500 bug bounty, reflecting their critical severity. The bugs chain together a set of security issues in iCloud sharing and Safari 15.

The chain lets an attacker control multimedia permissions and gain full access to every site the user has open in Safari, including Gmail, iCloud, PayPal, and Facebook accounts. The root of the problem is ShareBear, the iCloud file-sharing component that prompts users before opening a shared document. Pickren noticed that once a user has opened a shared file, the prompt is never shown again for that file.

Pickren concluded that an attacker who still has access to the shared file can therefore change its contents at will. "ShareBear will then download and update the file on the victim's machine without any user interaction or notification. In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment," explains Pickren in his write-up.

In simpler terms, once the user has opened what looked like a .PNG image file, its content and extension can be swapped for an executable binary ("evil.dmg").

Launching that binary triggers an exploit chain that leverages additional Safari bugs to take control of the system's microphone and camera and steal local files stored on the device. This is not the first time Pickren has disclosed bugs in iOS and macOS that let a threat actor gain access to a system and execute commands on it.

Unauthorized access is gained when the victim opens a particular file type. He says: "this project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous."

Hacker Spotlight: Interview with 'Cyberboy', Bug Bounty Hunter who Won $3000

A few days ago Indian bug bounty hunter Shashank, aka Cyberboy, came up with a creative hack that took him from a series of server errors to a Django admin takeover. The bug was in a private target he had been hunting for a while: he passed all of its subdomains to FFUF, the newest and fastest open-source fuzzing tool, written in Go, which is used to brute-force directories and files. You can read about the bug in detail in his blog post. I was impressed by the determination and creativity required to discover this exploit, and, curious as I am, I decided to interview the innovative mind behind the process and share his answers with you all!


1) Hello Shashank, can you briefly introduce yourself to EHackingNews readers? 

Hi, I am Shashank. I am a security analyst at HackerOne, a team lead at Cobalt (part-time), and a bug bounty hunter. I started bug bounties when I was 15 years old. I still do it in my free time after my regular job and part-time jobs. This all started in 2012-2013 when I heard that companies like Facebook and Google pay hackers for finding a valid security issue on their website. I have been rewarded/recognized by Facebook, Google, Apple, Microsoft, PayPal, and 100+ top companies for reporting a valid security issue.
 
2) A few days back, I read your blog post on the Django admin takeover and I was impressed by your persistence despite the multiple errors you encountered. Can you please share how the final idea that led to the discovery of this exploit occurred to you?

Going back to my first bounty from Google: it took me four months to find my first bug back in 2013, and I concluded that I need persistence in this field.
 
The vulnerable endpoint where I found the bug had been in my suspicion notes for a week. After a week, when I managed to bypass the 500 error to access the endpoint, I started reviewing all API endpoints. Then I chained all the bugs to make the final exploit. I have tested countless APIs. With the experience of common patterns I see in all APIs, I was able to construct the right API call to execute the privilege escalation.
 
3) How did you discover hacking? Anything you can recall from your initial days as a bug bounty hunter? 

Yes, and I can never forget that incident because that changed my life forever. I studied at Sainik School. It was a boarding school. During my summer vacation, I was using Orkut, and I used to chat with one of my seniors. You know, way back then, social media was gaining popularity, and Orkut was a new thing. I used to chat with my senior every day after dinner. One day he was not online, and later, he informed me that his account was hacked. I was amazed at how this is even possible. So we together started digging and looking for clues about how it could have happened. After weeks of searching, we realized that his account was phished. 

After that, I wanted to learn it as well. Since I had zero programming experience, I had to spend months learning to phish. The next year, while I was in school, I read in the library that hackers hack websites as well. After class 10th, I dropped out of Sainik School to pursue my career in IT and went to Delhi for JEE preparations. There I had my own computer, so I taught myself web hacking. I heard about bug bounty programs during those days, and after my first bounty, I never stopped. Even today, in my free time, I love to participate in bug bounty programs.
   
4) What was the most exciting bug you ever discovered? 

My most exciting bug was in blockchain.com. I have always been a crypto enthusiast. I believe that blockchain will be the next big thing. Blockchain.com is an online bitcoin wallet that I use. I found a bug that allowed me to steal anyone’s bitcoin wallet backup file. This could be exploited to steal money from the user’s account with a single click. 

Besides, I found a bug in Apple iOS in 2017, which allowed me to permanently crash an iOS user’s WhatsApp by sharing a contact. 
 
5) What motivates you to hunt exploits? 

Finding security issues in big and popular platforms is challenging and thrilling. It gives me immense happiness when I am able to chain all pieces of information and small bugs to make it a bigger exploit. Apart from that, we can get financial rewards, swags, and recognition for every valid submission, which adds motivation to do it again and again. 
  
6) How did you feel about the response from the affected organizations? 

Honestly, I stick with programs that appreciate hackers and are responsive, irrespective of how much they pay. If I notice a program is not very responsive, I tend to move to other targets.
 
7) How do you see the bug bounty space evolving over 5 years? 

Bug bounty has already boomed in 8 years. When I started, there were a few companies that had a bug bounty program. Now it is almost countless. Millions have been paid out to hackers, and in the next five years, I am sure we will see more companies starting bug bounties. Even a government project like Aarogya Setu has started a bug bounty program. We are going to see more in the coming future: more companies and better rewards.
  
8) What would you advise to the upcoming bounty hunters, any reading recommendations? 

I strongly believe in 2 things. One is reading, and the other is persistence. Even today, after eight years, I still read writeups of bugs published by other hackers on a daily basis. Software upgrades its security each day, and as hackers, we need to be ahead and more creative to remain in the game. In this field of ethical hacking and bug bounty, the day you stop learning is the end of the career.

Apart from that, hacking requires patience and persistence. It is not easy to find a bug when so many people are looking into the same application. It's all about never giving up and keeping on looking for bugs until you find one. This has always worked for me.
  
9) What are your thoughts about E Hacking News? 

I have known about E Hacking News since the time I got into security. It is one of the few blogs that started long back when ethical hacking and bug bounties were not very popular. I would like to thank the people behind every such blog who are trying to make this world understand that hacking is not a criminal activity. It is a profession now.

Thank you very much for your time, Cyberboy. Good luck hunting in the future!

Indian Security Researcher Finds Starbucks API Key Exposed on GitHub



Developers at Starbucks left an API (Application Programming Interface) key exposed in public, with no password protection, which could have given hackers access to internal systems and let them manipulate the list of authorized users. The vulnerability could have been exploited in several ways, allowing attackers to execute commands on systems, add or remove listed users, and take over the AWS account.

The key was discovered by Vinoth Kumar, an Indian security researcher, who found it in a public GitHub repository and responsibly reported it to Starbucks on 17th October via the HackerOne vulnerability coordination and bug bounty platform. The HackerOne report states: "Vinoth Kumar discovered a publicly available Github repository containing a Starbucks JumpCloud API Key which provided access to internal system information."

"While going through Github search I discovered a public repository which contains JumpCloud API Key of Starbucks," the researcher himself said.

The key would have allowed an attacker to access Starbucks' JumpCloud API, hence the severity of the flaw was rated critical. Colorado-based JumpCloud is an Active Directory management platform that offers a directory-as-a-service (DaaS) solution customers use to authorize, authenticate and manage users, devices, and applications. Other services it provides include web app single sign-on (SSO) and a Lightweight Directory Access Protocol (LDAP) service.

Starbucks acted on the issue very early on; Kumar followed up on October 21 and reported that the repository had been taken down and the API key revoked. Once the company had examined and approved Kumar's proof of concept for the flaw, he was rewarded with a bounty of US$4,000 for responsibly disclosing the vulnerability.

Commenting on the matter, Starbucks said: "Thank you for your patience! We have determined that this report demonstrates significant information disclosure and is therefore eligible for a bounty.

"At this time, we are satisfied with the remediation of the issue and are ready to move to closure. Thank you again for the report! We hope to see more submissions from you in the future."

Huawei to Reward Hackers for Discovering Any ‘Secret Backdoors’ In Its Smartphone Technology


Hoping to outdo Google, Huawei announced in a "bug bounty launch" that it will reward hackers for demonstrating a "critical" weakness in one of its Android devices.

Huawei revealed the program at a private event for a few of the world's top Android hackers in Munich, Germany, a week ago, and even gave an example of what would win the top prize: gaining remote access to the device without the target 'having to click anything'.

A high-severity hack would be one in which the hacker takes control of a phone while having direct access to it.

The company is said to be following Apple's lead in keeping the bug bounty invite-only. As revealed on Twitter by Forbes 30 Under 30 alum Maria Markstedter, one of the invited guests, the researchers who were welcomed would also be given tokens to invite other altruistic hackers.

The bug bounty was first reported by TechCrunch recently, but no details on payments or logistics had been disclosed.

Huawei additionally announced that for a "high"-severity issue, hackers can earn up to $110,000 (€100,000), while Google, by comparison, offers up to $200,000 and $100,000 for demonstrations of comparable attacks on its Pixel phones.

While bug bounties are common among major smartphone makers, it is chiefly Apple and Google who are behind two of the best-known programs.

One significant suspected reason for Huawei doing this is that the program could provide solid evidence that it is not concealing any 'secret backdoors' in its most popular phones that the Chinese government could use.

Interview with BugsBounty.com founder Himanshu Sharma

We had a chance to interview Himanshu Sharma, founder of BugsBounty.com, who has found security bugs in top organizations including Google, Facebook and Apple.

How did you get interested in the field of information security?
When I was in school, I had an interest in computers. Physics and mathematics went over my head - computers were the only thing I could understand. Since then I started playing around with computers, breaking them, fixing them. One day my blog got hacked. I did not get angry at the hacker. Instead, I was very fascinated and curious about how he did it. After that incident, I started to do research in this field and now here I am.

Can you tell us about your company?
BugsBounty.com basically provides crowd-sourced security solutions to corporate organizations. We host public and private programs, but not all companies, especially in India, are ready to allow external people to do testing. They believe it is risky. So in such cases, we can offer what we call "crowd simulation", which is unlike anything any other company is doing.

Crowd simulation - we have an internal team of top hackers whom we have chosen from the crowd; we call them "crowd hackers", and they simulate the crowd. So, for example, if we have a crowd of about 10,000 people, we will choose the top 20 who are performing well. Currently, we have about 30 chosen hackers. "Crowd Simulation" is one of the things that gives us an advantage over other companies, as it gives clients the power of the crowd yet the trust of an internal team.

We have raised about 5 million from Lloyds Ventures.

Is this company unique to India ?
Yes. It was very difficult and risky to open a company like this; it wasn't easy to take this risk. In our company, confidence is the most important thing. We trust each other and we know everything about every single person in the team who is working for us in a private group.

I might add that we need to accept the fact that crowd security is the best form of security one can get. Even the Pentagon has accepted it already. It's time for you now.

How did you come up with the idea?
One day I realized that I needed to show Indian companies that security is a very important thing, and so we suggested using crowd security in place of, or concurrently with, a typical VAPT company! I believe 1000 brains in the crowd are better than 10 in your office.

What do you think about the bug bounty market in India?
Actually, people are now more open to it. We have worked with over 80 clients in the past year, and a lot of them are from India - so it's a pretty big market.

Do you think Indian corporates have enough security?
Indian corporates do have quite some security in place. However, to ensure a better state of security, the power of the crowd has to be utilized. "The security of your website is as good as the best hacker that has tested you."


Zerodium offers $1 million for iOS 9 jailbreak


There comes a time when companies offer money to hackers who can provide a way of infecting individuals' iPhones and iPads.

Zerodium, a company that acquires exploits, has announced it will pay $1 million USD to anyone who can provide a good enough iOS 9 jailbreak.

The company launched "The Million Dollar iOS 9 Bug Bounty" program which aimed to buy an "exclusive, browser-based, and untethered jailbreak" for Apple's latest mobile operating system.

The company explained the reason behind the program in a blog post: "Apple iOS, like all operating systems, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play."

According to the post, the Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by ZERODIUM to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks.

“ZERODIUM will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to ZERODIUM an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices,” the company added.

The company has set out rules that a hacker needs to follow: the jailbreak must be reliable, silent, and must not require any action by the user other than visiting a web page or reading a text/MMS message. It must also work on a wide range of Apple hardware, including the iPhone 6S and 6S Plus. The pair of phones doesn't go on sale until September 25, while the bounty program expires on October 31, giving people a little over a month to get their potential exploits working on the new phones.

“Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits. All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak,” the post added.

Flaw in Sync photos feature on Facebook mobile app


A hacker has found a new flaw in Facebook that allows any malicious application to view your synced mobile photos.

The Sync Photos feature allows users to sync their mobile photos with their Facebook account; the photos remain private until you publish them. By default, however, the feature is turned on in many mobile phones.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API, which handles these synced photos, is vulnerable.

The Facebook app retrieves the synced photos by making an HTTP GET request to a specific URL with a top-level access token, and a malicious app could do the same and read all your private photos in seconds.

Laxman Muthiyah reported this flaw to the Facebook Security Team, who pushed a fix in less than 30 minutes and rewarded him $10,000 USD as part of their bug bounty program.

Single RCE Vulnerability that affects Microsoft, Yahoo and Orange

Ebrahim Hegazy, a Bug Bounty Hunter from Egypt, has identified a security vulnerability that allowed him to hack Microsoft, Yahoo and Orange.

While hunting for security bugs in Yahoo domains, he found a web page that allowed him to upload .aspx files and modify existing .aspx files.

A new file could be created simply by sending a POST request to the URL "http://mx.horoscopo.yahoo.net/ymx/editor/inc/GenerateFile.aspx" with the following POST body: "FileName=New_File_Name.aspx&FileContent=File_Content_Here".

Ebrahim simply uploaded a file called 'zigoo.aspx' with 'zigoo' as its content. To find other Yahoo domains affected by the same vulnerability, the researcher did a Bing search.

The following domains were also affected by this bug: **.horoscopo.yahoo.net, astrocentro.latino.msn.com, horoscopo.es.msn.com, astrologia.latino.msn.com, horoscopos.prodigy.msn.com and astrocentro.mujer.orange.es.

An interesting fact about this vulnerability is that a page created on the Yahoo domain was also reflected on the other domains.

"It's a CDN (Content Delivery Network) service for astrology that caches the same content to render it for the sub domains of those mentioned vulnerable domains, so all files on one domain will be shown on all other domains on the server," the researcher says.
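The root cause described above is a file-creation endpoint that takes both the file name and the contents from the client and writes them under the served directory, so the client picks the extension (.aspx) and with it server-side execution. The following is an added example, not the Yahoo code or the researcher's: it models that handler in Python rather than ASP.NET, using a throwaway directory tree (assumed layout: `wwwroot/` is served and executes .aspx, `uploads/` is not served), and places a hardened version beside it.

```python
import os
import secrets
import tempfile

# Extensions the hardened handler will store. Server-executable types
# (.aspx, .php, ...) are simply absent from the allowlist.
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg", ".pdf"}


def make_sandbox():
    """Create a throwaway directory tree standing in for the web server
    (assumed layout): <root>/wwwroot is served and executes .aspx files,
    <root>/uploads is never served."""
    root = tempfile.mkdtemp(prefix="generatefile-demo-")
    os.makedirs(os.path.join(root, "wwwroot", "ymx", "editor", "inc"))
    os.makedirs(os.path.join(root, "uploads"))
    return root


def vulnerable_generate_file(root, file_name, file_content):
    """Mirrors the behaviour the article describes: the client-supplied
    FileName is joined onto the served directory and written as-is, so the
    client chooses the extension and therefore whether the file executes."""
    target = os.path.join(root, "wwwroot", "ymx", "editor", "inc", file_name)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(file_content)
    return target


def hardened_generate_file(root, file_name, file_content):
    """Same API, but the client controls neither location nor extension.
    Returns (True, stored_path) or (False, reason)."""
    # 1. Only a bare file name is acceptable: no directories, no traversal.
    if file_name in ("", ".", "..") or file_name != os.path.basename(file_name):
        return (False, "file name must not contain path components")
    # 2. Decide by the last extension only, against an allowlist.
    ext = os.path.splitext(file_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return (False, f"extension {ext or '(none)'} is not allowed")
    # 3. Never reuse the client's name on disk; keep only the vetted extension.
    stored_name = secrets.token_hex(16) + ext
    upload_dir = os.path.realpath(os.path.join(root, "uploads"))
    target = os.path.realpath(os.path.join(upload_dir, stored_name))
    # 4. Belt and braces: the resolved path must still be inside uploads/.
    if os.path.commonpath([upload_dir, target]) != upload_dir:
        return (False, "resolved path escaped the upload directory")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(file_content)
    return (True, target)


def is_under_webroot(root, path):
    """True if the file ended up somewhere the (assumed) server would serve."""
    webroot = os.path.realpath(os.path.join(root, "wwwroot"))
    return os.path.commonpath([webroot, os.path.realpath(path)]) == webroot


if __name__ == "__main__":
    root = make_sandbox()
    # The article's own request: FileName=zigoo.aspx, FileContent=zigoo.
    print("vulnerable:", vulnerable_generate_file(root, "zigoo.aspx", "zigoo"))
    print("hardened:  ", hardened_generate_file(root, "zigoo.aspx", "zigoo"))
    print("hardened:  ", hardened_generate_file(root, "notes.txt", "hello"))
```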

After the report, Yahoo rewarded the researcher with a bounty. As usual, Microsoft didn't give the researcher any reward.

Earlier this year, Ebrahim discovered a critical Remote PHP Code Injection vulnerability in one of the Yahoo domains. 

Yahoo using 'admin' as username and password, leads to RCE


Behrouz Sadeghipour, a bug bounty hunter, has found a critical vulnerability in one of Yahoo's subdomains (hk.yahoo.net) that allowed him to access its admin panel.

It is funny to learn that hk.yahoo.net was using 'admin' as both the username and the password for its panel.

After gaining access to the admin panel, he managed to upload a backdoor shell to the server. Using the shell, he was able to delete or create any file and run any command on the server.

He was also able to control a few other Yahoo subdomains. After being notified by the researcher, Yahoo patched the security hole. The researcher is still waiting for his bounty.

In addition to this bug, he also found a 'Directory Traversal' vulnerability on health.yahoo.com that allowed him to read the contents of the '/etc/passwd' file on the server.

Bug Bounty Programs: Github now offers $100 to $5000 for security vulnerability

GitHub is the latest organization to join the list of those offering bounties to security researchers who find and report vulnerabilities.

GitHub previously listed the names of those who reported vulnerabilities on its 'Hall of Fame' page; it now also offers bounties ranging from $100 to $5,000.

The exact bounty amount for each vulnerability is determined by GitHub based on actual risk and potential impact to their users.

Say you find a non-persistent XSS vulnerability that only works in the Opera browser (affecting only 2% of its users): it will get a small bounty. If you manage to find a persistent (stored) XSS that works in Chrome (affecting 60% of its users), it will earn you a larger reward.

The bounty program currently covers the GitHub API, GitHub Gist and GitHub.com.  GitHub says its other applications are not part of the open bounty, but researchers may receive a bounty at its discretion.

So far, two researchers have received 1000 points for reporting 'Broken Authentication or Session Management' and 'Missing Function Level Access Control' issues.

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo

PHP Code Injection vulnerability

Web application penetration tester Ebrahim Hegazy has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could allow hackers to inject and execute arbitrary PHP code on the Yahoo server.

The vulnerability exists in the Taiwan sub-domain of Yahoo: "http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]". The 'sid' parameter allows PHP code to be injected.

According to his blog post, the sid parameter might have been directly passed to an eval() function that results in the code Injection.

In his demo, Ebrahim showed how to get the directory listing and the process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“dir”))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system(“ps”))}

He also found that the Yahoo server was running an outdated kernel vulnerable to a "Local Privilege Escalation" vulnerability.

Yahoo fixed the issue immediately after being notified by the researcher. However, he is still waiting for the bug bounty reward for the bug. Google pays $20,000 for this kind of vulnerability; Yahoo sets its maximum bounty at "$15,000". Let us see how much bounty Yahoo offers for this vulnerability.

POC Video:


Last month, German Security researcher David Vieira-Kurz discovered similar remote code execution vulnerability in the Ebay website.

Researcher gets $33,500 for Remote Code Execution Vulnerability in Facebook


Here comes a critical bug discovered in Facebook and the biggest bounty ever paid by Facebook for reporting a vulnerability in their website.

Reginaldo Silva, a Brazilian hacker, has discovered a highly critical Remote Code Execution (RCE) vulnerability in Facebook that could have allowed attackers to read any file from the server. It could also have allowed attackers to run malicious code on the server.

In September 2012, he first discovered an XML External Entity (XXE) expansion bug in Drupal's OpenID handling. OpenID is an open technology that allows users to authenticate to websites without having to create a new password.

He found a similar bug affecting Google's App Engine and Blogger. However, it was not critical, as he was not able to access arbitrary files or open network connections, so he received a $500 reward from Google.

He found that plenty of other websites implementing OpenID are vulnerable to RCE.

Recently, Silva learned that Facebook's "forgot password" page also uses an OpenID provider to verify the identity of the user. He managed to find the XXE bug in Facebook, which allowed him to read the "/etc/passwd" file from the server.

"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed." Silva wrote in his blog.

He thought it would take time to fix the bug. However, the Facebook security team responded quickly and fixed the issue within 3.5 hours.

"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers," Silva said.

He has been rewarded with a bounty of $33,500.
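The bug class here is an OpenID relying party parsing attacker-supplied XML (the XRDS discovery document) with a parser that honours DTD entity declarations, which is what turns a login flow into a file read. The following is an added example, not Silva's code or Facebook's: it constructs a clean XRDS document and one carrying an external entity declaration, refuses any document with a DTD before the parser sees it, and only then extracts the OpenID endpoint. Python's stdlib xml.etree already declines to fetch external entities, so the pre-check is defence in depth that also stops internal-entity expansion bombs and carries over to parsers that do resolve entities.

```python
import re
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed documents for this example. The first is an ordinary XRDS
# discovery response; the second carries the entity declaration an XXE
# attack relies on (the file name is the article's example; the document
# itself is made up here).
CLEAN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://provider.example/openid/endpoint</URI>
    </Service>
    <Service priority="10">
      <Type>http://example.org/unrelated-service</Type>
      <URI>https://provider.example/other</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

XXE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE XRDS [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/server</Type><URI>&xxe;</URI></Service></XRD>
</xrds:XRDS>"""

_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised for XML the relying party refuses to hand to a parser."""


def reject_dtd(data: bytes) -> None:
    """An XRDS document never needs a DTD, so any DOCTYPE or ENTITY
    declaration is refused before parsing. Scanning raw bytes is crude but
    parser-independent; a false positive on weird CDATA is an acceptable
    trade for never resolving an entity."""
    if _DOCTYPE.search(data) or _ENTITY.search(data):
        raise UnsafeXmlError("DTD / entity declarations are not accepted")


def openid_endpoints(data: bytes) -> list:
    """Extract OpenID provider endpoint URIs from an XRDS document,
    refusing documents that declare a DTD."""
    reject_dtd(data)
    root = ET.fromstring(data)
    uris = []
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if not types & {OPENID_SERVER, OPENID_SIGNON}:
            continue  # not an OpenID service entry
        for uri in service.findall(f"{{{XRD_NS}}}URI"):
            if uri.text and uri.text.strip():
                uris.append(uri.text.strip())
    return uris


if __name__ == "__main__":
    print("clean:", openid_endpoints(CLEAN_XRDS))
    try:
        openid_endpoints(XXE_XRDS)
    except UnsafeXmlError as exc:
        print("xxe document refused:", exc)
```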

Hacking Challenge : Hack Tresorit and get $25,000 Bounty

 

Hungarian developers Istvan Lam and Szilveszter Szebeni are offering $25,000 Bounty to any White hat hackers who can hack the layers of defenses protecting their startup "Tresorit" , VentureBeat reports.

Tresorit is intended to offer a truly secure cloud storage service in which users' files, passwords, and encryption keys are never stored in unencrypted form; it is being referred to as a high-security alternative to Dropbox.

"Files and some corresponding encryption keys can only be decrypted by the people you have explicitly shared with."

The site offers client-side encryption in which the encryption of files is performed before getting into the cloud.  The AES-256 standard is used for encrypting the files.

"All of our data centers employ physical security measures against intrusion, and are equipped with uninterruptible power and backup systems."

Hacker who exploits Windows 8.1 will get $100,000


Microsoft has finally launched security bug bounty programs and is now willing to pay researchers for reporting certain types of vulnerabilities and exploitation techniques, according to an official blog post.

A security researcher who is able to bypass the exploit mitigations in the upcoming Windows 8.1 Preview will get up to $100K USD.

A researcher who provides "Defensive ideas that accompany a qualifying Mitigation Bypass submission" will get $50K USD.

Apart from the two Bounties, Microsoft also offers $11K USD "for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview"

Anyone who wishes to participate in Microsoft's Mitigation Bypass Bounty can register at the Black Hat conference. A researcher who successfully bypasses Windows 8.1 on the target laptop will get the reward.

An Interview with Bug Bounty Hunter M.R. Vignesh Kumar ,from TamilNadu


Hello E Hackers, today E Hacking News interviewed one of the best bug bounty hunters, Vignesh Kumar, who is listed on Hall of Fame pages including Google's and Twitter's and has been rewarded by many companies for his findings.

1. Introduce yourself
Hi, I am Vignesh Kumar from Tamil Nadu, INDIA. I hold a Bachelor of Engineering in Electrical Engineering, and in addition I am an Information Security Enthusiast and budding Bug Bounty Hunter.

2. You are an Electrical Engineer, How did you get interest in Information security field?
Yes, I am. But I am more obsessed with Electronics and Networking. Also I have a huge passion for Information security too. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

3. When did you start Bug hunting?
Around 5 months ago. But started in full swing from the last 3 months.

4. I have seen your name in lots of Hall of Fame, I am really proud to have you as my friend. How did your Parents/Friends react when you got rewards?
Thank you so much for your compliments. At the outset, I would like to thank my Family and all my Friends for all their support and encouragement. Well, when I received my first Bug Bounty (Cash reward), I told my friends about it and they looked at me like I was a Cyber Criminal. After I explained the "Bug Bounty Program" to them with a "Proof of Concept", I could see smiley faces. No wonder! Even many IT Geeks aren't aware of the term "Bug Bounty". Awareness is necessary.

5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
The vulnerabilities categorized by The OWASP Foundation.

6. What is your first finding, how did you feel at that time?
I can barely remember the exact first one. But whatever it was, it really drove me to dig more deeply into it.

7. What is the favorite vulnerability found by you?
Each and every one of the vulnerabilities I found in Top Ranked Sites, which include Facebook and Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook and Twitter will be really hard in the coming days since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers: "Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs". Well said.

8. You're hunting bugs for fun, for profit?
Actually, a bit of both. Beyond those, you could gain more knowledge from those around you and develop your own skill set, which is primary. Also I am glad that I have earned good friends around the world from this Bug Bounty program.

9. What are your future plans? Electrical Engineer or Information Security Researcher?
Obviously, Electrical/Network Engineer it is. And I believe I have the potential to handle multiple tasks. So I would continue my InfoSec Research too, either as an Independent or as part of a Team.

10. What is your advice for new bug hunters?
Well, that question is for Experts, which I am not. I am a Beginner too. But from my experience, I may have a few things. "Bug Bounty Hunting" is totally competitive. You shouldn't jump into this just by aiming at money. Have a thirst for gaining knowledge, which will fetch you HOFs, money and all. Don't feel depressed when you fail the first few times. Learn to the core and keep hunting, which will definitely fetch you the rewards. Follow the InfoSec experts on Twitter/Facebook and try learning new hunting methodologies from their personal blogs. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

11. What do you think about E Hacking News?
E Hacking News (EHN) is doing a great job and it is one of the best IT Security/Hacking News Portals I have ever come across. I must appreciate your efforts in bringing the real news on IT Security from around the world to all the Readers. I must also mention BreakTheSecurity.com, which has a handful of Tutorials on Penetration Testing & Ethical Hacking for Beginners. Kudos to your efforts!! I would suggest continuing the publication of the monthly Security Magazine from EHackerNews.

12. Is there anything else you want to add?
I have nothing else. I wish all Bug Hunters very Good Luck for their hunting and a bright future. Thank you, Mr. Sabari Selvan, for this opportunity to share my experience with all. Thanks everyone!!

Paypal running out of Money in its Bug Bounty budget

It seems like PayPal is running out of money in its Bug Bounty budget. Bug hunters have started to report that PayPal has stopped paying bounties.

Recently, security researcher Mahadev Subedi discovered two XSS vulnerabilities in one of the PayPal domains (paypal-marketing.com.hk) and notified PayPal.

But PayPal responded: "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."


XSS vulnerability in Paypal-marketing
Mahadev discovered POST-based Cross-Site Scripting in two pages of the paypal-marketing domain: 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2. paypal-marketing.com.hk/merchant-enquiries/index-zh.php. PoCs for these vulnerabilities can be found here.

Researchers say that PayPal has stopped paying bug bounties because it has already paid out a lot for low-priority bugs.

*Update*:
Bug Hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:

Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.


Sites to be decommissioned in coming months:
  • paypal-deutschland.de
  • paypal-danmark.dk
  • paypal-promo.es
  • paypal-europe.com
  • paypal-france.fr
  • paypal-nederland.nl
  • paypal-norge.no
  • paypal-marketing.pl
  • paypal-sverige.se
  • paypal-turkiye.com
  • paypal-business.co.uk
  • paypal-marketing.co.uk
  • paypal-shopping.co.uk
  • paypal-australia.com.au
  • paypal-biz.com
  • paypal-business.com.hk
  • paypal-marketing.com.hk
  • paypal-offers.com.hk
  • paypal-shopasia.com
  • paypal-japan.com
  • paypal-apac.com
  • paypal-plaza.com
  • thepaypalblog.com
  • www.paypal-brasil.com.br
  • paypal-marketing.ca

Blind SQL Injection vulnerability in PayPal Notifications website



An Indian security researcher, Prakhar Prasad, has discovered a Blind SQL Injection vulnerability in the PayPal Notifications website (paypal-notify.com) that allowed the researcher to access the database of PayPal's notification system.

"As a part of Paypal Bug Bounty Program, I did a responsible disclosure of the bug to Paypal Security Team," the researcher said in his blog.


SQLMap displays the Database name after injection


The PayPal security team patched the vulnerability immediately, the day after Prasad's report, due to its high severity.

On 21st January, the PayPal security team rewarded the researcher with $3000 for the SQLi and an additional $350 for other, less critical bugs.

Avast Introduces Avast Bug Bounty Program


It seems the Bug Bounty model has attracted the security company Avast as well. Today, Avast officially announced its Bug Bounty program.

A Bug Bounty program is one where security researchers find vulnerabilities in a target website or software and get rewarded for their findings.

"As a security company, we very much realize that security bugs in software are reality," the official blog post reads. "But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful [than] those that don't."

Avast claims that their firm is the first security vendor with a reward program.

The company is only interested in the following types of bugs:
  • Remote code execution
  • Local privilege escalation
  • Denial-of-service (DoS)
  • Escapes from the avast! Sandbox (via bugs in code)
  • Other bugs with serious security implications

The base payment is $200 per bug. Depending on the criticality of the bug, the bounty will go much higher: remote code execution bugs will pay at least $3,000 – $5,000 or more.

Facebook vulnerability allowed hackers to record video of user and post in his wall


A Cross-Site Request Forgery (CSRF) vulnerability in Facebook allowed hackers to record video of target users and post it on the victim's wall. The vulnerability was discovered by security researchers Aditya Gupta and Subho Halder, from the XYSEC Team.

A malicious hacker could trick a user into silently recording webcam video and publishing it to the user's Facebook wall, without the user even knowing about it.

In a YouTube video, the researchers demonstrate how an attacker could exploit this vulnerability.

Four months after the researchers notified Facebook about the security flaw, Facebook finally emailed them that their finding is eligible for a bug bounty of $2500, which will come as a Facebook WhiteHat Debit Card.

PoC: