Search This Blog

Showing posts with label Bug Bounty. Show all posts

URL Spoofing: Interview With Bug Bounty Hunter Narendra Bhati


On 24th December, E-Hacking News conducted an interesting interview with Mr. Narendra Bhati, a Bug Bounty Hunter/Ethical Hacker. He was recently awarded a total of $20,500 by Apple Security. Narendra also discovered an Address Bar Spoofing Vulnerability in multiple browsers.
 
Q.1 Can you please start by introducing yourself to our readers? 
My name is Narendra Bhati, I’m a Bug Bounty Hunter and Ethical Hacker. I belong to a small town called Sheoganj in Rajasthan. Currently, I’m working as a lead Pentester in Suma Soft Private Limited for the last 7 years. 

Q.2 How do organizations react when you find a bug and go to them? 
Especially Google, Apple, and Hacker One, I believe that the response time has been better than the last time. Nowadays, everyone is working from their home and they can look into the issues quickly as they do not have to go to the office, which saves time. 

Q.3 On your blog Web Security Geeks, you posted about a banking vulnerability, how did you deal with it. Did you try contacting RBI? 
Last year, I had a few bank accounts and I tested these banking apps and found that these applications were vulnerable to very basic hacking attacks. I tried to contact the bank but as these banks do not have any bug bounty program for security, I contacted their customer support service and after 2-3 months, still, no response came. The customer service couldn’t understand what I was trying to explain. But now, four out of 5 banks have fixed the issue, one still remains. In the case of RBI, I was a bit afraid that if I try contacting RBI, it might come back at me asking why did I attest any application. But in similar cases, I’ve found the same issues with the mutual funds’ apps. 

Q.4 Did these banks respond to you or just silently fixed these issues? 
I sent an email to these banks and tried to contact the higher authority via LinkedIn. I found some senior security team and contacted them. Luckily, they were able to understand me and fix the issue within seven days. So basically, it took around 6 months to close the issue. 

Q.5 Many Indian organizations are not ready for opening the Bug Bounty Program. Why do you think it’s not happening here? 
I spent around 2-3 months and found 30+ bugs. I think why the hunters are not interested in the Indian Bug Bounty Program and why it’s not doing good is because the amount of work that hunters invest in finding a bug is not equal to what they are paid. For example, in a typical scenario, an International Bounty program has a price range of $500-800, whereas in India they offer only $80-100. So, the hunters think “why should I focus on the Indian bug bounty program when they offer such low reward” and the same works for me also. 

Q.6 Please tell us more about the URL Spoofing Vulnerability in the web browser and how does it work? 
The basic idea of URL spoofing is user trust. In URL spoofing, what an attacker can do is, whenever you click a URL, you’ll see that the URL belongs to Google.com but the content is shown from the attacker’s domain, so the attacker can show any desired content using the trusted domain. 
The same problem occurred with the Jio platform; the content was being shown from the attacker’s domain. Meanwhile, the user could attest to this data thinking the content shown from Jio is real but the attacker could violate this or do a phishing attack. I think the URL spoofing impacts banking websites the most, the attacker can use any trusted banking domain in India to create a fake page and the victim will most likely attest to that. 

Q.7 What made you interested in Bug Bounty? 
It all began when I was in 8th class and my father bought a computer worth INR 18,000 which was a lot back then. Also, my cousin Karan Gehlot influenced me a lot and brought my interest in computers. After doing my BCA from a local college, I went to Ahmedabad for an Animations course and enrolled myself. The course was to start after 10 days, and in that time, I came across a cybersecurity workshop ad on Facebook. I struggled a lot with stammering and lacked self-confidence but somehow, I went to that workshop. On the 2nd day, I talked with the organizers of the workshop and asked them that “I want to do a job and get in cybersecurity.” So, I started my journey with that organization as a Head Trainer of the Ethical Hacking course and I was also learning side-by-side, I worked for two years there, and in 2014, I joined Suma Soft. 

Q.8 When you found the vulnerability in Jio Browser, did the company respond? 
I contacted Jio via Twitter and they responded immediately, I shared all the information with them but after 2-3 mails, they stopped responding to me, I don’t know why. Recently, they renamed the browser to ‘Jio Smart Pages’ from Jio Browser and fixed the issue, but they didn’t reply to me back. 

Q.9 Is that the common thing, that the companies don’t respond to but silently fix? If so, why do you think it happens? 
That’s what I’m talking about, the Indian programs, they don’t respond. They’ll sweet talk to you in the beginning but once they receive the required information, you cease to exist for them. The companies have a brand image in the market, and if they disclose any information regarding any issue, it may affect their brand value. 

Q.10 Any advice to our readers on Cybersecurity? 
I give the same advice to all my connections/friends and I’ll give the same to you, don’t stop learning. Whenever you do a Bug Bounty Program, just stick to that, don’t change your timeline, spend a good amount of time in research and you’ll surely have good results.

Hacker Spotlight: Interview with 'Cyberboy', Bug Bounty Hunter who Won $3000

A few days ago Indian bug bounty hunter, Shashank aka Cyberboy came up with a creative hack that led him from multiple errors to Django admin takeover. The bug was about a private target he had been hunting for a while, he passed all the subdomains to FFUF, the most recent and fastest fuzzing open-source tool written in GoLang. The tool is used to brute force directories and files. You can read about the bug in detail in his blog post. I was impressed by the determination and creativity required to discover this exploit; being curious as I was, I decided to interview the innovative mind behind the process involved in discovering this hack and I'm sharing his answers with you all!


1) Hello Shashank, can you briefly introduce yourself to EHackingNews readers? 

Hi, I am Shashank. I am a security analyst at HackerOne, team lead at Cobalt (part-time), and a bug bounty hunter. I started bug bounties when I was 15 years old. I still do it in my free time after my regular job and part-time jobs. This all started in 2012-2013 when I heard that companies like Facebook and google pay hackers for finding a valid security issue on their website. I have been rewarded/recognized by Facebook, google, apple, Microsoft, PayPal, and 100+ top companies for reporting a valid security issue. 
 
2) A few days back, I read your blog post on the Django admin takeover and I was impressed by your persistence despite multiple errors you encountered, can you please share how did the final idea that led to the discovery of this exploit occur to you? 

Going back to my first bounty from google. It took me four months to find my first bug back in 2013. And I concluded that I need persistence in this field. 
 
The vulnerable endpoint where I found the bug. I had that endpoint in my suspicion notes from a week. After a week, when I managed to bypass the 500 error to access the endpoint, I started reviewing all API endpoints. Then I chained all the bugs to make the final exploit. I have tested countless APIs. With the experience of common patterns I see in all APIs, and I was able to construct the right API call to execute the privilege escalation. 
 
3) How did you discover hacking? Anything you can recall from your initial days as a bug bounty hunter? 

Yes, and I can never forget that incident because that changed my life forever. I studied at Sainik School. It was a boarding school. During my summer vacation, I was using Orkut, and I used to chat with one of my seniors. You know, way back then, social media was gaining popularity, and Orkut was a new thing. I used to chat with my senior every day after dinner. One day he was not online, and later, he informed me that his account was hacked. I was amazed at how this is even possible. So we together started digging and looking for clues about how it could have happened. After weeks of searching, we realized that his account was phished. 

After that, I wanted to learn it as well. Since I had zero programming experience, I had to spend months learning to phish. Later next year, while I was in school, I read in the library that hackers hack websites as well. After class 10th, I dropped out of Sainik school to pursue my career in IT and went to Delhi for JEE preparations. There I had my own computer, so I taught myself web hacking. I heard about the bug-bounty program during those days, and after my first bounty, I never stopped. Even today, in my free time. I love to participate in bug bounty programs. 
   
4) What was the most exciting bug you ever discovered? 

My most exciting bug was in blockchain.com. I have always been a crypto enthusiast. I believe that blockchain will be the next big thing. Blockchain.com is an online bitcoin wallet that I use. I found a bug that allowed me to steal anyone’s bitcoin wallet backup file. This could be exploited to steal money from the user’s account with a single click. 

Besides, I found a bug in Apple iOS in 2017, which allowed me to permanently crash an iOS user’s WhatsApp by sharing a contact. 
 
5) What motivates you to hunt exploits? 

Finding security issues in big and popular platforms is challenging and thrilling. It gives me immense happiness when I am able to chain all pieces of information and small bugs to make it a bigger exploit. Apart from that, we can get financial rewards, swags, and recognition for every valid submission, which adds motivation to do it again and again. 
  
6) How did you feel about the response from the affected organizations? 

Honestly, I stick with programs that appreciate hackers and are responsive irrespective of how much they pay. If I notice a program is not very responsive. I tend to move to other targets. 
 
7) How do you see the bug bounty space evolving over 5 years? 

Bug bounty has already boomed in 8 years. When I started, there were a few companies that had a bug-bounty program. Now it is almost countless. Millions have been paid out to hackers, and in the next five years, I am sure we will see more companies starting bug bounties. Even a government project like arogya setu has started bug-bounty programs. We are going to see more in the coming future. More companies and better rewards. 
  
8) What would you advise to the upcoming bounty hunters, any reading recommendations? 

I strongly believe in 2 things. One is reading, and the other is persistence. Even today, after eight years, I still read writeups of bugs published by other hackers on a daily basis. Software upgrades their security each day, and as a hacker, we need to be ahead and more creative to remain in the game. In this field of ethical hacking and bug-bounty, the day you stop learning is the end of the career. 

Apart from that hacking requires patience and persistence. It is not easy to find a bug when so many people are looking into the same application. It's all about never giving up and keep looking for bugs until you find one. This has always worked for me. 
  
9) What are your thoughts about E Hacking News? 

I know about E hacking news from the time I got into security. It is one of the few blogs that started long back when ethical hacking and bug bounties were not very popular. I would like to thank the people behind every such blog who are trying to make this world understand that hacking is not a criminal activity. It is a profession now.

Thank you very much for your time Cyberboy, Goodluck hunting in the future!

Can you find a bug in Xbox Live? Microsoft will pay you, if you do!

Think you're an expert at Xbox? Think you can find a bug in Xbox Live? Well, Microsoft might pay you some bucks.

Microsoft has launched an official bug bounty hunt for the Xbox Live network in order to improve the program and services. The bug hunters will be paid up to 20,000 dollars but the payment will depend on the severity of the security issue and the minimum amount will start from 500 dollars.



Microsoft in their bug bounty program is looking for serious security and other vulnerability issues like accessing unauthorized codes and not connection problems. The bounty program covers a wide range of vulnerabilities but with strict restrictions, for example, they will not cover issues such as DDoS issues and URL Redirects and disqualify anyone who tries to phish or social engineer Xbox users and engineers and moves within (laterally inside) Xbox network while searching for bugs.

Usually, security researchers are the ones who gain most from bug bounty programs but Microsoft has announced that anyone can submit bug issues regardless of their background.

 Program manager at the Microsoft Security Response Center (MSRC), Chloé Brown, said in the blog post announcing the bug bounty program, that submissions will need to give proof of concept (POC). “The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”


This is not Microsoft's first bounty program, they have earlier launched similar programs for Microsoft Edge browser, their “Windows Insider” preview builds, Office 365 and many others with rewards up to 15,000 dollars. But their biggest one remains for serious vulnerabilities found in the company's Azure cloud computing service where security researchers can earn up to 300,000 dollars for a super-specific bug.