Yahoo using 'admin' as username and password, leads to RCE


Behrouz Sadeghipour, a bug bounty hunter, has found a critical vulnerability in one of Yahoo's subdomains (hk.yahoo.net) that allowed him to access its admin panel.

It is funny to learn that hk.yahoo.net was using 'admin' as both the username and the password for its panel.

After gaining access to the admin panel, he managed to upload his backdoor shell to the server. Using the shell, he was able to delete or create any file and run any command on the server.

He was also able to control a few other Yahoo subdomains. After being notified by the researcher, Yahoo patched the security hole. The researcher is still waiting for his bounty.

In addition to this bug, he also found a 'Directory Traversal' vulnerability on health.yahoo.com that allowed him to read the contents of the '/etc/passwd' file on the server.

Bug Bounty Programs: Github now offers $100 to $5000 for security vulnerability

GitHub is the latest organization to join the list of companies offering bounties to security researchers who find and report vulnerabilities.

GitHub, which previously only listed the names of reporters on its 'Hall of Fame' page, now offers bounties ranging from $100 to $5,000.

The exact bounty amount for each vulnerability is determined by GitHub based on the actual risk and potential impact to its users.

For example, a non-persistent XSS vulnerability that only works in the Opera browser (affecting only 2% of its users) will earn a small bounty. A persistent (stored) XSS that works in Chrome (affecting 60% of its users) will earn a larger reward.

The bounty program currently covers the GitHub API, GitHub Gist and GitHub.com. GitHub says its other applications are not part of the open bounty, but researchers may receive a bounty at its discretion.

So far, two researchers have received 1000 points for reporting 'Broken Authentication or Session Management' and 'Missing Function Level Access Control'.

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo

PHP Code Injection vulnerability

A web application penetration tester, Ebrahim Hegazy, has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could have allowed hackers to inject and execute arbitrary PHP code on the Yahoo server.

The vulnerability exists in the Taiwan sub-domain of Yahoo: "http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]". The 'sid' parameter allows PHP code to be injected.

According to his blog post, the sid parameter might have been directly passed to an eval() function that results in the code Injection.

In his demo, Ebrahim showed how to get the directory listing and the process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ps"))}
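As an added illustration (not Yahoo's code, and not the researcher's, which is not public), here is the pattern the post describes, an eval() call on PHP source built from the request parameter, next to a hardened handler that validates the parameter and binds it to a prepared query; the function names, the table name and the PDO-based query are assumptions.

```php
<?php
// Added example, not code from the page: the suspected vulnerable pattern and
// a hardened replacement for the rating/list endpoint. Names are assumed.
declare(strict_types=1);

// VULNERABLE PATTERN. The PHP source is assembled from $sid and then eval()'d.
// Inside a double-quoted string PHP treats "${expr}" as code, so a sid such as
// ${@print(system("dir"))} is executed before the query string even exists.
// Nothing in this file calls it with request data; it is here for comparison.
function vulnerable_build_query(string $sid): string
{
    return eval('return "SELECT * FROM rating WHERE sid=' . $sid . '";');
}

// HARDENED: validate the parameter against the type it is expected to have
// (a positive integer) and never turn request data into PHP source.
function safe_sid(string $raw): ?int
{
    $sid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $sid === false ? null : $sid;
}

// Detection helper for access logs: flags sid values carrying PHP's "${"
// variable syntax or a call to an execution function. A legitimate numeric
// sid never contains either, so a hit is worth an alert.
function looks_like_code_injection(string $raw): bool
{
    return (bool) preg_match('/\$\{|\b(system|exec|passthru|shell_exec|eval)\s*\(/i', $raw);
}

// Hardened handler: reject anything that is not a positive integer, then let
// the database driver carry the value as a bound parameter.
function rating_list(PDO $db, string $raw): array
{
    $sid = safe_sid($raw);
    if ($sid === null) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT id, score, comment FROM rating WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check on constructed inputs (the second one is the payload quoted above).
assert(safe_sid('12345') === 12345);
assert(safe_sid('${@print(system("dir"))}') === null);
assert(looks_like_code_injection('${@print(system("ps"))}') === true);
assert(looks_like_code_injection('12345') === false);
```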

He also found that the Yahoo server was running an outdated kernel vulnerable to a "Local Privilege Escalation" flaw.

Yahoo fixed the issue immediately after being notified by the researcher. However, he is still waiting for the bug bounty reward. Google pays $20,000 for this kind of vulnerability, and Yahoo has set its maximum bounty amount at "$15,000". Let us see how much Yahoo offers for this one.

POC Video:


Last month, German security researcher David Vieira-Kurz discovered a similar remote code execution vulnerability in the eBay website.

Researcher gets $33,500 for Remote Code Execution Vulnerability in Facebook


Here is a critical bug discovered in Facebook, and the biggest bounty Facebook has ever paid for a vulnerability report on its website.

Reginaldo Silva, a Brazilian hacker, has discovered a highly critical Remote Code Execution (RCE) vulnerability in Facebook that could have allowed attackers to read any file from the server. It could also have allowed attackers to run malicious code on the server.

In September 2012, he first discovered an XML External Entity Expansion bug in Drupal's OpenID handling. OpenID is an open technology that allows users to authenticate to websites without having to create a new password.

He found a similar bug affecting Google's App Engine and Blogger. However, since it was not critical (he was unable to access arbitrary files or open network connections), he received a $500 reward from Google.

He found that plenty of other websites implementing OpenID were vulnerable to RCE.

Recently, Silva learned that the Facebook "forgot password" page also uses an OpenID provider to verify the identity of the user. He managed to find the XXE bug in Facebook, which allowed him to read the "/etc/passwd" file from the server.

"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed." Silva wrote in his blog.

He thought it would take time to fix the bug. However, the Facebook security team responded quickly and fixed the issue within 3.5 hours.

"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers." Silva said.

He has been rewarded with a bounty of $33,500.

Hacking Challenge : Hack Tresorit and get $25,000 Bounty


Hungarian developers Istvan Lam and Szilveszter Szebeni are offering a $25,000 bounty to any white hat hacker who can break through the layers of defenses protecting their startup "Tresorit", VentureBeat reports.

Tresorit is intended to offer a truly secure cloud storage service in which users' files, passwords and encryption keys are never stored in unencrypted form; it is being referred to as a high-security alternative to Dropbox.

"Files and some corresponding encryption keys can only be decrypted by the people you have explicitly shared with."

The service uses client-side encryption: files are encrypted before they are uploaded to the cloud, using the AES-256 standard.

"All of our data centers employ physical security measures against intrusion, and are equipped with uninterruptible power and backup systems."

Hacker who exploits Windows 8.1 will get $100,000


Microsoft has finally launched security bug bounty programs and is now willing to pay researchers for reporting certain types of vulnerabilities and exploitation techniques, according to an official blog post.

Security researchers who manage to bypass the protections of the upcoming Windows 8.1 Preview will get up to $100K USD.

Researchers who provide "Defensive ideas that accompany a qualifying Mitigation Bypass submission" will get $50K USD.

Apart from these two bounties, Microsoft also offers $11K USD "for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview".

Anyone willing to participate in Microsoft's Mitigation Bypass Bounty can register at the Black Hat conference. Researchers who successfully bypass Windows 8.1 on the target laptop will get the reward.

An Interview with Bug Bounty Hunter M.R. Vignesh Kumar ,from TamilNadu


Hello E Hackers, today E Hacking News interviewed one of the best bug bounty hunters, Vignesh Kumar, who is listed on Hall of Fame pages including Google's and Twitter's and has been rewarded by many companies for his findings.

1. Introduce yourself
Hi, I am Vignesh Kumar from TamilNadu, INDIA. I hold a Bachelor of Engineering in Electrical Engineering and am in addition an Information Security Enthusiast and budding Bug Bounty Hunter.

2. You are an Electrical Engineer, How did you get interest in Information security field?
Yes, I am. But I am more obsessed with Electronics and Networking. Also I have a huge passion for Information security too. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

3. When did you start Bug hunting?
Around 5 months ago. But started in full swing from the last 3 months.

4. I have seen your name in lots of Hall of Fame, I am really proud to have you as my friend. How did your Parents/Friends react when you got rewards?
Thank you so much for your compliments. At the outset, I would like to thank my Family and all my Friends for all their support and encouragement. Well, when I received my first Bug Bounty (Cash reward), I told my friends about it and they looked at me like I was a Cyber Criminal. After I explained the “Bug Bounty Program” to them with a “Proof of Concept”, I could see smiley faces. No wonder!! Even many IT Geeks aren’t aware of the term “Bug Bounty”. Awareness is necessary.

5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
The vulnerabilities categorized by the OWASP Foundation.

6. What is your first finding, how did you feel at that time?
I can barely remember the exact first one. But whatever it was, it really had driven me to dig more deeply into it.

7. What is the favorite vulnerability found by you?
Each and every one of the vulnerabilities I found in Top Ranked Sites which includes Facebook, Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook, Twitter would be really hard in upcoming days since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers. “Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs”. Well said.

8. You're hunting bugs for fun, for profit?
Actually, bit of both. Beyond those you could gain more knowledge from around and develop your own skill set which is primary. Also I am glad that I have earned good friends around the world from this Bug Bounty program.

9. What are your future plans? Electrical Engineer or Information Security Researcher?
Obviously, Electrical/Network Engineer it is. And I believe I have the potential to handle multitasks. So I would continue my InfoSec Research too, either as an Independent or as a Team.

10. What is your advice for new bug hunters?
Well, that question is for Experts which I am not. I am a Beginner too. But from my experience, I may have few things. “Bug Bounty Hunting” is totally competitive. You shouldn’t jump into this one just by aiming on money. Have thirst of gaining knowledge which will fetch you HOFs, money and all. Don’t feel depressed when you fail for the first few times. Learn to the core and keep hunting which will definitely fetch you the rewards. Follow the InfoSec experts in Twitter /Facebook and try learning new hunting methodologies from their personal blog. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

11. What do you think about E Hacking News?
E Hacking News (EHN) is doing a great job and it is one of the Best IT Security/Hacking News Portal I have ever come across. I must appreciate your efforts in bringing up the real news on IT Security from around the world to all the Readers. Also must mention BreakTheSecurity.com which is with a hand full of Tutorials on Penetration Testing & Ethical Hacking for Beginners. Kudos to your efforts!! I would suggest continuing the publication of monthly Security Magazine from EHackerNews.

12. Is there anything else you want to add?
Nothing else I have. I wish all Bug Hunters very Good Luck for their hunting and a bright future. Thank you, Mr. Sabari Selvan, for this opportunity to share my experience with all. Thanks everyone!!

Paypal running out of Money in its Bug Bounty budget

It seems that PayPal is running out of money in its bug bounty budget. Bug hunters have started to report that PayPal has stopped giving bounties.

Recently, security researcher Mahadev Subedi discovered two XSS vulnerabilities in one of the PayPal domains (paypal-marketing.com.hk) and notified PayPal.

But Paypal responded "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."


XSS vulnerability in Paypal-marketing
Mahadev discovered POST-based cross-site scripting in two pages of the Paypal-Marketing domain: 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2. paypal-marketing.com.hk/merchant-enquiries/index-zh.php. PoCs for these vulnerabilities can be found here.

Researchers say PayPal stopped giving bounties because it had paid out a lot for low-priority bugs.

*Update*:
Bug hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:

Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.


Sites to be decommissioned in coming months:
  • paypal-deutschland.de
  • paypal-danmark.dk
  • paypal-promo.es
  • paypal-europe.com
  • paypal-france.fr
  • paypal-nederland.nl
  • paypal-norge.no
  • paypal-marketing.pl
  • paypal-sverige.se
  • paypal-turkiye.com
  • paypal-business.co.uk
  • paypal-marketing.co.uk
  • paypal-shopping.co.uk
  • paypal-australia.com.au
  • paypal-biz.com
  • paypal-business.com.hk
  • paypal-marketing.com.hk
  • paypal-offers.com.hk
  • paypal-shopasia.com
  • paypal-japan.com
  • paypal-apac.com
  • paypal-plaza.com
  • thepaypalblog.com
  • www.paypal-brasil.com.br
  • paypal-marketing.ca

Blind SQL Injection vulnerability in PayPal Notifications website



Indian security researcher Prakhar Prasad has discovered a Blind SQL Injection vulnerability in the PayPal Notifications website (paypal-notify.com) that allowed him to access the database of the PayPal notification system.

" As a part of Paypal Bug Bounty Program, I did a responsible disclosure of the bug to Paypal Security Team " The researcher said in his blog.


SQLMap displays the Database name after injection


Due to its high severity, the PayPal security team patched the vulnerability immediately, the day after Prasad's report.

On 21 January, PayPal rewarded the researcher with $3,000 for the SQLi and an additional $350 for other, less critical bugs.

Avast Introduces Avast Bug Bounty Program


It seems that the security company Avast has been drawn to bug bounty programs: today, Avast officially announced its own.

A bug bounty program is where security researchers find vulnerabilities in a target website or piece of software and get rewarded for their findings.

"As a security company, we very much realize that security bugs in software are reality," the official blog post reads. "But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful [than] those that don’t."

Avast claims to be the first security vendor with a reward program.

The company is only interested in the following types of bugs: remote code execution, local privilege escalation, denial-of-service (DoS), escapes from the avast! Sandbox (via bugs in code), and other bugs with serious security implications.

The base payment is $200 per bug. Depending on the criticality of the bug, the bounty can go much higher; remote code execution bugs will pay at least $3,000 to $5,000, or more.

Facebook vulnerability allowed hackers to record video of user and post in his wall


A Cross-Site Request Forgery (CSRF) vulnerability in Facebook allowed hackers to record video of target users and post it to the victim's wall. The vulnerability was discovered by security researchers Aditya Gupta and Subho Halder of the XYSEC Team.

A malicious hacker could trick a user into silently recording his webcam video and publishing it to his Facebook wall, without the user even knowing about it.

In a YouTube video, the researchers demonstrate how an attacker could exploit this vulnerability.

Four months after the researchers notified Facebook about the security flaw, Facebook finally emailed them that their finding was eligible for a bug bounty of $2,500, which will come as a Facebook WhiteHat Debit Card.

PoC:

List of Bug Bounty program for PenTesters and Ethical Hackers


"The best way to improve network security is hiring hackers." Unfortunately, companies can't hire all the best hackers. So they have chosen another good way to improve their system security: "Bug Bounty Programs".

A bug bounty program is where security researchers and ethical hackers find vulnerabilities in a target website or app and get rewarded for their findings.

Here is the list of bug bounty programs that offer rewards to security researchers who find vulnerabilities.

Google:
If you find a vulnerability in Google, you will get a reward and your name will be listed on the Google Hall of Fame page.

Details about Vulnerability Reward Program: http://www.google.com/about/appsecurity/reward-program/

Hall of fame: http://www.google.com/about/appsecurity/hall-of-fame/

The following table outlines the usual rewards for the anticipated classes of bugs (columns: accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2]):

Vulnerability type                                    | accounts.google.com                   | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2]
Remote code execution                                 | $20,000                               | $20,000                             | $20,000                    | $5,000
SQL injection or equivalent                           | $10,000                               | $10,000                             | $10,000                    | $5,000
Significant authentication bypass or information leak | $10,000                               | $5,000                              | $1,337                     | $500
Typical XSS                                           | $3,133.7                              | $1,337                              | $500                       | $100
XSRF, XSSI and other common web flaws                 | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500                       | $100


Security Bug Bounty from facebook:
Minimum reward is $500 USD.
The reward will be increased for severe or creative bugs
Only 1 bounty per security bug will be awarded

https://www.facebook.com/whitehat/bounty

Mozilla Bug Bounty program:


The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence.

For valid security bugs in web applications or services, Mozilla pays a range starting at $500 (US) for high-severity bugs and, in some cases, up to $3,000 (US) for extraordinary or critical vulnerabilities. The reward also includes a Mozilla T-shirt.

http://www.mozilla.org/security/bug-bounty.html

Paypal Bug Bounty Program For Professional Researchers

https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

Secunia Vulnerability Coordination Reward Program (SVCRP)
SVCRP – a reward program incentive offered by Secunia to researchers who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf: http://secunia.com/community/research/svcrp/

Etsy :
Will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team.

http://codeascraft.etsy.com/2012/09/11/announcing-the-etsy-security-bug-bounty-program/

Barracuda Networks
www.barracudalabs.com/bugbounty

Companies that credit the researcher on their site but do not pay bounties:

Adobe Systems Incorporated:
Details :http://www.adobe.com/support/security/alertus.html
Security Acknowledgments : http://www.adobe.com/support/security/bulletins/securityacknowledgments.html

Twitter:

https://twitter.com/about/security

EBay:
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html

Microsoft
http://technet.microsoft.com/en-us/security/ff852094.aspx
http://technet.microsoft.com/en-us/security/cc308589
http://technet.microsoft.com/en-us/security/cc308575
http://technet.microsoft.com/en-us/security/cc261624
http://www.microsoft.com/security/msrc/default.aspx

Apple
http://support.apple.com/kb/HT1318
https://ssl.apple.com/support/security/

Dropbox
https://www.dropbox.com/security
https://www.dropbox.com/special_thanks

Reddit
http://code.reddit.com/wiki/help/whitehat

Github
https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities

Ifixit
http://www.ifixit.com/Info/responsible_disclosure

37 Signals
http://37signals.com/security-response

Twilio
http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html

Constant Contact
http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

Engine Yard
http://www.engineyard.com/legal/responsible-disclosure-policy

Lastpass
https://lastpass.com/support_security.php

RedHat
https://access.redhat.com/knowledge/articles/66234

Acquia
https://www.acquia.com/how-report-security-issue

Zynga
http://company.zynga.com/security/whitehats

Owncloud
http://owncloud.org/security/policy
http://owncloud.org/security/hall-of-fame

Tuenti
http://corporate.tuenti.com/en/dev/hall-of-fame

soundcloud:
http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

Nokia Siemens Networks
http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure


Yandex Bug Bounty:

http://company.yandex.com/security/hall-of-fame.xml