Undetected e.02 recap: Fredrik N. Almroth – Bug Bounties – 10 minute mail

Bug bounties – some argue that this is one of the buzzwords of the decade in the cybersecurity industry. Whatever you want to label it, it’s a trend that we can’t ignore these days. A lot of companies are taking part in it, so what’s it all about? 

There were many valuable soundbites to take from this, and especially from podcast guest, Fredrik N. Almroth (@almroot) because he’s hacked all the tech giants and more. If you can name it, he’s probably hacked it. We’ve taken highlights from this bug bounties episode, and the dialogue has been edited for brevity. Let’s dive in:

Disposable mail Co-founder and security researcher Fredrik Nordberg Almroth

Image: Fredrik Nordberg Almroth, Disposable mail co-founder and world-class bug bounty hunter

Undetected – a web security podcast is a Disposable mail production that uncovers different depths of web security. You can listen to the full length of Episode 2 on SimpleCast or your preferred podcast platform. The video version is also available online.

Fredrik and his take on the evolution of web security

Fredrik: Well, I’m a security researcher and co-founder of Disposable mail and… I hunt for bug bounties, which kind of correlates to how we do things in Disposable mail. I started already in high school … when I met my fellow co-founders of Disposable mail. By that point we realized that, well the Internet is quite broken. This was back in 2006 when we first met and by 2008, we decided to start a consultancy business doing penetration testing. But one thing led to another and we started automating things and this idea kind of grew. So we all went to university and dropped out one after another. And by this point, some ideas started to stick, like crawling is pretty good to find your URLs on the website and if you have query parameters in URLs then you can start looking for SQL injection.

Then Cloud started becoming a buzzword around here in Sweden. So we figured why not make a new company doing something else.

Laura: We have taken quite huge strides when it comes to security in these past few years as well. How do you feel that automation, for example, played into this?

Fredrik: You can say that some vulnerabilities come and go, SQL injection was a lot more out there a couple of years ago, but now it’s mostly been abstracted that way by different frameworks and so forth. But at the same time, you now have like server-side template actions, and it’s basically the same kind of injection attack state. 

They come and go, but in different forms over the years. Now there’s more out on the internet, more services, more technologies in general. There are more things, hence more things can break, but at the same time, the vulnerabilities that exist back then, are not as common nowadays except for XSS.

Laura: It (web security) really evolved and the hacks in general. The Tesla hack you did was a cross-site scripting attack. Right?

Tesla DOOM DOM XSS

Fredrik: Tesla was running Drupal at the time, and Drupal was bundled with a “what-you-see-is-what-you-get” kind of editor called CK editor, and this library bundles with an example file. So using this example file you could do a drag-and-drop XSS where you can drag something that looks okay on one website onto some other place, and it executed in Tesla’s origin… And then you have cross-site scripting – Tesla DOM DOOM XSS. So what I demonstrated was you could play Doom on Tesla’s website, and I replaced the entire window with the game Doom.

Laura: That sounds like fun. Couldn’t play Doom anywhere else?

Fredrik: Yes, it’s, well I packed away this payload because it was fun. So I use it every now and again in various cross-site scripting demonstrations.

Getting read access on Google

Laura: Also a bigger vulnerability that you found previously was back in 2014 when you found an XXE vulnerability in Google. Basically you were able to run your own code on Google’s server. 

Fredrik: While the company wasn’t low on cash yet, Mathias Karlsson (a co-founder) and I figured that bug bounty actually works as a way to collect some money. So what’s the most bang for the buck? What companies are out there that we can hack and get the most money for the least amount of effort? Facebook or Google.  

Well, Facebook is not very fun to target, so we went for Google. Our approach was: we should find the newest features and products or go for the really old legacy stuff that they might’ve forgotten. So using Google search itself, we found a feature that dated earlier than 2008 called the Google toolbar button gallery. So if you remember this way back in the Internet Explorer, you had this toolbar from Google and companies could upload their own buttons to this toolbar and that was the feature we attacked. This was an XML file uploaded to Google.

You as a website owner could add your own button to the toolbar so that other users could find you. This button definition was an XML file and quite frankly, you can do a lot of weird things in a plain vanilla XML file, and an external entity is one of those.

Fredrik: We uploaded a file and gave it some name and description, etc, but we added a definition that instructed Google to try to read another file from their local file system. So we tried to pull the normal user file on Unix systems and uploaded it and it worked. But we asked, “Okay, did anything actually happen?” 

We made another attempt where we changed the title to something like “hello world”, and then searched on Google or for toolbar buttons containing “hello world.” … meaning we searched for what we just uploaded.

Laura: That’s kind of like local file inclusion.

Fredrik: Yeah, that’s basically the impact. We got read access on Google.com. This was quite fun. So from start to stop, it took us four hours to identify, exploit and have it reported.

Start of bug bounty career:

Laura: Were these all bug bounty programs or were they public programs that you enrolled in or how did you stumble across these?

Fredrik: This was about the time that we actually founded Disposable mail and bug bounty started becoming something you spoke about on Twitter. So Google, in my world, was the first company I saw that had this kind of policy, meaning anyone can hack Google. If they manage to do it and Google accepts it as a new unique vulnerability, you get money for it and afterward, you can speak about it. As an early-stage startup, this was nice to have some material to be seen and heard.

Laura: How did people react to your work on bug bounties back then?

Fredrik: It varied. People in Silicon Valley know about this as that’s kind of where this entire industry started. But over here in Sweden, it was unheard of that this was even a possibility. For example, a friend’s friend of mine happens to work for the Swedish Police and I told him about the Dropbox hacking event which I attended in Singapore, and his response was, “What? You can’t do that? That’s criminal.” I said, “No, no, no, you missed the point.” I had to elaborate a bit on what bug bounty is and so forth.

Laura: In our bubble of Infosec, everyone knows what a bug bounty is or what responsible disclosure is, but outside of this immediate bubble, it is not that obvious. What is your short description of bug bounties?

Fredrik: Bug bounty is freelance penetration testing in a way. Anyone on the Internet can go to a company, find a vulnerability and have a streamlined process of reporting it to the company. If it’s a unique vulnerability and you are the first one to submit it, then you get a monetary reward at the end. Now we have platforms and marketplaces to facilitate this among vendors and researchers such as Bugcrowd, HackerOne and Synack.

Laura: Yes and bug bounties are offering a [monetary] reward in exchange for the vulnerability report or swag.

Responsible Disclosure Policy – that’s all it takes:

Laura: These bug bounties have basically lifted hackers out of the darkness, and now hackers can actually talk about what they have found. They can disclose it, depending on the program. It’s also shedding a more positive light on hackers.

Fredrik: Indeed. But I think it’s quite important to speak a bit about Responsible Disclosure programs as well, since it’s basically the first stepping stone to do something like this. It could be as simple as having an email address or a contact form where someone can submit vulnerability information. That’s all it takes.

More often than not, you (an ethical hacker) know it yourself that there are vulnerabilities all over the place, but it can be quite tricky to report it.

And you (application owner), you don’t always have to offer swag or money. You just have a channel to accept it.

Laura: A common practice out there is putting a security.txt file in your domain so that people find the contact information of your security personnel there for reporting.

Is this the minimum thing that a company should do in terms of Responsible Disclosure?

Fredrik: Security.txt is a very good starting point. With that, you can set up a [email protected] email (to receive reports).

Laura: So you don’t need to go on a commercial bug bounty platform and open a program there?

Fredrik: No, I think that should come a bit later once you have matured your security processes, so you know what you get basically. It can be quite overwhelming if you go directly to one of these platforms, open a bug bounty publicly to the world because everyone will start reporting straight away.

Laura: Do you think that a company who enlists in a public program will get a ton of reports right from the get-go?

Fredrik: More in the beginning, and then it should probably slow down.

Laura: Would it make sense then to do some kind of security assessment before that?

Fredrik: Yes. I think you should only start with a Responsible Disclosure Policy. 

Once you’ve had your pentest reports, some automated scanning and an organization that can handle the security reports, then you should consider a Responsible Disclosure Policy or a private bug bounty program. After that, you could make it public.

Laura: Do you feel that offering a bug bounty program is appropriate for all sorts of companies out there?

Fredrik: Yes, I think so as long as you have some kind of online presence. But it has to be something technical. It’s quite hard to have a bug bounty otherwise. Even manufacturers of hardware, for example, are growing with IoT applications. These could open up as bug bounty programs.

Laura: Yeah. I’m just trying to think of something that wouldn’t have an online presence these days.

Fredrik: But everything has, right?

Laura: Yeah. Everything has at least a company website, if nothing else.

Fredrik: Exactly. You always have something important to your business and you can probably make a bounty program around that. Ask yourself what you are trying to protect. Say you are Dropbox. The most sensitive things would be your users and their files, right? If you’re Apple, well, it’s basically everything, that’s a bad example I guess. For a bank, it’s probably the money.

So then it doesn’t really matter if it’s only one domain. That’s the scope for your program. You should really try to think about this, “what am I trying to protect?” and make a policy thereafter.

Setting the scope of your disclosure program:

Laura: You mentioned “Scope”, and the scope in a bug bounty program is defined by the company and it can be a domain or source code or some device.

Fredrik: Yes, it’s usually along those lines. It’s one or several domain names that can be mobile apps, GitHub repositories, etc. If it’s a hardware manufacturer, it could be their devices to sell to consumers. There are a lot of blockchain companies that would be attacking the blockchain technology itself.

Laura: What is the best scope for you as a bug hunter?

Fredrik: For me privately, the bigger scopes the better. Being a security researcher, you have a bit of an arbitrage. The more things that are exposed and that you can audit, the more things will break, as simple as that. The bigger the company, the easier it is in my opinion, and that’s because a bigger scope means more critical vulnerabilities and that’s more business impact. So it will help you as a company even more.

Laura: So what happens if you go outside of a scope in a bug bounty program?

Fredrik: That really depends on the organization. What really matters in a bug bounty program is the business impact that an outsider can have. So unless something is explicitly out of scope, it could be fine to report a vulnerability if it has a proven impact.

That’s my take on it. Although that could also be considered scope creeping if you do this.

Laura: What is scope creeping?

Fredrik: You go a bit out of scope and in again. For example, if you find something on Adobe and you go outside to some local subsidiary or something and then back into scope. More often than not, it’s generally accepted on these live hacking events. 

Laura: Maybe at the live hacking events, the overall environment is easier to control than hacking otherwise.

Fredrik: In these events, they collect a group of people to hack a company over a day or two in person. Then you have all the stakeholders at one place they can communicate about it.

Laura: Do some security researchers not report something if it’s out of scope and if it’s not that critical?

Fredrik: 100%. I really believe so. For example, Open Redirect is no longer on the OWASP Top 10. Finding an open redirect somewhere on a subdomain that might be explicitly out of scope and while you know it’s there, you wouldn’t report it with the risk of losing a score or a reputation or what-not on one of these platforms.

But at the same time, if they have OAuth and it is misconfigured, I can use it to do some kind of authentication bypass or steal some sensitive tokens. Then all of a sudden you’re out of scope, then go in again, and you might have an account takeover and that would be usually considered critical.

And that companies would accept.

Laura: So it really depends on the impact and if you can demonstrate the impact.

Fredrik: Exactly. That’s, I think that’s the moral of the story. It’s the impact that matters. You need a proof of concept. Otherwise it’s kind of a void report.

Laura: Yeah. Because I used to work as a pentester and during an assignment you have limited time as well, so you don’t always have to provide the proof of concept. Pentesters look at it from a wider angle and they can see white box, the infrastructure, the servers and so on. So for me, it’s interesting how impact-driven the bug bounty community is. It’s a good thing.

Bug bounty is a growing industry

Laura: Bug bounties have become a big industry but it has also gotten some criticism or scrutiny over how many active researchers there actually are, like this Dark Reading article by Robert Lemos on how bug bounties continue to rise. But the market has its own 1% problem.

It’s kind of like the same as being a professional in anything, like a professional basketball player. And I think that was also something that was said here in Lemos’ article that was most likely a quote from Mårten Mickos, that not everyone is going to succeed. And then there’s a group who succeed and are really, really good at what they do.

Fredrik: Right. A lot of people are drawn into what they see on Twitter and the media that bug bounty is a growing thing. People go around on these live events where it’s an open environment and everyone always finds something critical, which is true. But to get there, that’s the hard part.

A vast majority might not have a professional take on how to report vulnerabilities, and then it might be people like yourself coming from pentesting background without experience on the same style of reporting.

Laura: … And having all of them rejected.

Fredrik: That’s the thing, right? If you go in with the mindset of a pentester, then I don’t think you would grasp it well, and it probably would be a bit discouraging. And once you get the grasp of it, then you need it to beat the rest that are in the game with vulnerabilities that will be accepted. So I think it could be a steep curve to get into.

Laura: You have been active since 2013 so you’re well ahead of people who are only starting out now. What are tips you have for beginners when trying out bug bounties?

Fredrik: Learn by doing. Submit reports and see how it works, and when it works. There are a lot of good resources out there and streamers that speak about how to do bug bounty, and educate people on what to look for.

Laura: What do you recommend?

Fredrik: I’m going to be a bit biased here, and recommend our fellow coworker, TomNomNom. I also like STÖK, a Swedish researcher.

Anything that Bug Bounties aren’t good for?

Laura: What is something that bug bounties are not really good for?

Fredrik: It’s not a silver bullet to your security. It’s a nice addition to an already quite mature organization in terms of security. It’s the many-eyes principle meaning you have more people looking and trying to break something – and someone will eventually be able to do that. 

If you start a bit premature with doing bug bounties as a company, chances are that it will be a bad experience for researchers. For example, it sucks for me if I report a vulnerability and it gets flagged as a duplicate. I’m probably not the first one to be flagged as a duplicate.

Laura: Or if the companies are slow to respond?

Fredrik: Yes. It must be horrible for the company as well. They get an overwhelming amount of reports as they can’t act on it fast enough, so then it’s not nice for anyone.

Start with private and then slowly expand the scope and amount of people that participate in your program and have it as an addition.

Laura: It’s a good way of getting rid of those low hanging fruit and understanding what you’re exposing there?

Fredrik: No, on the contrary. The bug bounty community will find all of it. They will find the XSS’s. If you can’t fix the XSS fast enough, then you will have a problem.

Laura: You will have multiple reports on the same XSS.

Fredrik: Yes, you will. The best researchers tend to go for more creative vulnerabilities and you want them to be looking deep into your system and catching hard-to-find things.

Laura: Do you think that all companies get equal treatment from bug bounty hunters as well?

Fredrik: No, I don’t think so. It’s absolutely a monetary interest. There are more and more companies joining these platforms, and there’s a limited amount of researchers that provide value. So then you have to compete with other programs to have researchers look at your stuff.

Researchers like big scopes

Laura: We’ve had multiple takeaways for our listeners in this episode already, but do you have any like one big takeaway for our listeners?

Fredrik: If you’re a company, start small, then expand. Researchers love big scopes, so try to reach that eventually. 

If you’re starting off with bug bounty hunting, don’t give up too soon. It takes time and practice to get into this, but it’s not impossible. Anyone can do it. Really. It’s just problem-solving.


Did you like the highlights of this episode? Check out the full episode in the web player. It’s also available on Spotify, Apple Podcasts, Google Podcasts or another preferred podcast platform.

——

Keeping up with the fast-pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Disposable mail works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Disposable mail a go? Start your 14-day free trial today.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Apple Paid Hacker $75,000 for Uncovering Zero-Day Camera Exploits in Safari

Apple paid out $75,000 to a hacker for identifying multiple zero-day vulnerabilities in its software, some of which could be used to hijack the camera on a MacBook or an iPhone, according to Forbes.


A zero-day vulnerability refers to a security hole in software that is unknown to the software developer and the public, although it may already be known by attackers who are quietly exploiting it.

Security researcher Ryan Pickren reportedly discovered the vulnerabilities in Safari after he decided to “hammer the browser with obscure corner cases” until it started showing weird behavior.

The bug hunter found seven exploits in all. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins and initialized secure contexts, and three of them allowed him to get access to the camera by tricking the user to visit a malicious website.

“A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”

Pickren reported his research through Apple’s Bug Bounty Program in December 2019. Apple validated all seven bugs immediately and shipped a fix for the camera kill chain a few weeks later. The camera exploit was patched in Safari 13.0.5, released January 28. The remaining zero-day vulnerabilities, which Apple judged to be less severe, were patched in Safari 13.1, released on March 24.

Apple opened its bug bounty program to all security researchers in December 2019. Prior to that, Apple’s bug bounty program was invitation-based and non-iOS devices were not included. Apple also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

This year, Apple plans to provide vetted and trusted security researchers and hackers with “dev” iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple’s forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.


Can you find a bug in Xbox Live? Microsoft will pay you, if you do! – Disposable mail news

Think you’re an expert at Xbox? Think you can find a bug in Xbox Live? Well, Microsoft might pay you some bucks.

Microsoft has launched an official bug bounty hunt for the Xbox Live network in order to improve the program and services. The bug hunters will be paid up to 20,000 dollars but the payment will depend on the severity of the security issue and the minimum amount will start from 500 dollars.

In its bug bounty program, Microsoft is looking for serious security vulnerabilities, such as unauthorized code access, rather than connection problems. The bounty program covers a wide range of vulnerabilities but with strict restrictions: for example, it will not cover issues such as DDoS and URL redirects, and it disqualifies anyone who tries to phish or social engineer Xbox users and engineers, or who moves laterally inside the Xbox network while searching for bugs.

Usually, security researchers are the ones who gain most from bug bounty programs but Microsoft has announced that anyone can submit bug issues regardless of their background.

Program manager at the Microsoft Security Response Center (MSRC), Chloé Brown, said in the blog post announcing the bug bounty program that submissions will need to give a proof of concept (POC).

“The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”

This is not Microsoft’s first bounty program, they have earlier launched similar programs for Microsoft Edge browser, their “Windows Insider” preview builds, Office 365 and many others with rewards up to 15,000 dollars. But their biggest one remains for serious vulnerabilities found in the company’s Azure cloud computing service where security researchers can earn up to 300,000 dollars for a super-specific bug.



How I hacked Facebook and received a $3,500 USD Bug Bounty – 10 minute mail

Find out how our Security Researcher Frans Rosén hacked Facebook and found a stored XSS for which he received a bug bounty reward. 

I recently found a Stored XSS on Facebook, which resulted in a Bug Bounty Reward. If you want to know how an XSS could be exploited, you can read my colleague Mathias’ blog post about it. Anyway, here’s how it went down.

I was actually working on finding flaws on Dropbox to begin with. I noticed that when using their web interface there were some restrictions on what filenames that were allowed. If you tried to rename a file to for example:

'">.txt

it was not possible. You got this error:

Image: the Dropbox error message

But, if you instead, connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems. Using this method I was able to find two issues with their notification messages showing unescaped filenames. I reported these issues to Dropbox, they patched it really fast and I was placed on their Special Thanks page for the responsible disclosure.

It didn’t end here. As I was testing out this stuff on Dropbox, I also tried to figure out how this issue could be connected with other services. I noticed their Facebook-connection and got curious on how it worked. It turned out that they had a pretty nice function going on there:

“Dropbox has teamed up with Facebook so that you can do cool things like add files from Dropbox to your Facebook groups or send shared folder invitations to your Facebook friends.”

Nice! I created a group, and found the connection using the “Add File” icon on the Group wall:

Image: the “Add File” dialog on the Facebook group wall

I selected the file that I synced to Dropbox, it was called: '">.txt and shared it. Nothing awesome happened except the file being shared.

But then, I clicked the Share-link on the entry.
Image: the Share link on the entry, where the stored XSS triggered

BAM! The title of the entry was not escaped correctly and I was able to get the Stored XSS triggered. By using the files in my Dropbox I could inject script code that was executed on Facebook.com.
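To make the escaping defect concrete, here is an added example; it is not code from this post and not Facebook’s code. It assumes a share dialog that renders the shared item’s title into an input attribute (the markup and the function names are this example’s own assumptions) and shows the unescaped rendering beside an escaped one, using the filename from the post as input.

```javascript
// Added example, not code from the original post and not Facebook's code.
// It models the defect the write-up describes: a share dialog that put the
// shared item's title into its HTML without escaping, so a filename such as
// '">.txt could close the attribute and the tag and inject markup.
//
// The share dialog markup and the function names below are assumptions made
// for this illustration.

// Constructed sample input: the filename used in the write-up.
const SHARED_FILENAME = "'\">.txt";

// Escapes the five characters that can change meaning inside HTML text or a
// double/single-quoted attribute. Apply it exactly once, at output time.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reverse of escapeHtml for the same five entities (single pass, so an
// already-escaped "&amp;lt;" decodes to "&lt;" and no further); used only to
// show that a browser still displays the original filename after escaping.
function decodeEntities(value) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return String(value).replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => map[ent]);
}

// The vulnerable form: the untrusted title is concatenated straight into an
// attribute value. This is the behaviour the post describes, kept on purpose.
function renderShareTitleUnsafe(title) {
  return '<input type="text" name="title" value="' + title + '">';
}

// The hardened form: identical markup, untrusted title escaped first.
function renderShareTitleSafe(title) {
  return '<input type="text" name="title" value="' + escapeHtml(title) + '">';
}

// Pulls the value attribute out the way a tolerant parser would: everything
// up to the next double quote. Shows where the attribute actually ends.
function extractValueAttribute(html) {
  const match = /value="([^"]*)"/.exec(html);
  return match ? match[1] : null;
}

// Summary a reviewer can assert on: did the rendered attribute keep the full
// filename, or was it cut short by the injected quote?
function compareRenderings(title) {
  const unsafe = renderShareTitleUnsafe(title);
  const safe = renderShareTitleSafe(title);
  const unsafeAttribute = extractValueAttribute(unsafe);
  const safeAttributeDecoded = decodeEntities(extractValueAttribute(safe));
  return {
    unsafeHtml: unsafe,
    safeHtml: safe,
    unsafeAttribute,
    safeAttributeDecoded,
    unsafeTruncated: unsafeAttribute !== title,
    safeIntact: safeAttributeDecoded === title,
  };
}

// Stand-alone run: prints the two renderings side by side.
console.log(JSON.stringify(compareRenderings(SHARED_FILENAME), null, 2));
```

Run it with node. The unsafe rendering ends the attribute at the injected quote and leaves the rest of the filename as markup, while the escaped rendering keeps the whole filename inside the attribute and a browser still displays it unchanged. This is also why the fix belonged on the Share page rather than in Dropbox or Pinterest: a filter on one input path (Dropbox’s rename check) was bypassed by another path (the sync client), whereas escaping at the output point covers every source.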

I reported this to Facebook directly using their Whitehat Vulnerability Reporting system, told them it was an urgent issue and how I managed to get it executed. The issue was at that time only affecting the Share-popup inside the Group page and could only be triggered by user interaction. Serious or not, it was clearly not affecting all users on Facebook.

At the same time I started looking at the URL of this Share-popup:

https://www.facebook.com/ajax/sharer/?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

This URL did not work if you tried it stand-alone. That was good; the XSS issue looked like it could only be triggered by user interaction. But then I started googling and found that you were able to create a Share-URL by using this format: https://www.facebook.com/sharer/sharer.php?

So I changed my URL to that format:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

BAM again! If you were logged in to Facebook, the code was executed as soon as you visited the link. Bad. Really bad. I emailed Facebook again, explaining that you could actually trigger the XSS by only visiting a link.

I was also trying out if I could get other services to behave in the same way. Dropbox and Facebook had this special connection, so I was curious if this issue was isolated or if I could reproduce it by using another service.

Went to Pinterest. Created a Pin named:

'">

and shared it on Facebook using my test account. I pressed the Share button on it:

Image: the Share button on the Pinterest entry, where the stored XSS triggered

I was amazed – it had the same issue.

Facebook replied to me, asking me how I was able to place the files on Dropbox with that filename. I explained how this was done and also told them that the service that you shared from didn’t matter, it was a general issue with the escaping that created a vulnerable vector on the Share-page.

They responded and said that it was indeed the same issue and they should look into it ASAP.

In the meantime, I tried the link on different devices. My iPhone could not get the XSS executed. As soon as I visited the page, I was redirected to https://m.facebook.com and that page did not have the same issue. But I also realized that you could force Facebook to skip the redirect by using a parameter called m2w, so if I appended that to the URL:

https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first&m2w

I was able to trigger the URL on both mobile devices and on desktop. Another email to Facebook.

One day after that I noticed that the POC-link did not work anymore; it was finally patched. I told them I could not reproduce it anymore and it looked like it was fixed.

One day later I got this email:
Image: the email from Facebook to Frans Rosén

Nice one!

Date range:

  • Initial report and the POC-link executing the XSS just by visiting: Dec 22
  • Explained the Dropbox-syncing and extended the scope regarding services and devices: Dec 27
  • Vulnerability fixed: Dec 28
  • Received message about the Bug Bounty: Dec 29

Frans Rosén, Security Advisor

 


Disposable mail is a fully automated web security scanner created by some of the world’s best ethical hackers. Give our free trial a whirl and check your website for vulnerabilities like Cross-site scripting »



IT Security FAQ 5: What is White Hat vs Black Hat hacking? And what is a bug bounty hunter/program? – 10 minute mail

Comparing White Hat to Black Hat hacking is kind of like comparing the good guys to the bad guys. White Hat hackers look for vulnerabilities and report them, whereas Black Hat hackers have a more mischievous agenda. They are the guys you usually see in the movies hacking a bank and stealing money. White Hat hackers are the people working to make the world a safer place – like your favorite team of hackers at Disposable mail!

Comment from our expert:
“White Hat hackers are security consultants and good-hearted people that find vulnerabilities on sites and services and report them to the company to prevent them from being hacked in the future. Many companies offer ‘Bug Bounty Programs’ where they ask White Hat hackers to try and hack their sites in order to find loopholes, and in return they get a cash award for it.”

“The bigger the security breach they find, the more money the company is willing to pay. Hackers looking for those kinds of bugs and vulnerabilities on sites to get those kinds of awards are referred to as Bug Bounty Hunters,” explains Johan Edholm at Disposable mail.

Want more IT security information? Don’t miss out on the other parts of our IT Sec FAQ series!


Disposable mail launches a crowd-based security program to ensure an always updated service – 10 minute mail

We have strengthened our security team with a crowdsourced bug bounty program (currently in beta phase). The initiative, known as Disposable mail Crowdsource, allows us to bring in independent security researchers from all over the world. They will help us ensure that Disposable mail remains the most up-to-date and thorough security service for web applications.

“I’m confident that the only way to keep up with elevated security threats is to bring in the best ethical hackers in the world. Black hats move fast, so we need to move even faster. By inviting some of the world’s top security researchers to our platform we will combine automation with crowdsourcing for the first time”, says Rickard Carlsson, CEO of Disposable mail.

How does Disposable mail Crowdsource work?

The security researchers submit their findings to Disposable mail’s security team, who evaluate their Proofs of Concept before adding them to the service, ensuring only high-quality issues are implemented. The researchers will receive payouts based on the number of unique hits for their submission. The more critical the vulnerability is, the higher the payout level will be. The monetary rewards are processed through Bugcrowd, one of the most well-established marketplaces for bug bounty programs. The program is still in beta phase and we are currently improving functionality and inviting researchers.

“As organizations of all sizes face a growing number of cyber security threats it’s no surprise that more and more are turning to the power of the crowd to stay ahead of their adversaries,” said Casey Ellis, CEO, Bugcrowd. “Bug bounty programs have become a critical component of a comprehensive security strategy. Disposable mail’s adoption of this model is further proof of this, and we’re pleased to be able to facilitate that adoption.”

An extension of our top-ranked security team

Our Stockholm-based team already includes several prominent bug bounty hunters such as Frans Rosén. He is a top-ranked participant of bug bounty programs, receiving the highest bounty payout ever on HackerOne. He agrees with Carlsson that crowdsourcing is the way to go forward in an ever-changing security landscape:

“The best security researchers will never take a regular 9-5 job at your company, but they are more than willing to contribute with the latest security issues, keeping our service up-to-date and earning money at the same time. It is a win-win situation”, says Frans Rosén, who is well acquainted with the community of security researchers.

Carefully selected researchers

Disposable mail was founded by the world’s leading white hat hackers in 2013 and we are working hard on maintaining the same quality. Disposable mail Crowdsource will therefore grow slowly and we will distribute invitations as we are ready to add new researchers. One of the security researchers who has joined the initiative says:

“Disposable mail Crowdsource is a hybrid between traditional bug bounty programs and automated vulnerability scanners. Researchers can follow the number of hits on their submitted module, which works as a stimulant. From a client perspective I’d say that the Crowdsource program is of value, making Disposable mail a scanning service backed by the ‘crowd’.”

[VIDEO] Learn more about Disposable mail Crowdsource from our CEO Rickard Carlsson and Co-Founder Fredrik Nordberg Almroth.

Interested in joining Disposable mail Crowdsource or have any questions about the initiative? Drop us an email: hello [at] detectify.com



Disposable mail Crowdsource monthly recap | July 2017 – 10 minute mail

Disposable mail Crowdsource is our crowdsourced security initiative that allows us to implement white hat hacker knowledge into our service and work with the world’s best security researchers. Read our community manager Kristian Bremberg’s recap to find out what’s been going on in the Crowdsource community last month.

In July, Crowdsource has gotten many interesting submissions from hackers around the world, proving that hacking is in full swing even during the summer months.

From enterprise systems to content management platforms

This month’s submissions vary in severity and cover a wide range of technologies, including enterprise systems and consumer content management platforms.

Many of the submissions are vulnerabilities that affect WordPress plugins. However, we have also received submissions with a high severity (Remote Code Execution and SQL injection) affecting rather exotic systems. The variety in July’s submissions shows that we can find vulnerabilities in most systems thanks to the diverse skillsets of our Crowdsource hackers.

Over 800 hits

Crowdsource submissions are built into the Disposable mail service, allowing us to scan hundreds of websites for the submitted vulnerabilities. This way, researchers can extend their reach and make an impact with the help of automation while getting paid for every unique finding based on their submission.

Image: Disposable mail Crowdsource total hits, July 2017

In July, Crowdsource submissions generated over 800 hits on our customers’ sites, bringing the total number of hits since the platform’s launch to 5940. That’s 5940 vulnerabilities discovered by modules based on Crowdsource hackers’ security research, a number that continues to grow as our customers run Disposable mail scans on their web applications. White hat knowledge leveraged by the power of automation is a force to be reckoned with!

Crowdsource improvements

To make the Crowdsource experience better for our hackers, we have added several improvements to the platform, such as the frequently requested ability to stay anonymous on the leaderboard, and faster payouts via Bugcrowd.

As Crowdsource continues to grow, Disposable mail security researcher Linus Särud will be joining the Crowdsource team. Linus has been working at Disposable mail for over 2 years and will help us develop the platform so that our customers can access even more white hat hacker knowledge.

Stay tuned for next month’s Crowdsource update!


Disposable mail Crowdsource Monthly Recap | August 2017 Breaks New Records – 10 minute mail

Disposable mail Crowdsource is our crowdsourced security initiative that allows us to implement white-hat hacker knowledge into our service and work with 100+ of the world’s best ethical hackers. Read our community manager Kristian Bremberg’s recap to find out what’s been going on in the Crowdsource community the past month.

August marks the best month so far

In August, submissions from Disposable mail Crowdsource generated more than 1500 unique hits in total, which is a monthly all-time high! Security never sleeps, so a big thank you to all our Crowdsource hackers for submitting new vulnerabilities that helped secure our users.

Top finding: URL path traversal due to URL-encoded slashes

Nearly half of the hits were generated by one single module: URL path traversal due to URL-encoded slashes (%2F). The submission itself is not critical, but it is easily chained with other vulnerabilities, which could lead to severe consequences. The vulnerability lies in certain load balancer configurations, which make it possible to append path segments via path traversal so that data in the URL (such as tokens) can be leaked to an attacker’s website.
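To make the bug class concrete, here is an added Python model of one way an encoded slash becomes a path traversal. It is not code from the recap or from the Crowdsource module itself: a load balancer picks its per-prefix access policy from the raw request path, while the upstream application percent-decodes the path before resolving `..` segments, so `/public/..%2Fprivate/token` is treated as public by the load balancer and served as `/private/token` by the upstream. The prefixes, policies and request paths are constructed for the demo and are assumptions, not anyone’s real configuration.

```python
"""Added example, not from the Crowdsource recap or any vendor's configuration.

Toy model of the bug class behind the "URL path traversal due to URL-encoded
slashes" module: a load balancer decides which policy applies from the RAW
request path, while the upstream application percent-decodes the path first
and only then resolves ".." segments. An encoded slash (%2F) therefore hops
across the prefix the load balancer thought it was enforcing.

The prefixes, policies and sample paths below are constructed for the demo.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Assumption for the demo: the LB applies an access policy per path prefix.
POLICY = {
    "/public": "anonymous",          # static assets, no login required
    "/private": "session-required",  # account pages, tokens, exports
}

ENCODED_SEPARATOR = re.compile(r"%2f|%5c", re.IGNORECASE)  # encoded '/' or '\'
ENCODED_TRAVERSAL = re.compile(
    r"(?:\.\.|%2e%2e)%2f|%2f(?:\.\.|%2e%2e)", re.IGNORECASE
)


def resolve_dot_segments(path: str) -> str:
    """Collapse '.' and '..' segments the way RFC 3986 section 5.2.4 does.
    Splits on literal '/' only, so a '%2F' inside a segment is just text here.
    Never climbs above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def upstream_resolve(raw_path: str) -> str:
    """What the application actually serves: decode first, then normalise.
    After unquote(), %2F is a real separator and %2E%2E is '..'."""
    return resolve_dot_segments(unquote(raw_path))


def match_policy(path: str) -> Optional[str]:
    """Prefix lookup shared by both load balancer variants."""
    for prefix, policy in POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return policy
    return None


def lb_policy_naive(raw_path: str) -> Optional[str]:
    """Weak LB: prefix match on the undecoded path."""
    return match_policy(raw_path)


def lb_policy_hardened(raw_path: str) -> Optional[str]:
    """Hardened LB: refuse encoded separators, then normalise exactly as the
    upstream does before matching. None means 'reject the request'."""
    if ENCODED_SEPARATOR.search(raw_path):
        return None
    return match_policy(upstream_resolve(raw_path))


def policy_mismatch(raw_path: str) -> bool:
    """True when the naive LB grants a policy for a path the upstream will
    serve under a different prefix, i.e. the traversal bypasses something."""
    granted = lb_policy_naive(raw_path)
    served = match_policy(upstream_resolve(raw_path))
    return granted is not None and granted != served


def flags_encoded_traversal(raw_path: str) -> bool:
    """Cheap log/WAF check: '..' adjacent to an encoded slash, any letter case."""
    return ENCODED_TRAVERSAL.search(raw_path) is not None


if __name__ == "__main__":
    # Constructed request paths: one benign, one crafted.
    for p in ("/public/css/../site.css", "/public/..%2Fprivate/token"):
        print(p, "->", lb_policy_naive(p), upstream_resolve(p),
              "MISMATCH" if policy_mismatch(p) else "ok",
              "flagged" if flags_encoded_traversal(p) else "")
```

The hardened variant does two things the weak one does not: it rejects `%2F` and `%5C` outright, since an encoded separator has no legitimate use in a path that is meant to be routed, and it matches the prefix on the same normalised form the upstream will serve. The check has to run after the same number of decoding passes the upstream performs; if the upstream decodes twice, a single-decode check in front of it is bypassable again. `flags_encoded_traversal` is the kind of pattern you would run over access logs to find this being probed.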

Severe Flash vulnerabilities

August was also the month of severe Flash vulnerabilities. A great deal of them were submitted to the platform, such as XSS vulnerabilities in bookContent.swf, ZeroClipboard.swf and jPlayer. This confirms that Flash is a dying technology with a growing number of vulnerabilities, and we hope the trend continues: more submissions for technologies that are disappearing from the Internet, such as Flash, Java and Silverlight.

This month’s CS Hacker: Evgeny Morozov

We would also like to thank Evgeny Morozov, a highly skilled Crowdsource hacker, who found a vulnerability that made it possible to pass Disposable mail’s domain validation by means of DNS spoofing.

For this, Evgeny earned a place in our Hall of Fame.

Big plans for the future

The team behind Disposable mail Crowdsource has planned the roadmap for the upcoming years. We aim to make Crowdsource the ultimate bug bounty experience, and have a lot of plans for how the platform should develop in the future. We believe in including real, top-skilled hackers in building a security tool, which means it’s authentic white-hat knowledge that will make the Internet a more secure place.

We’re looking for more researchers

If you’re ready for a new challenge in your bug bounty life, we recommend trying out Disposable mail Crowdsource. We are inviting the best hackers from all over the world to join our platform, and all skill sets are welcome. With your unique way of hacking, you can make the Internet a more secure place while earning a bounty along the way! If you think you have what it takes, please write a short introduction to [email protected], and we will get back to you if your skill set is relevant for our platform.

Read more: How to become a Crowdsource hacker 
That’s all for now!


Disposable mail Crowdsource Monthly Recap | WordPress vulnerabilities galore – 10 minute mail

With over 1200 hits generated by Crowdsource submissions, September was our second best month so far. We have added many new vulnerabilities affecting WordPress, both core and plugins. A few of the plugins are used by a large number of WordPress installs, as you can read in our article where we list all our newly added vulnerabilities. Many of these modules were submitted by this month’s hacker Yasin Soliman.

Image: Crowdsource monthly recap, September

Improvements in the platform

New vulnerabilities are far from all that has happened in September. The platform and community have had a few big changes, and many of the improvements were based on the feedback we received from members of the Crowdsource community. We sent a survey to all invited researchers, and we want to thank everyone who took the time to answer it. The results showed us that we are focusing on the right things, and the platform will see a few major changes that our researchers will love. Stay tuned!

The first update we’ve released is that researchers from Crowdsource can now get a “fixed bounty” for their submissions. This means that the researcher will receive a fixed payout besides the regular payout per hit. We hope that this change will encourage researchers to submit modules of high quality that may not generate a lot of hits, but are equally important to us.

Top finding

In September, the top finding was an open redirect affecting the latest version of WordPress.

Hacker of the month

The Disposable mail Crowdsource hacker of the month is Yasin Soliman, a 17-year-old UK-based security researcher who submitted more than 25 valid modules to Crowdsource in September. We got the opportunity to interview Yasin about his participation in Crowdsource, security role models and his view on other bug bounty programs.

Guest Blog: Don’t Leave your Grid Wide Open

Our guest blogger and Disposable mail Crowdsource hacker Peter Jaric explains how Selenium Grid could be exploited to read files on the server.


Meet the team: Kristian Bremberg – Community-minded ethical hacker who loves to help out – 10 minute mail

“My whole life is circling around IT security,” Kristian Bremberg says, half-jokingly. The Community Manager of Disposable mail’s ethical hacking platform Disposable mail Crowdsource is passionate about defensive security, building communities, and helping people learn.

Image: Kristian Bremberg, Disposable mail Crowdsource

Got his first computer at 16

Hacking hasn’t always been part of Kristian’s life. As a child, he dreamed of becoming a cargo ship captain and crossing the Atlantic Ocean. His plans for the future changed when he got his first computer at the age of 16 and an internet connection two years later. The potential of the web instantly sparked Kristian’s interest. “The concept of search engines just amazed me. You can search for anything and find the answer, so in the beginning, I would just try to challenge Google day in and day out,” he explains.

It all started with games

Kristian eventually found his way to the online gaming community and started hacking games. “Funnily enough, it all started with cheating in games,” Kristian laughs. He soon moved on and started learning about security and making the internet more secure. “Maybe it’s my conscience after cheating in games, but I’ve always been on the defensive side of security, aiming to do good,” he adds.

From malware and IT forensics to web hacking

After discovering security, Kristian began to explore different areas in order to learn as much as possible. Over the last couple of years, he has worked with Tor, malware detection and IT forensics. Forensics fascinated him so much that he wrote a book on the topic for his friends: “It’s not published and it wasn’t serious or well-formatted, I did it for fun. I was really into IT forensics, it was the only thing I could think about!” However, his interest in security did not stop there and Kristian eventually found his way to web hacking and bug bounties.

The community spirit

Being part of a community and helping others learn has always been crucial in Kristian’s security journey: “I’ve done a lot of community stuff, hosting CTFs and writing guides, for example. I love being part of a community and helping people.” His active presence in the web security community was what brought him to Disposable mail as he met two of the company’s founders at Sec-T, a Swedish security conference.

Kristian liked Disposable mail’s vision of a safer internet and started out by writing guest blogs on a range of topics such as HPKP and Tor. Considering his knack for helping others learn, it is no surprise that his articles aim to show readers how to configure security features! “I try to focus on things that help people. I’m not a big fan of just finding vulnerabilities, I’m a fan of finding solutions,” Kristian explains.

Building Disposable mail Crowdsource

Since joining Disposable mail in 2016, Kristian has been working as Community Manager at Crowdsource, Disposable mail’s crowdsourced security platform. He was part of the Crowdsource initiative from the very beginning and was there to welcome the first members to the community. “People are so curious about Crowdsource and love the innovative idea,” Kristian says. Crowdsource allows ethical hackers to submit their findings that are then built into the Disposable mail scanner. The community now has over 100 members and has become an important source of Disposable mail security tests.

A new kind of bug bounty workflow

Kristian explains that Crowdsource complements researchers’ participation in traditional bug bounty programs. Researchers can report findings on platforms like HackerOne or Bugcrowd and then submit the same vulnerability to Crowdsource, where their submission can help secure thousands of websites.

“As soon as a researcher finds something that affects an entire platform, framework, or technology, they can come to us. It fits perfectly into their workflow, challenges them, and gives their research a broader scope,” Kristian says and explains that hackers have different approaches to Crowdsource. “Some like to submit low severity vulnerabilities that generate a lot of hits, while others prefer to submit critical findings. 1000 hits at $1 per hit or 10 hits at $100 per hit will get you a $1000 payout either way, so it’s a matter of looking for what you find most interesting.”

The freedom of working remotely

Kristian lives in Skåne in the south of Sweden and works remotely, visiting Disposable mail HQ in Stockholm for team events and meetings. He says the freedom of working remotely suits him, although it can be challenging to get used to it: “I like remote work because Disposable mail is really about knowledge sharing and doing things together. I love working with my colleagues and across different teams!”

Kristian’s daily tasks involve much more than just community management: “I develop modules, that is, the submissions that Crowdsource members send in. I also do research, testing vulnerabilities to figure out how to implement them and improve existing modules.” Alongside his work with the backend team that develops the core service, he often joins sales and marketing meetings to share Crowdsource news and learn about customers’ feedback and requests.

The growing Crowdsource community

Kristian’s plans for Crowdsource are ambitious, but his passion for the community leaves no doubt that Crowdsource will continue to grow. One of his key goals is to encourage developers without extensive hacking experience to join the platform. “Developers have great insights into how their technologies and frameworks work,” Kristian explains, adding that submitting a finding to Crowdsource does not require a background in security research.

His advice to aspiring Crowdsource members is simple: “Focus on what you think websites are vulnerable to. Today, many vulnerabilities are specific to websites rather than technologies, but what we’re looking for are findings with a wide scope.”

Q&A with Kristian

iPhone or Android? iPhone! I used to hate iPhone and only used Android, I rooted them and I was such an Android geek. Now I’ve grown up and I just use my phone, I don’t play with it anymore.

Mac or PC? I have both, and a Linux! I use Windows, I use MacOS, I use Linux! On a daily basis, I actually use them all.

#1 security advice? That’s a really hard question! Many people won’t agree with me, but I actually love CSP. If you get it to work, you can protect against CSRF, XSS, HTML injection and stealing CSRF tokens. There’s so much you can do with modern web browser security features. Some people prefer to focus on protecting the website, but I think that protecting the client is really important!

Favourite security issue? I would say server-side request forgery, I think that vulnerability is so interesting. When you first find it, it’s kind of serious already, but if you try to get internal data, you can pivot and get it to an RCE and you can even try an SQL injection and so on. I like that because I like vulnerabilities where you can pivot.

Favourite security resources? The netsec subreddit is the best source for IT security news in general. I also like public HackerOne reports, they’re fun to read and you always learn a lot by reading them. The WordPress vulnerability database is interesting too. Other than that, Twitter is absolutely great and it’s the best way to get news quickly!

Think Disposable mail Crowdsource sounds interesting? Read Kristian’s article on how to become a Crowdsource hacker, then head over to the official Crowdsource website to join the community. 
