Snapchat - HackerOne
critical - Exposed Kubernetes API - RCE/Exposed Creds (25000.00USD)
@txt3rob found one of Snap's internal Kubernetes instances exposing an API endpoint to the public without authorization. With access to this API he was able to run arbitrary code/jobs as a cluster-admin and gained access to credentials with internal access to a significant number of instances.
Snapchat - HackerOne
high - Stealing SSO Login Tokens ( (7500.00USD)
@coolboss was able to chain multiple security issues, which allowed him to extract SSO tokens from Snapchat users by sending them to a malicious website.
Snapchat - HackerOne
critical - Publicly accessible Continuous Integration Tool
@apfeifer27 found an internal Continuous-Integration instance, which disclosed internal source code and credentials for some of our instances.
Cisco Talos Intelligence Group
Threat Spotlight: Solarmarker
Project Zero Bug Tracker
Exchange: AD Schema Misconfiguration Elevation of Privilege
Acronis - HackerOne
high - Blind Stored XSS in which lead to sensitive information/PII leakage (150.00USD)
Blind XSS was possible on (Tier 3) via several contact form fields. We have seen no signs of the exploitation of this vulnerability.
MTN Group - HackerOne
critical - SQL Injection on the administrator panel
Hello team. The admin panel of the website is or is vulnerable to sql attack via ## Request ``` POST /webadmin/index.php HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language:...
Squid Cache (IBB) - HackerOne
high - Buffer Overflow in ext_lm_group_acl helper
## Summary Due to incorrect buffer management ext_lm_group_acl is vulnerable to a denial of service attack when processing NTLM Authentication credentials. This problem is limited to installations using the ext_lm_group_acl binary. ## Affected Versions Squid 2.x -> 2.7.STABLE9 Squid 3.x -> 3.5.28 Squid 4.x -> 4.9 ## Severity Due to incorrect input validation the NTLM authentication...
UPchieve - HackerOne
critical - blind sql on [ ]
## Summary: [I have discovered a blind SQL injection on your site login page, which I confirmed using two scenarios to confirm its existence.] ## Steps To Reproduce: [add details for how we can reproduce the issue] use the following payloads. This one returned a 200 OK response, confirming the SQL vulnerability's existence: id=291751-sleep(5)&hash=f42ffae0449536cfd0419826f3adf136 This one was blocked...
Diversity, Equity, Inclusion, and Belonging at Praetorian: Reflecting the World We Want to Protect
This article looks at how cybersecurity solutions company Praetorian is tackling diversity, equity, inclusion, and belonging in 2021.
Zero Day Initiative
CVE-2021-27077: Selecting Bitmaps into Mismatched Device Contexts
In March 2021, Microsoft released a patch to correct a vulnerability in the Windows GDI subsystem. The bug could allow an attacker to execute code with escalated privileges. This vulnerability was reported to the ZDI program by security researcher Marcin Wizowski. The patch for CVE-2021-27077
Writing a (toy) symbolic interpreter, and solving challenges, part 3
In this installment, we turn the concrete interpreter into a symbolic interpreter.
Cisco Talos Intelligence Group
Vulnerability Spotlight: Use-after-free vulnerabilities in Foxit PDF Reader
PDF-Malware: An Overview on Threats, Detection and Evasion Attacks
In recent years, Portable Document Format, commonly known as PDF, has become a democratized standard for document exchange and dissemination. This trend is due to characteristics such as its flexibility and portability across platforms. The widespread use of PDF has instilled a false impression of inherent safety among benign users. However, the characteristics of PDF motivated attackers to exploit various types of vulnerabilities and overcome security safeguards, thereby making the PDF format one of the most efficient malicious code attack vectors. Therefore, efficiently detecting malicious PDF files is crucial for information security. Several analysis techniques have been proposed in the literature, be they static or dynamic, to extract the main features that allow the discrimination of malware files from benign ones. Since classical analysis techniques may be limited in the case of zero-days, machine-learning based techniques have emerged recently as an automatic PDF-malware...
Google Security Blog
A new chapter for Google’s Vulnerability Reward Program
Posted by Jan Keller, Technical Program Manager, Google VRP A little over 10 years ago , we launched our Vulnerability Rewards Program (VR...
Shopify - HackerOne
critical - Github access token exposure (50000.00USD)
On January 26, @augustozanellato reported that while reviewing a public macOS app, they found a valid GitHub Access Token belonging to a Shopify employee. This token had read and write access to Shopify-owned GitHub repositories. Upon validating the report, we immediately revoked the token and performed an audit of access logs to confirm no unauthorized activity had occurred.
NCC Group Research
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Technical Advisory - Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Cisco Talos Intelligence Group
Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System
fail2ban – Remote Code Execution
This article is about the recently published security advisory for a pretty popular piece of software, fail2ban (CVE-2021-32749). It concerns a bug that may lead to Remote Code Execution.
Phabricator - HackerOne
high - Git flag injection leads to arbitrary file write
keyword : mongoose #PoC 1. Login and generate API token 2. Create a repo and push several commits to phabricator 3. Execute diffusion api ``` curl http://dev.localhost/api/diffusion.internal.gitrawdiffquery \ -d api.token=api-token \ -d commit=--output%3D/tmp/qqq \ -d repository=R2 ``` 4. `qqq` file will be created in `tmp` directory. And the content of `qqq` contains the output...
A Survey of Wearable Devices Pairing Based on Biometric Signals
With the growth of wearable devices, which are usually constrained in computational power and user interface, this pairing has to be autonomous. Considering devices that do not have prior information about each other, a secure communication should be established by generating a shared secret key derived from a common context between the devices. Context-based pairing solutions increase the usability of wearable device pairing by eliminating any human involvement in the pairing process. This is possible by utilizing onboard sensors (with the same sensing modalities) to capture a common physical context (e.g., body motion, gait, heartbeat, respiration, and EMG signal). A wide range of approaches has been proposed to address autonomous pairing in wearable devices. This paper surveys context-based pairing in wearable devices by focusing on the signals and sensors exploited. We review the steps needed for generating a common key and provide a survey of existing techniques utilized in each...
Breath to Pair (B2P): Respiration-Based Pairing Protocol for Wearable Devices
We propose Breath to Pair (B2P), a protocol for pairing and shared-key generation for wearable devices that leverages the wearer's respiration activity to ensure that the devices are part of the same body-area network. We assume that the devices exploit different types of sensors to extract and process the respiration signal. We illustrate B2P for the case of two devices that use respiratory inductance plethysmography (RIP) and accelerometer sensors, respectively. Allowing for different types of sensors in pairing allows us to include wearable devices that use a variety of different sensors. In practice, this form of sensor variety creates a number of challenges that limit the ability of the shared-key establishment algorithm to generate matching keys. The two main obstacles are the lack of synchronization across the devices and the need to correct noise-induced mismatches between the generated key bit-strings. B2P addresses the synchronization challenge by utilizing Change...
Mitigating Power Attacks through Fine-Grained Instruction Reordering
Side-channel attacks are security exploits that take advantage of information leakage. They use measurement and analysis of physical parameters to reverse engineer and extract secrets from a system. Power analysis attacks in particular collect a set of power traces from a computing device and use statistical techniques to correlate this information with the attacked application's data and source code. Countermeasures like just-in-time compilation, random code injection and instruction descheduling obfuscate the execution of instructions to reduce the security risk. Unfortunately, due to the randomness and excess instructions executed by these solutions, they introduce large overheads in performance, power and area. In this work we propose a scheduling algorithm that dynamically reorders instructions in an out-of-order processor to provide obfuscated execution and mitigate power analysis attacks with little-to-no effect on the performance, power or area of the processor. We exploit...
On Boolean Functions with Low Polynomial Degree and Higher Order Sensitivity
Boolean functions are important primitives in different domains of cryptology, complexity and coding theory. In this paper, we connect the tools from cryptology and complexity theory in the domain of Boolean functions with low polynomial degree and high sensitivity. It is well known that the polynomial degree of a Boolean function and its resiliency are directly connected. Using this connection we analyze the polynomial degree-sensitivity values through the lens of resiliency, demonstrating existence and non-existence results for functions with low polynomial degree and high sensitivity on a small number of variables (up to 10). In this process, borrowing an idea from complexity theory, we show that one can implement resilient Boolean functions on a large number of variables with linear size and logarithmic depth. Finally, we extend the notion of sensitivity to higher order and note that the existing construction idea of Nisan and Szegedy (1994) can provide only constant higher order...
Writing a (toy) symbolic interpreter, and solving challenges, part 2
In the second part of this series, we write a concrete interpreter for a subset of WebAssembly.
The Internet - HackerOne
high - [CVE-2020-27194] Linux kernel: eBPF verifier bug in `or` binary operation tracking function leads to LPE (750.00USD)
CVE-2020-27194 is an eBPF verifier bug that allows an unprivileged attacker to create BPF socket filter programs that can read and write out of bounds, through which an arbitrary kernel read/write can be achieved. I'm taking the root cause explanation from the patch email: ``` Simon reported an issue with the current scalar32_min_max_or() implementation. That is, compared to the other 32 bit...
NCC Group Research
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
NCC Group - Technical Advisory ICTFAX 7-4 Indirect Object Reference
ZLeaks: Passive Inference Attacks on Zigbee based Smart Homes
In this work, we analyze the privacy guarantees of the Zigbee protocol, an energy-efficient wireless IoT protocol that is increasingly being deployed in smart home settings. Specifically, we devise two passive inference techniques to demonstrate how a passive eavesdropper, located outside the smart home, can reliably identify in-home devices or events from the encrypted wireless Zigbee traffic by 1) inferring a single application layer (APL) command in the event's traffic burst, and 2) exploiting the device's periodic reporting pattern and interval. This enables an attacker to infer a user's habits or determine if the smart home is vulnerable to unauthorized entry. We evaluated our techniques on 19 unique Zigbee devices across several categories and 5 popular smart hubs in three different scenarios: i) controlled shield, ii) living smart-home IoT lab, and iii) third-party Zigbee captures. Our results indicate over 85% accuracy in determining events and devices using the command inference...
Membership Inference Attack and Defense for Wireless Signal Classifiers with Deep Learning
An over-the-air membership inference attack (MIA) is presented to leak private information from a wireless signal classifier. Machine learning (ML) provides powerful means to classify wireless signals, e.g., for PHY-layer authentication. As an adversarial machine learning attack, the MIA infers whether a signal of interest has been used in the training data of a target classifier. This private information incorporates waveform, channel, and device characteristics, and if leaked, can be exploited by an adversary to identify vulnerabilities of the underlying ML model (e.g., to infiltrate the PHY-layer authentication). One challenge for the over-the-air MIA is that the received signals and consequently the RF fingerprints at the adversary and the intended receiver differ due to the discrepancy in channel conditions. Therefore, the adversary first builds a surrogate classifier by observing the spectrum and then launches the black-box MIA on this classifier. The MIA results show that the...
Khan Academy - HackerOne
high - Enumerate all the class codes via google dorking
Here's the write-up for this issue.
Bumble - HackerOne
high - Exfiltrating a victim's exact location (to within 5m) (2000.00USD)
I used Bumble's distance feature to exfiltrate the exact location (to within approx 5m) of a victim. I did this by using the Bumble API to move my attacker account's location around the approximate area of the victim. I was able to obtain the exact distance between attacker and victim at 3 separate locations, and I then used trilateration...
Phabricator - HackerOne
high - Broken Authentication and Session Management lead to take over account
Hello, I found vulnerability using phone Summary : Session token weakness, allowing attackers to take over accounts Tools : Lightning.apk (Browser) SandroProxy.apk or you can use all available proxies Steps to Reproduce: 1) Create a phacility account. 2) Go to 3) Add new account 4) Open SandroProxy (Capture all http request)...
curl - HackerOne
high - CVE-2021-22924: Bad connection reuse due to flawed path name checks (1200.00USD)
## Summary: `Curl_ssl_config_matches` attempts to compare whether two SSL connections have identical SSL security options or not. The idea is to avoid reusing a connection that uses less secure, or completely different security options such as capath, cainfo or certificate/issuer pinning. Unfortunately this function has several flaws in it: 1. It completely fails to take into account "BLOB"...
Guest Blog Post - Attacking the DevTools
In this post, we've invited David Erceg, one of the participants in the Edge bug bounty program, to talk about interesting bugs he found in Edge. By sharing this information, we hope more security researchers are motivated to work with us to improve the security of Edge and Chromium as a whole. Introduction Within Chromium and its derivatives, the DevTools is an interesting attack surface. That's because the DevTools itself is fairly highly privileged, especially if it's attached to a page as part of a debugging session. Therefore, bugs within the DevTools can allow a malicious extension to escalate its privileges. That's because an extension may have the ability to load DevTools URLs, and once an extension can do that, it can potentially take advantage of any bugs that are present. The post here will examine how an extension could, in previous versions of Chrome/Edge, run code within the context of the DevTools and how the ability to do that could allow the extension to run code outside...
Threat Intelligence: Tools for Making Your Blue Team Smarter
An overview of threat intelligence, including different types and lifecycle stages that help organizations defend against cyber threats.
Zero Day Initiative
CVE-2021-31969: Underflowing in the Clouds
With the popularity of cloud storage, various operating systems have added services and functionalities to support such storage. You can now have your storage in the cloud while exploring it locally on your system. On Windows, this is done via the Cloud Sync Engine. This component exposes a native A
QilingLab – Release
Release of the QilingLab challenge.
Firmware Re-hosting Through Static Binary-level Porting
The rapid growth of the Industrial Internet of Things (IIoT) has brought embedded systems into focus as major targets for both security analysts and malicious adversaries. Due to the non-standard hardware and diverse software, embedded devices present unique challenges to security analysts for the accurate analysis of firmware binaries. The diversity in hardware components and tight coupling between firmware and hardware make it hard to perform dynamic analysis, which requires the ability to execute firmware code in virtualized environments. However, emulating the large expanse of hardware peripherals forces analysts to frequently modify the emulator to execute various firmware code in different virtualized environments, greatly limiting the ability to perform security analysis. In this work, we explore the problem of firmware re-hosting related to real-time operating systems (RTOS). Specifically, developers create a Board Support Package (BSP) and develop device drivers to make...
Leaking Secrets through Modern Branch Predictor in the Speculative World
Transient execution attacks that exploit speculation have raised significant concerns in computer systems. Typically, branch predictors are leveraged to trigger mis-speculation in transient execution attacks. In this work, we demonstrate a new class of speculation-based attack that targets the branch prediction unit (BPU). We find that speculative resolution of conditional branches (i.e., in nested speculation) alters the state of the pattern history table (PHT) in modern processors, and that this state is not restored after the corresponding branches are later squashed. This characteristic allows attackers to exploit the BPU as the secret-transmitting medium in transient execution attacks. To evaluate the discovered vulnerability, we build a novel attack framework, BranchSpectre, that enables exfiltration of unintended secrets through observing speculative PHT updates (in the form of covert and side channels). We further investigate the PHT collision mechanism in the history-based predictor as well as the branch...
Google Security Blog
Protecting more with Site Isolation
Posted by Charlie Reis and Alex Moshchuk, Chrome Security Team Chrome's Site Isolation is an essential security defense that makes it har...
Google Security Blog
Advancing an inclusive, diverse security industry
Posted by Sarah Morales, Community Outreach Manager, Security It's no secret that lack of diversity in corporate America is a well-document...
Project Zero Bug Tracker
Windows: WFP Default Rules AppContainer Capability Bypass EoP
Writing a (toy) symbolic interpreter, and solving challenges, part 1
Writing a symbolic interpreter, and wiring it to a solver in order to solve reverse engineering challenges (or other uses), might seem like a daunting task. Even simply using an existing symbolic inte
GitLab - HackerOne
high - Stored XSS in custom emoji (3000.00USD)
### Summary I found a Stored XSS in the custom emoji feature. This feature hasn't been rolled out yet and needs feature flags set in a self-managed installation. ( ) The problem is the code here. ```ruby def emoji_image_tag(name, src) "<img...
How to detect a cyberattack and prevent money theft
Money theft is one of the most important risks for any organization, regardless of its scope of activity. According to our data, 42% of cybe...
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 2
Combining Part 1's information leak vulnerability with a pool overflow vulnerability to obtain code execution via grooming the kLFH
Cisco Talos Intelligence Group
Vulnerability Spotlight: Multiple vulnerabilities in D-LINK DIR-3040
Nextcloud - HackerOne
high - Scoped apptokens can be changed by that very apptoken (1000.00USD)
I noticed that there is the possibility to limit apptokens to not be able to access the filesystem. 1. Create a new apptoken in `https://server/settings/user/security` 2. Click the .. of your new apptoken and make it not allowed to access the filesystem 3. Log out 4. Navigate to `https://server/remote.php/dav` and login with your username + apptoken 5. Navigate again to...
Google Security Blog
Verifiable design in modern systems
Posted by Ryan Hurst, Production Security Team The way we design and build software is continually evolving. Just as we now think of securit...
Cisco Talos Intelligence Group
Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet