Search This Blog

Showing posts with label Bug Bounty. Show all posts

LockBit 3.0: Launch of Ransomware Bug Bounty Program

 

The "LockBit 3.0" ransomware update from the LockBit ransomware organization features the first spyware bug bounty program, new extortion methods, and Zcash cryptocurrency payment choices. After two months of beta testing, the notorious gang's ransomware-as-a-service (RaaS) operation, which has been operational since 2019, recently underwent an alteration. It appears that hackers have already employed LockBit 3.0.

Bug bounty plan for LockBit 3.0 

With the launch of LockBit 3.0, the organization launched the first bug bounty program provided by a ransomware gang, which asks security researchers to disclose bugs in exchange for incentives that can go as high as $1 million. In addition to providing bounties for vulnerabilities, LockBit also pays rewards for "great ideas" to enhance the ransomware activity and for doxing the operator of the affiliate program, identified as LockBitSupp, which had previously posted a bounty plan in April on the XSS hacking site.

"We open our bug bounty program to any security researchers, ethical and unethical hackers worldwide. The compensation ranges from $1,000 to $1,000,000," reads the page for the LockBit 3.0 bug reward. The notion of initiating the criminal operation would be against the law in many nations, however, makes this bug reward scheme a little different from those frequently utilized by respectable businesses.

LeMagIT claims that version 3.0 of LockBit includes several other improvements, such as new methods for data recovery and monetization, as well as the option for victims to choose to have their data destroyed, and the ability for victims to make payments using the Zcash cryptocurrency in addition to Bitcoin and Monero. 

LockBit is producing outcomes. In May, LockBit 2.0 succeeded Conti as the leading provider of ransomware as a service. The gang's previous ransomware, LockBit 2.0, was to be blamed for 40% of the attacks that NCC Group observed in the preceding month. Moreover, according to Matt Hull, worldwide lead for strategic threat intelligence at NCC, The most prolific threat actor of 2022 is Lockbit 2.0,  In times like these, it's imperative that businesses become familiar with their strategies, methods, and processes.

It is unclear how this new extortion technique will operate or even whether it is activated because the LockBit 3.0 data leak site currently does not have any victims. With its public-facing manager actively interacting with other malicious actors and the cybersecurity community, LockBit is one of the most prolific ransomware campaigns.

Bug Bounty Hunter Finds Google Drive Integration Vulnerability

Implementation vulnerabilities in Google Drive integrations created various server-side-request-forgery (SSRF) flaws in various applications, say cybersecurity experts. It also includes Dropbox's HelloSign, a digital signature platform, however, the latest SSRF was gained by CRLF and asks pipeline in other, anonymous applications, says Bug Bounty hunter Harsh Jaiswal. Jaiswal won a bounty reward of $17,576 for a basic but important SSRF associated with HelloSign's Google Drive Docs export feature. 

If one uses an extra parameter in Google Drive API, it is possible for experts to compelled HelloSign for parsing external JSON data that leads to an SSRF attack. Dropbox has updated the parser securely making a request mitigating the flaw. 

The implementation issues surfaced in integrations that retrieved files from Google Drive API in the servers. To explain the issue, Jaiswal laid out a situation where an app collects and renders an image file in Google Drive in a way that allows hackers to gain control of HTTP requests made to Google APIs via file ID. A user can make a path traversal, adding query parameters. 

The Daily Swig reports "Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable. However, he found another route to SSRF. Because the alt=media parameter served the entire file rather than the JSON object, when the application parsed the JSON and extracted downloadUrl, attackers could gain control over downloadUrl." A payload consisting of a malicious JSON element download Url. 

The SSRF through CRLF and pipeline was discovered on a private bug bounty competition and linked to Google Drive slides retrieval. Only the path traversal technique worked and not the query parameters. "Using this I was able to craft a new request to www.googleapis.com with my controlled query params using request pipelining. If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug," reports the Daily Swig.

Live XSS Flaw Exists in DMCA-dot-com

 

The user interface of the takedowns website DMCA-dot-com has an active cross-site scripting (XSS) vulnerability. It's been there for almost a year and has not been addressed. 

After more than a year of attempting and failing to convince DMCA-dot-com to take the XSS seriously, Infosec researcher Joel Ossi, founder of Dutch security firm Websec, disclosed his findings. "I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface that allowed him to create an XSS. 

A copyright takedown service is DMCA-dot-com. Users pay the site to conduct the time-consuming task of obtaining an alleged copyright infringer's work to be removed from the Internet utilising the infamous US Digital Millennium Copyright Act. The cost of a takedown could be as high as $199. 

On a video conference with The Register, Ossi shared his findings in real-time. The typical XSS tell-tale — a popup with a personalized message – displayed every time he navigated to a new webpage in the DMCA-dot-com user area. The script for doing so was actually fairly straightforward: When he originally discovered the flaw in late 2020, he spent a year attempting and failed to obtain the attention of the operators of DMCA-dot-com. 

DMCA-dot-last com's message to Ossi stated, "Our development team will be reaching out if / when they need to. Our support department cannot help you on this," as he tried to persuade helpdesk staff to forward his vulnerability report. When he asked for a bug bounty, El Reg confirmed that Ossi had made complete confidential disclosure of his discoveries before addressing the issue of payment.

Both Ossi and The Register attempted to contact DMCA-dot-com several times and in The Register's instance, the company didn't even respond to the attempts to reach them. While Ossi was the first to discover the XSS flaws in DMCA-dot-com, he isn't the only one. Two different entries on the Open Bug Bounty site, one from April and the other from June, indicate XSS vulnerabilities in DMCA. 

Cross-site scripting vulnerabilities, let a malicious person run scripts on another person's website. The problem often exists because free text entry forms do not sanitize user inputs, as per MITRE. An attacker could gain access to a DMCA-dot-com account by extracting active login tokens from cookies. According to Ossi, it wouldn't take much to falsely bill for services, remove DMCA-dot-com's security features from a webpage, or delete an account. 

Jake Moore, a global cybersecurity advisor to infosec firm ESET, told The Register: "Cross-site scripting vulnerabilities can allow an attacker to masquerade as a standard user and carry out any actions that the user is able to perform such as access the user's data. User accounts can then ultimately be compromised and credentials or other information could be stolen with great ease." 

Immersive Labs' app security specialist Sean Wright further added: "Despite the fact they have been a part of the attacker toolkit for some time, many still underestimate the risks from XSS vulnerabilities. However, they are effectively client-side remote code execution vulnerabilities. In the right circumstances, and combined with tools such as the Browser Exploitation Framework, XSS vulnerabilities give an attacker almost complete control of a browser. Ultimately, this could lead to redirects to malicious sites and even performing actions on behalf of the user."

It's anticipated that someone at DMCA-dot-com pays attention to the flaw disclosure from a year and a half ago.

Apple Awards Bounty of $100,500 for Finding Flaws in MacBook

In 2021, Apple patched a set of MacOs vulnerabilities exposing the Safari browser to attack and letting threat actors hack users' online accounts, cameras, and mic. Cybersecurity expert Ryan Pickren, who found these vulnerabilities and reported back to company Apple, was given a $100,500 bug bounty, considering the critical scale of the vulnerabilities. These bugs exploit a set of security issues with iCloud sharing and Safari 15. 

It allows the hacker to control multimedia permissions and gain full access to all sites that the user has opened using the Safari browser. It also includes Gmail, iCloud, PayPal, and Facebook accounts. The problem is primarily concerned with ShareBear, it is an iCloud file-sharing platform that prompts users to open a shared document. Pickren noticed that the prompt doesn't ask the user to open a file after a user opened it once. 

Pickren concluded that this can allow a threat actor to play with the file's components if he has access to the files. "ShareBear will then download and update the file on the victim's machine without any user interaction or notification. 

In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment," explains Pickren in his writeup. In simpler terms, a .PNG format image file can have all its content and extension converted into an executable binary ("evil.dmg") once the user has opened the file. 

After this, one can launch the binary, which triggers exploit chain vulnerabilities that influence extra bugs found in Safari to control a system's mic and camera and steal local files stored in the device. It is not the first time Pickren disclosed bugs in iOS and macOS that allows a threat actor to gain access to a system and control its commands. 

The unauthorized access is gained when the victim opens a certain file type. He says "this project was an interesting exploration of how a design flaw in one application can enable a variety of other, unrelated, bugs to become more dangerous."

New Safari Vulnerability Could have given Attackers Access to Your Mac Webcam

 

Apple has awarded a cybersecurity student $100,500 (roughly Rs 75,54,000) in bounty rewards for finding a bug in Apple’s macOS, which enabled malicious actors to access the victims’ logged-in online accounts and even get into their webcams. 

Ryan Pickren, reported the flaw to Apple last summer, and was patched earlier this month. Pickren is no stranger to Apple bugs, as he uncovered an iPhone and Mac camera vulnerability earlier in April 2020. Now, he has exposed another Mac webcam bug that allows attackers to breach into the device and access sensitive user information. 

According to a report by AppleInsider, this Apple Mac webcam bug was related to a series of issues with iCloud and Safari browser. 

The vulnerability grants the hacker "full access to every website you've visited in Safari, meaning that if you're visiting my evil website on one tab, and then your other tab, you have Twitter open, I can jump into that tab and do everything you can from that screen. So, it does allow me to fully perform an account takeover on every website you visited in Safari," Pickren explained in a blog post. 

According to Pickren, it all began with exploiting the Safari browser (Safari v15 when he attempted this) and gaining access to the webarchive files. Webarchives are local storage for the Safari browser where it saves local copies of websites to open them faster. This wouldn’t be a problem, were it not for the simple fact that the downloaded files could later be altered by the author. So, a victim could download an innocent .PNG file, only to have it transform into a malicious webarchive file. 

“In essence, the victim has given the attacker permission to plant a polymorphic file onto their machine and the permission to remotely launch it at any moment. Yikes. Agreed to view my PNG file yesterday? Well, today it's an executable binary that will be automatically launched whenever I want,” Picker explained in a further blog post.

To open the webarchive file, Pickren further explains, he needed to bypass the Gatekeeper restriction, which turned out to be relatively simple. He used a fileloc to point to a local app (a technique known as Arbitrary File Execution) which was a great example of how even with macOS Gatekeeper enabled, an attacker could trick approved apps into performing malicious tasks 

Typically, researchers disclose the exploits after the company has fixed the issue, which explains why Pickren is posting about this now. The reason is to ensure that the flaw is patched before attackers can start exploiting it. 


Researcher Detects 70 Web Cache Poisoning Vulnerabilities, Gets $40k in bug bounty rewards

 

Despite the fact that it is a well-known and well-documented vulnerability, 'web cache poisoning' continues to be a concern on the internet. 

Security researcher Iustin Ladunca (Youstin) recently uncovered 70 cache poisoning vulnerabilities with varying implications after conducting a thorough investigation on different websites, including some high-traffic online services. 

The intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers, are the targets of web cache poisoning attacks. These intermediates aid website speed by keeping local versions of online content and delivering them to web clients faster. Cache poisoning attacks change the way cache servers behave and respond to certain URL requests from clients. 

Ladunca told The Daily Swigg, “I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic. Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.” 

Ladunca outlined how he identified and disclosed the web cache vulnerabilities, which included severs such as Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others, in a blog post. 

“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca stated.

“Even so, there still was a significant impact, since modern websites rely heavily on JS [JavaScript] and CSS {cascading style sheets] and taking those files down would really affect application availability.” 

Denial of service (DoS) attacks were launched as a result of several web cache vulnerabilities. Some headers are used as keys by cache servers to store and retrieve URL requests. Ladunca was able to compel servers to cache error responses and deliver them instead of the original content by utilising faulty values in unkeyed headers, making the target URLs unreachable to clients. 

“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said. 

Cross-site scripting (XSS) attacks could be exploited by other web cache poisoning flaws. One vulnerability, for example, may cause the cache server to forward JavaScript file requests to an attacker-controlled IP. Ladunca was also able to reroute a cache request from one host to another that was vulnerable to DOM-based XSS attacks in another case. 

For the 70 web cache vulnerabilities he uncovered, Ladunca received a bug bounty of roughly $40,000. He did, however, learn some valuable lessons about safeguarding web cache servers. 

“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said. 

The researcher also suggested utilizing PortSwigger's Param Miner, an open-source tool for locating hidden, unrelated parameters. Param Miner can help detect unkeyed headers that can be used for web cache poisoning by running it against web apps.

Facebook Patched a Vulnerability that Exposed the Identity of Page Admins

 

Facebook gave a $4,750 bug bounty reward to a teenage researcher from Nepal for discovering a vulnerability that might have been abused to reveal the identity of a page's administrator. Businesses can use Facebook Pages to boost brand visibility on the social media network, but the Facebook account that has administrative rights over the page stays private. Sudip Shah, a 19-year-old from Pokhara, Nepal, identified an insecure direct object reference (IDOR) vulnerability in Facebook for Android that may be abused to reveal the identity of the page admin. 

Insecure direct object references (IDOR) are a form of access control vulnerability that occurs when an application directly accesses objects using user-supplied input. The term IDOR gained popularity after appearing in the OWASP Top Ten in 2007. It is, however, simply one of several access control implementation errors that can lead to access controls being evaded. IDOR vulnerabilities are most often connected with horizontal privilege escalation, although they can also occur in the context of vertical privilege escalation. 

Consider a website that accesses the customer account page via the URL https://insecure-website.com/customer account?customer number=132355 by retrieving information from the back-end database. In this case, the customer number is directly used as a record index in queries made on the back-end database. If no other restrictions are in place, an attacker can simply change the customer number value, allowing them to examine the records of other customers while avoiding access controls. This is an example of an IDOR vulnerability that results in horizontal privilege escalation. 

Shah noticed that altering the page id in a request containing a vulnerable endpoint resulted in the broadcaster id parameter in the response containing the admin ID while navigating to another page's live video section in Facebook for Android. “It leads to page admin disclosure which is a privacy issue to the page. The impact is high because the page’s admin information is meant to be kept private and not shown to the public,” the researcher says. 

The issue only affected pages with a live video function enabled, although Shah believes that most pages were affected because the feature is present on the majority of them. He further notes that an attacker would have needed a script to automatically modify the page id in the request and capture the broadcaster id in the response for mass exploitation.

The researcher also found a variation of the security flaw in which the attacker might have the admin ID disclosed in the response by including a modified live_video_id in the request. The underlying source of the issue, however, remained the same.

Newly Discovered XSS Flaw in Google Chrome’s ‘New Tab’ Page Evades Security Feature

 

A cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed hackers to run arbitrary JavaScript code has been patched by the Chromium team. 

Threat actors can exploit the vulnerability by sending an HTML file to the target that contains a cross-site request forgery (CSRF), which sends a malicious JavaScript code snippet as a search query to Google, said Ashish Dhone, cybersecurity researcher at Persistent System who discovered the vulnerability.

If the target opens the file, the CSRF script starts operating and the query is stored in the browser’s search history. When the user opens an NTP for a second time and clicks on the Google search bar, the malicious code is triggered.

The situation worsens, if the user was logged into their Google account when opening the malicious file, the request will be saved to their account’s search history and triggered on any other device where their Google account is logged in. 

“I wanted to find XSS in Chrome, hence my hunting started with the desktop application of Google Chrome. I was looking for HTML markup functionality where XSS can be executed. After spending hours, somehow, I found that in NTP, stored search queries are not sanitized and then I was able to execute [the uXSS],” Ashish stated. 

UXSS attacks abuse client-side flaws in a browser or browser extensions in order to generate an XSS condition and execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” Dhone explained.

While the vulnerability is dangerous, other researchers have pointed out that it is not a uXSS. “This XSS is a classic DOM-based XSS, where user-controlled text is assigned as an HTML using innerHTML,” security researcher Jun Kokatsu explained. 

Chrome’s NTP exposes Mojo.JS bindings that can send inter-process communication (IPC) messages to the browser through JavaScript code. The XSS bug could abuse this IPC channel to exploit a bug in the browser process, which executes at a much higher privilege than code running in web pages. 

“Usually, getting control over sending arbitrary IPC requires native code execution in the renderer process such as memory corruption bugs in the JS engine,” Kokatsu said. “However, because the IPC channel was exposed to JS directly in NTP, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”

GitLab Fixes Several Vulnerabilities Reported by Bug Bounty

 

With an update to its software development infrastructure, Gitlab has addressed numerous vulnerabilities — including two high-impact online security flaws. 

GitLab is a web-based DevOps life cycle platform providing an open-source license from GitLab Inc. to offer wiki, problem-tracking, and continuous pipeline integration and deployment capabilities. Ukrainian programmers Dmytro Zaporozhets and Valery Sizov have designed the program.

In GitLab's GraphQL API, a cross-site request forgery (CSRF) has developed a mechanism for an attacker to call modifications while they are impersonating as their victims. 

Cross-Site Request Forgery (CSRF) is an attack that causes an end-user in a web application to perform undesirable activities wherein he or she is presently authenticated. Users of a web application may be lured towards carrying out activities of an attacker using some social engineering support (such as delivering a link by email or chat). If the target is a regular user, a successful CSRF attack can force the user to make modifications such as money transfers, email addresses, etc. CSRF can compromise the whole web application when the victim is an administration account. 

The Gitlab Webhook feature could be exploited for denial- of service (DoS) attacks because of a second high-level security vulnerability. 

An attack by a Denial-of-Service (DoS) is designed to shut down a user computer system or network, which makes it unreachable to its intended users. DoS attacks achieve this by flooding or delivering information to the target causing a crash.

'Afewgoats' researchers have identified DoS vulnerability and reported it through a HackerOne-operated GitLab bug reward program. 

For both higher intensity vulnerabilities, CVE trackers were requested, although identification is not yet assigned. The Daily Swig was told by Ethical hackers that they had been working on a strategy for attacking webhook services. 

"The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. "It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." 

"So far it's been successful against PHP, Ruby, and Java targets," they added. 

Through updating installations to a new version of GitLab, CRSF and DoS issues and a range of minor errors can be rectified. 

As a security advisory from GitLab, the platform upgrade addresses 15 medium severity and two low-impact issues. These add-on vulnerabilities also include a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and the audit log problem of the stored XSS.

Indian Hacker Discovers a New Instagram Bug

 

Instagram has addressed a new flaw, which allows everyone to access private profiles without having to follow them and also lets them view archived posts and stories. 

The Facebook group recently rewarded an Indian programmer and Bug Bounty Hunter with Rs 22 lakh to identify the Instagram bug that can permit anybody, without following, to view different posts on a private Instagram account. The issue that the programmer, Mayur Fartade, has just reported on a media post might've been a big privacy violation that leads to target identity fraud and harassment given the hazards posed by it. On April 15, 2021, this flaw was notified to Instagram and now it is patched. 

The flaw might have enabled hackers or those intending to cyber spy – to target particular users' posts and gain access without having to follow their private account, according to Fartade. 

Fartade noted in his post that the high privileges which attackers may have gained would be utilized for looking at elements like “private/archived posts, stories, reels (and) IGTV, details including like/comment/save count, display_url, image. uri, Facebook linked page(if any) and other particulars, without following the user and by using Media ID”. 

The flaw may allow any brute person to force a "Media ID" post which is an ID for any post created on Instagram and then use it to regenerate legitimate links to archived posts and private posts. For this purpose, attackers can use the Instagram GraphQL tool on their developer library, input any targeted post's brute-forced media ID, and execute the tool to gain access to information such as the post link and other related details.

This issue might have revealed numerous sensitive facts and surely breached privacy, as non-followers having access to content on a private account could result in many untoward occurrences including identity theft, challenges, or harassment. 

Facebook in its letter to Fartade thanked him for his report: “After reviewing this issue, we have decided to award you a bounty of $30000. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne. Your report highlighted a scenario that could have allowed a malicious user to view targeted media on Instagram. This scenario would require the attacker to know the specific media ID. We have fixed this issue. Thank you again for your report. We look forward to receiving more reports from you in the future,” the company said. 


GitHub Awards $25,000 Bug Bounty to the Google Employee

 

GitHub awarded $25,000 to the security researcher, Teddy Katz for discovering a bug and patching it. On March 17, bug bounty hunter and Google employee Teddy Katz published a note regarding a GitHub flaw discovered in the communication system between repositories and the organization’s workflow automation software, GitHub actions.

The security flaw was tracked as CVE-2022-22862 and was reported as an improper access control susceptibility that “allowed an authenticated user with the ability to fork a repository to disclose Action secrets for the parent repository of the fork.”

Katz identified the working method of GitHub and how it manages to pull requests. Every single pull request is meant to have a base branch, and this is often the main branch of a repository. Pull request designers can lay the base branch pointer. However, the bug bounty hunter recognized that it was possible to set branches to commits, and while this ended in errors due to merge conflicts, GitHub Actions converted the bug into something more dangerous. 

GitHub executes merge pull request stimulations to stop pull request creators from accessing repository secrets. According to Katz, this “breaks the GitHub actions permission model” and evades Actions secrets restrictions.

“Since the base branch is part of the base repository itself and not part of a fork, workflows triggered by pull_request_target are trusted and run with access to secrets. We just created a pull request where the base branch is a commit hash, not a branch. And anyone can create a new commit hash in the base repository since GitHub shares commits between forks,” Katz explained. 

An attacker could split public repositories that use GitHub Actions, design a pull request, and then set a malicious Actions workflow and separately commit to a fork – gaining access to repository secrets in the process.

“It would be difficult to conceal the malware for long – the malicious package would almost certainly be unpublished in a matter of hours or days depending on how fast the maintainers/npm security team were able to respond. Once it was exploited like this, the underlying GitHub vulnerability would probably have been noticed and fixed as well,” Katz stated.

Security Researchers Received More Than $6.7 MIllion by Google as Bug Bounty Rewards

 

Security experts from 62 nations were paid more than $6.7 million (nearly Rs. 49 crore) by Google for identifying susceptibilities in Google products last year. Google has successfully managed to run the Vulnerability Reward Programs (VRPs) for ten years and the company has paid nearly $28 million to the security experts for spotting the vulnerabilities in Google products.

Google stated this week that “the incredibly hard work, dedication, and expertise of our researchers in 2020 resulted in a record-breaking payout of over $6.7 million in rewards, with an additional $280,000 given to charity. Following our increase in exploit payouts in November 2019, we received a record 13 working exploit submissions in 2020, representing over $1 million in exploit reward payouts”.

According to the company, Guang Gong (@oldfresher) and the team of experts at the 360 Alpha Lab at Chinese cybersecurity firm Qihoo 360 discovered 30% of the total number of Android vulnerabilities as a part of the bug bounty program. The latest vulnerability spotted by this group is a 1-click remote root exploit in Android, Google said this team still hold the record for receiving the highest Android payout ($161,337) for spotting the vulnerability in 2019.

Last year, the tech giant paid $50,000 to the security experts for spotting the flaws in Android developer preview and introduced bounty programs for Android Auto OS, Android chipsets, and for writing fuzzers for Android code. In Google Play, Google expanded the standard for certified Android apps to incorporate apps utilizing the Exposure Notification API and executing contact tracing to fight Covid-19. 

Apart from bounty rewards, over 180 security researchers have received more than $400,000 from Google in the form of grants for submitting 200 bug reports that resulted in 100 confirmed susceptibilities in Google products and the open-source ecosystem. The other notable tech firms that have a similar bug bounty reward program are Facebook, OnePlus, Qualcomm, Mozilla, Microsoft, and Reddit.

URL Spoofing: Interview With Bug Bounty Hunter Narendra Bhati


On 24th December, E-Hacking News conducted an interesting interview with Mr. Narendra Bhati, a Bug Bounty Hunter/Ethical Hacker. He was recently awarded a total of $20,500 by Apple Security. Narendra also discovered an Address Bar Spoofing Vulnerability in multiple browsers.
 
Q.1 Can you please start by introducing yourself to our readers? 
My name is Narendra Bhati, I’m a Bug Bounty Hunter and Ethical Hacker. I belong to a small town called Sheoganj in Rajasthan. Currently, I’m working as a lead Pentester in Suma Soft Private Limited for the last 7 years. 

Q.2 How do organizations react when you find a bug and go to them? 
Especially Google, Apple, and Hacker One, I believe that the response time has been better than the last time. Nowadays, everyone is working from their home and they can look into the issues quickly as they do not have to go to the office, which saves time. 

Q.3 On your blog Web Security Geeks, you posted about a banking vulnerability, how did you deal with it. Did you try contacting RBI? 
Last year, I had a few bank accounts and I tested these banking apps and found that these applications were vulnerable to very basic hacking attacks. I tried to contact the bank but as these banks do not have any bug bounty program for security, I contacted their customer support service and after 2-3 months, still, no response came. The customer service couldn’t understand what I was trying to explain. But now, four out of 5 banks have fixed the issue, one still remains. In the case of RBI, I was a bit afraid that if I try contacting RBI, it might come back at me asking why did I attest any application. But in similar cases, I’ve found the same issues with the mutual funds’ apps. 

Q.4 Did these banks respond to you or just silently fixed these issues? 
I sent an email to these banks and tried to contact the higher authority via LinkedIn. I found some senior security team and contacted them. Luckily, they were able to understand me and fix the issue within seven days. So basically, it took around 6 months to close the issue. 

Q.5 Many Indian organizations are not ready for opening the Bug Bounty Program. Why do you think it’s not happening here? 
I spent around 2-3 months and found 30+ bugs. I think why the hunters are not interested in the Indian Bug Bounty Program and why it’s not doing good is because the amount of work that hunters invest in finding a bug is not equal to what they are paid. For example, in a typical scenario, an International Bounty program has a price range of $500-800, whereas in India they offer only $80-100. So, the hunters think “why should I focus on the Indian bug bounty program when they offer such low reward” and the same works for me also. 

Q.6 Please tell us more about the URL Spoofing Vulnerability in the web browser and how does it work? 
The basic idea of URL spoofing is user trust. In URL spoofing, what an attacker can do is, whenever you click a URL, you’ll see that the URL belongs to Google.com but the content is shown from the attacker’s domain, so the attacker can show any desired content using the trusted domain. 
The same problem occurred with the Jio platform; the content was being shown from the attacker’s domain. Meanwhile, the user could attest to this data thinking the content shown from Jio is real but the attacker could violate this or do a phishing attack. I think the URL spoofing impacts banking websites the most, the attacker can use any trusted banking domain in India to create a fake page and the victim will most likely attest to that. 

Q.7 What made you interested in Bug Bounty? 
It all began when I was in 8th class and my father bought a computer worth INR 18,000 which was a lot back then. Also, my cousin Karan Gehlot influenced me a lot and brought my interest in computers. After doing my BCA from a local college, I went to Ahmedabad for an Animations course and enrolled myself. The course was to start after 10 days, and in that time, I came across a cybersecurity workshop ad on Facebook. I struggled a lot with stammering and lacked self-confidence but somehow, I went to that workshop. On the 2nd day, I talked with the organizers of the workshop and asked them that “I want to do a job and get in cybersecurity.” So, I started my journey with that organization as a Head Trainer of the Ethical Hacking course and I was also learning side-by-side, I worked for two years there, and in 2014, I joined Suma Soft. 

Q.8 When you found the vulnerability in Jio Browser, did the company respond? 
I contacted Jio via Twitter and they responded immediately, I shared all the information with them but after 2-3 mails, they stopped responding to me, I don’t know why. Recently, they renamed the browser to ‘Jio Smart Pages’ from Jio Browser and fixed the issue, but they didn’t reply to me back. 

Q.9 Is that the common thing, that the companies don’t respond to but silently fix? If so, why do you think it happens? 
That’s what I’m talking about, the Indian programs, they don’t respond. They’ll sweet talk to you in the beginning but once they receive the required information, you cease to exist for them. The companies have a brand image in the market, and if they disclose any information regarding any issue, it may affect their brand value. 

Q.10 Any advice to our readers on Cybersecurity? 
I give the same advice to all my connections/friends and I’ll give the same to you, don’t stop learning. Whenever you do a Bug Bounty Program, just stick to that, don’t change your timeline, spend a good amount of time in research and you’ll surely have good results.

Hacker Spotlight: Interview with 'Cyberboy', Bug Bounty Hunter who Won $3000

A few days ago Indian bug bounty hunter, Shashank aka Cyberboy came up with a creative hack that led him from multiple errors to Django admin takeover. The bug was about a private target he had been hunting for a while, he passed all the subdomains to FFUF, the most recent and fastest fuzzing open-source tool written in GoLang. The tool is used to brute force directories and files. You can read about the bug in detail in his blog post. I was impressed by the determination and creativity required to discover this exploit; being curious as I was, I decided to interview the innovative mind behind the process involved in discovering this hack and I'm sharing his answers with you all!


1) Hello Shashank, can you briefly introduce yourself to EHackingNews readers? 

Hi, I am Shashank. I am a security analyst at HackerOne, team lead at Cobalt (part-time), and a bug bounty hunter. I started bug bounties when I was 15 years old. I still do it in my free time after my regular job and part-time jobs. This all started in 2012-2013 when I heard that companies like Facebook and google pay hackers for finding a valid security issue on their website. I have been rewarded/recognized by Facebook, google, apple, Microsoft, PayPal, and 100+ top companies for reporting a valid security issue. 
 
2) A few days back, I read your blog post on the Django admin takeover and I was impressed by your persistence despite multiple errors you encountered, can you please share how did the final idea that led to the discovery of this exploit occur to you? 

Going back to my first bounty from google. It took me four months to find my first bug back in 2013. And I concluded that I need persistence in this field. 
 
The vulnerable endpoint where I found the bug. I had that endpoint in my suspicion notes from a week. After a week, when I managed to bypass the 500 error to access the endpoint, I started reviewing all API endpoints. Then I chained all the bugs to make the final exploit. I have tested countless APIs. With the experience of common patterns I see in all APIs, and I was able to construct the right API call to execute the privilege escalation. 
 
3) How did you discover hacking? Anything you can recall from your initial days as a bug bounty hunter? 

Yes, and I can never forget that incident because that changed my life forever. I studied at Sainik School. It was a boarding school. During my summer vacation, I was using Orkut, and I used to chat with one of my seniors. You know, way back then, social media was gaining popularity, and Orkut was a new thing. I used to chat with my senior every day after dinner. One day he was not online, and later, he informed me that his account was hacked. I was amazed at how this is even possible. So we together started digging and looking for clues about how it could have happened. After weeks of searching, we realized that his account was phished. 

After that, I wanted to learn it as well. Since I had zero programming experience, I had to spend months learning to phish. Later next year, while I was in school, I read in the library that hackers hack websites as well. After class 10th, I dropped out of Sainik school to pursue my career in IT and went to Delhi for JEE preparations. There I had my own computer, so I taught myself web hacking. I heard about the bug-bounty program during those days, and after my first bounty, I never stopped. Even today, in my free time. I love to participate in bug bounty programs. 
   
4) What was the most exciting bug you ever discovered? 

My most exciting bug was in blockchain.com. I have always been a crypto enthusiast. I believe that blockchain will be the next big thing. Blockchain.com is an online bitcoin wallet that I use. I found a bug that allowed me to steal anyone’s bitcoin wallet backup file. This could be exploited to steal money from the user’s account with a single click. 

Besides, I found a bug in Apple iOS in 2017, which allowed me to permanently crash an iOS user’s WhatsApp by sharing a contact. 
 
5) What motivates you to hunt exploits? 

Finding security issues in big and popular platforms is challenging and thrilling. It gives me immense happiness when I am able to chain all pieces of information and small bugs to make it a bigger exploit. Apart from that, we can get financial rewards, swags, and recognition for every valid submission, which adds motivation to do it again and again. 
  
6) How did you feel about the response from the affected organizations? 

Honestly, I stick with programs that appreciate hackers and are responsive irrespective of how much they pay. If I notice a program is not very responsive. I tend to move to other targets. 
 
7) How do you see the bug bounty space evolving over 5 years? 

Bug bounty has already boomed in 8 years. When I started, there were a few companies that had a bug-bounty program. Now it is almost countless. Millions have been paid out to hackers, and in the next five years, I am sure we will see more companies starting bug bounties. Even a government project like arogya setu has started bug-bounty programs. We are going to see more in the coming future. More companies and better rewards. 
  
8) What would you advise to the upcoming bounty hunters, any reading recommendations? 

I strongly believe in 2 things. One is reading, and the other is persistence. Even today, after eight years, I still read writeups of bugs published by other hackers on a daily basis. Software upgrades their security each day, and as a hacker, we need to be ahead and more creative to remain in the game. In this field of ethical hacking and bug-bounty, the day you stop learning is the end of the career. 

Apart from that hacking requires patience and persistence. It is not easy to find a bug when so many people are looking into the same application. It's all about never giving up and keep looking for bugs until you find one. This has always worked for me. 
  
9) What are your thoughts about E Hacking News? 

I know about E hacking news from the time I got into security. It is one of the few blogs that started long back when ethical hacking and bug bounties were not very popular. I would like to thank the people behind every such blog who are trying to make this world understand that hacking is not a criminal activity. It is a profession now.

Thank you very much for your time Cyberboy, Goodluck hunting in the future!

Can you find a bug in Xbox Live? Microsoft will pay you, if you do!

Think you're an expert at Xbox? Think you can find a bug in Xbox Live? Well, Microsoft might pay you some bucks.

Microsoft has launched an official bug bounty hunt for the Xbox Live network in order to improve the program and services. The bug hunters will be paid up to 20,000 dollars but the payment will depend on the severity of the security issue and the minimum amount will start from 500 dollars.



Microsoft in their bug bounty program is looking for serious security and other vulnerability issues like accessing unauthorized codes and not connection problems. The bounty program covers a wide range of vulnerabilities but with strict restrictions, for example, they will not cover issues such as DDoS issues and URL Redirects and disqualify anyone who tries to phish or social engineer Xbox users and engineers and moves within (laterally inside) Xbox network while searching for bugs.

Usually, security researchers are the ones who gain most from bug bounty programs but Microsoft has announced that anyone can submit bug issues regardless of their background.

 Program manager at the Microsoft Security Response Center (MSRC), Chloé Brown, said in the blog post announcing the bug bounty program, that submissions will need to give proof of concept (POC). “The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”


This is not Microsoft's first bounty program, they have earlier launched similar programs for Microsoft Edge browser, their “Windows Insider” preview builds, Office 365 and many others with rewards up to 15,000 dollars. But their biggest one remains for serious vulnerabilities found in the company's Azure cloud computing service where security researchers can earn up to 300,000 dollars for a super-specific bug.