Bug Bytes #61 – Facebook Account Takeover, @thedawgyg’s Darknet Diaries and Bug Bounty Millionaire @inhibitor181
By Intigriti
March 10, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 28 February to 6 March.
Intigriti news
We sat down with hackfluencer and creator @stokfredrik and discussed his creator journey, live hacking, collaboration and his experience doing full-time #bugbounty hunting. Read the full interview here:
Bug Business #2 – Hacking, traveling and vlogging with @STÖK
Our favorite 5 hacking items
1. Tools of the week
– FUSE & FUSE: Finding File Upload Bugs via Penetration Testing
– Pulsar
Pulsar is described as a network footprint scanner platform. I didn’t get to test it yet, but it looks promising. It wraps many recon tools and automates recon tasks such as subdomain enumeration, cloud resource discovery and basic vulnerability scanning. You can run custom checks periodically, and results are presented in a very cool dashboard.
FUSE and its accompanying research paper are also worth checking out. It helped discover 30 file upload vulnerabilities in 23 Web apps!
2. Writeup of the week
Facebook OAuth Framework Vulnerability ($55,000)
@AmolBaikar challenged himself to find a vulnerability in Facebook’s “Login with Facebook” feature. And boy, did he deliver! He found a postMessage flaw that could allow anyone to steal user access tokens for vulnerable apps using Facebook’s OAuth flow.
The bounty is of course impressive. But there is also the fact that this bug has been there for years (maybe up to 10!), on one of the most hardened targets.
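The write-up concerns a postMessage flaw in an OAuth flow; the example below is an added, generic illustration of that bug class, not the actual Facebook issue and not code from the write-up. It models the browser’s delivery rule for window.postMessage (a targetOrigin of "*" delivers to any window, otherwise the recipient’s origin must match) and shows the two mistakes that leak tokens: the provider posting the token with targetOrigin "*" to whatever window opened the popup, and the app accepting a token without checking event.origin. All origins, names and the token value are assumptions.

```javascript
'use strict';

// Assumed origins for illustration only.
const PROVIDER_ORIGIN = 'https://idp.example';      // OAuth provider (popup page)
const APP_ORIGIN      = 'https://app.example';      // legitimate relying party
const ATTACKER_ORIGIN = 'https://attacker.example'; // page that opened the popup itself

// Minimal model of a browser window: a real origin, an optional message
// listener and a log of what it received.
function makeWindow(origin, onMessage) {
  return { origin, onMessage, received: [] };
}

// Model of window.postMessage(data, targetOrigin) from senderOrigin:
// "*" delivers to any window; otherwise the target's origin must match exactly.
// Returns true if the message was delivered, false if the browser dropped it.
function send(target, data, targetOrigin, senderOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== target.origin) return false;
  target.received.push(data);
  if (typeof target.onMessage === 'function') target.onMessage({ data, origin: senderOrigin });
  return true;
}

// Sender side, vulnerable: the provider returns the token to whatever window
// opened the popup and uses targetOrigin "*", so an attacker-opened popup
// hands the token straight to the attacker's window.
function vulnerableReturnToken(openerWindow, token) {
  return send(openerWindow, { access_token: token }, '*', PROVIDER_ORIGIN);
}

// Sender side, hardened: pin targetOrigin to the origin registered for the
// app (e.g. derived from its registered redirect_uri). The browser then drops
// the message if the opener is not that origin.
function hardenedReturnToken(openerWindow, token, registeredOrigin) {
  return send(openerWindow, { access_token: token }, registeredOrigin, PROVIDER_ORIGIN);
}

// Receiver side, hardened: the app only trusts a token whose event.origin is
// the provider. Messages from any other origin are rejected and logged.
function makeTokenReceiver(trustedOrigins) {
  const state = { token: null, rejected: [] };
  state.onMessage = (event) => {
    if (!trustedOrigins.has(event.origin)) { state.rejected.push(event.origin); return; }
    if (event.data && typeof event.data.access_token === 'string') state.token = event.data.access_token;
  };
  return state;
}

// Runs both scenarios and returns the observable outcomes.
function demo() {
  const token = 'EAAB-assumed-token'; // assumed value, not a real token

  // 1. Attacker opens the popup; provider posts with "*": token leaks.
  const attackerWin = makeWindow(ATTACKER_ORIGIN, null);
  const leaked = vulnerableReturnToken(attackerWin, token);

  // 2. Same attacker window, provider pins targetOrigin: browser drops it.
  const attackerWin2 = makeWindow(ATTACKER_ORIGIN, null);
  const blocked = !hardenedReturnToken(attackerWin2, token, APP_ORIGIN);

  // 3. Legitimate app window with origin check on the receiving side.
  const receiver = makeTokenReceiver(new Set([PROVIDER_ORIGIN]));
  const appWin = makeWindow(APP_ORIGIN, receiver.onMessage);
  const delivered = hardenedReturnToken(appWin, token, APP_ORIGIN);

  // 4. Attacker page (e.g. in an iframe) posts a forged token to the app:
  //    the origin check rejects it even though delivery succeeded.
  send(appWin, { access_token: 'forged' }, APP_ORIGIN, ATTACKER_ORIGIN);

  return {
    leakedToAttacker: leaked && attackerWin.received.length === 1,
    blockedByTargetOrigin: blocked && attackerWin2.received.length === 0,
    deliveredToApp: delivered,
    appToken: receiver.token,
    rejectedOrigins: receiver.rejected,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two fixes are independent and both are needed: pinning targetOrigin protects the token in transit to the wrong window, while the event.origin check stops a malicious page from injecting a token (or other data) into the app’s handler.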
3. Podcast of the week
@thedawgyg has made several appearances in the media recently, but I had never heard his full story before. Who better than Darknet Diaries to recap his adventures, from chat rooms and black hat days to prison and then full-time bug hunting? Brace yourself for interesting hacker tales!
4. Non technical item of the week
Writing is a skill every one of us needs to be working on. Being able to convey ideas in a professional, concise and clear way can make all the difference in the world when you are writing blog posts or bug bounty/pentest reports. I would even argue that writing is the biggest hurdle most hackers face, especially those of us who are not native English speakers.
This course is a fantastic resource for improving technical writing skills. It is the same one Google engineers take! I am definitely going to dedicate time to this.
5. Video of the week
Going from a Full-Stack Developer to $1M Hacker: @inhibitor181 Talks About Recon, Hacking and More!
Yep, another interview! This week’s hacking motivation comes from @inhibitor181. @NahamSec asks him a bunch of interesting questions like how he got started, how he went from informative bugs to earning his living with full-time bug hunting, dealing with imposter syndrome, etc. Lots of fun, as always!
Other amazing things we stumbled upon this week
Videos
Podcasts
Layer 8 Podcast Episode 14: Dutch_OSINTGuy – Spot the Jihadi
Security Weekly News #15 – Tesla, Crypto AG, Shark Tank, COVID-19
Application Security Weekly #98 – Ghostcat, Apache, Networks, Starliner
Webinars & Webcasts
Mobile Application Static Analysis (Free registration required)
Conferences
Slides & Workshop material
Entomology 101 – An introduction to studying, collecting and finding bugs…
Offensive Python for Pentesting & Python for Pentesters Scripts
BSidesSF 2020, especially:
Tutorials
Medium to advanced
Beginners corner
Writeups
Pentest writeups
Responsible(ish) disclosure writeups
Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains #Web
qdPM v9.1 Authenticated RCE Exploit #Web #FileUpload
CVE-2020-2555: RCE Through a Deserialization Bug in Oracle’s WebLogic Server #RCE #Deserialization
Authentication bypass by supplying a regex as a session token in parse-server #Web
Bug bounty writeups
“Bounties paid in the last 90 days” discloses the undisclosed bounty amount in program statistics (Hackerone, $500)
Delete All Data of Any User (Nextcloud, $250)
Got Bounty with Account Takeover (ATO) Unicode-Case Mapping Collision!
Tools
Reports: Templating script @Rhynorater uses to generate bug bounty reports
Cnames: Take a list of resolved subdomains and output any corresponding CNAMES en masse
h2i: Converts a hostname (or URI) to IP address using your local resolver
Fufluns: Easy to use APK/IPA Mobile App Inspector (experimental)
ArchiveFuzz: Hunt down the secrets from the WebArchives for Fun and Profit
Common Password Permutations: A script to produce a word list based on mangling a single word for password-guessing tests
Common-substr: Go script to extract the most common substrings from an input text. Built for password cracking
As3nt: Another Subdomain ENumeration Tool
AutomatedHunter: Google Chrome Extension that automates testing GET parameters for LFI, RFI, SQLi and Open redirect
PowerExfil: A collection of data exfiltration scripts for Red Team assessments
Abaddon: Wavestone’s red team operations management software
Misc. pentest & bug bounty resources
2019 Gravitational Security Audit Results #PentestReports
Articles
News
Bug bounty & Pentest news
DoD VDP Annual Report 2019 (Geo-blocking used. If not accessible, use a VPN or proxy)
Introducing Joinable Programs: Expanding the Pathway to Program Eligibility
BSides Cairo: The security conference that’s building information sharing from the ground up
Reports
DMARC email authentication: Increased adoption obscures poor enforcement problem
Akamai 2020 State of the Internet / Security: Financial Services – Hostile Takeover Attempts
Vulnerabilities
Android security: Google patches a dangerous flaw in these phones
Solar panels expose home WiFi networks to password theft, remote attacks
Zoho Fixes No-Auth RCE Zero-Day in ManageEngine Desktop Central
Zero-Day Bug Allowed Attackers to Register Malicious Domains
Breaches & Attacks
Hackers are actively exploiting zero-days in several WordPress plugins
Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now
Clearview
A not so Clearview?: Lack of authentication in API silently fixed
Apple has blocked Clearview AI’s iPhone app for violating its rules
Other news
Microsoft, Google Offer Free Remote Work Tools Due to Coronavirus
Let’s Encrypt scrambles to manage fallout from digital certificate system bug
Have I Been S0ld? No, trusted security website HIBP off the table, will remain independent
Chinese security firm says CIA hacked Chinese targets for the past 11 years
Non technical
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/28/2020 to 03/06/2020.
Curated by Pentester Land & Sponsored by Intigriti