Meet the team: Tom Hudson – Collaboration is the way forward

Some know him by his hacker handle, TomNomNom. UK-native Tom Hudson started at Disposable mail as a Senior Security Researcher, and he is now the Tech Lead for Security Research & Module Development on the Crowdsource team.

His passions include fixing and reshaping most things, from software to furniture, and spending time with his two kids. He also values collaboration, and this has played a significant role in his journey from software engineering to ethical hacking.

Somewhere in Yorkshire

Tom lives in Yorkshire, UK, somewhere near Leeds. As a kid he wanted to become an inventor; he later found that software engineering was the better choice, since it let him create something new without the cost of raw materials. He studied Electrical and Electronic Engineering at Bradford College and started his career as a network engineer.

Over a decade has passed since then and Tom now carries a heavy backpack of experience that encompasses everything from DevOps and Solutions Architecture to People Management and Training. 

A passion for fixing things and giving knowledge

Tom has a collection of over 1000 tools and spends much of his time in the garage reshaping objects or fixing toys that his 4- and 6-year-old kids broke while playing. Fixing broken things became more of a job once he started his career in development, so, in search of a new hobby, he stumbled across training and education. “I have a passion for learning and finding out how things work,” he says, “that is maybe why I thrive the most in a training role.”

Besides fixing tools and toys, Tom is passionate about learning new things and he feels the urge to share this knowledge with others as a trainer:

“The good thing about having a training role is that it pushes you to be better at conveying complex topics in accessible ways to a varied audience. The feeling I get from giving others tools to learn by themselves is truly rewarding.”  

From Network Engineer to a Hacker

Tom started his career as a Network Engineer at a small company that provided Information and Communications Technology (ICT) support to local schools. He was already interested in Cybersecurity then but never imagined that being an Ethical Hacker would be his full-time job one day.

His first hacking experience came when a former employer invited all employees to hack the company's systems to help find vulnerabilities. This experience landed him on the HackerOne (a bug bounty platform) leaderboard, and he was suddenly invited to different hacking events.

As he got introduced to the bug bounty community, he realized that his previous knowledge as a Software Engineer was extremely valuable as he could use his competencies to build new tools and automate his hacking processes. This was received with a lot of curiosity by the community who started to follow him on different bug bounty platforms. The more connected he was with the community, the more he started to collaborate with other ethical hackers and build more automation for finding security flaws.

His ability to build these tools and share knowledge with other members has led to many high-payout findings and interesting collaborations. In 2019, Tom landed one of the biggest bounties at HackerOne's H1-4420 live hacking event and won the title of Most Valuable Hacker, and he later led a workshop on cybercrime with the local police.

Changing the narrative

Collaborating with the local police has helped Tom better understand the need for education in cybersecurity and for a different tone when talking about hacking.

Tom: “Sometimes things concerning cybersecurity are legitimately scary. But I think that many marketing campaigns are constantly trying to push a narrative that creates fear around the topic of cybersecurity. This is pushing people away, as there are a lot of misunderstandings.”

He believes that the future will bring more bugs and breaches, but hopefully also more scanners, more software and ultimately more ethical hackers. He says the Internet feels mature but, in reality, there is a lot of room left for growth and discovery.

Tom believes that, as high-profile data breaches become more common, there is an increasing need to change the narrative around them, and he hopes that governments will recommend open responsible disclosure programs for companies. He says, “some governments have already started doing so, and this might reduce the perceived shadiness that hackers and cybersecurity are associated with.”

The importance of diversity

While there have been interesting improvements in how people and governments understand cybercrime, Tom also acknowledges that there is still a lot to do. In particular, he believes that the cybersecurity industry needs more diversity alongside collaboration.

He says: 

“I sometimes feel like people who don’t happen to be white and male might have a more difficult time getting started in the community and I believe that especially in such a complex field as cybersecurity, diversity is incredibly important. Monocultural teams so often fail to consider cases that are important to many.” 

Tom mentioned that one of the aspects of Disposable mail he found highly interesting was its diversity:

“In the past, I've found it difficult to drive diverse thinking in my teams. At Disposable mail, it happens naturally, thanks to the gender and nationality balance.”

Disposable mail – a diverse place for sharing

We asked Tom for other reasons for joining Disposable mail, and he revealed his motivation to join a company that is aligned with his values of diversity and provides others with tools to learn for themselves.

He explains:

“At Disposable mail, I can be part of the Hacker School project, which is a session in which we teach our customer base, some of whom may be non-security experts, about cybersecurity and give insight into the mind of a hacker. Sharing knowledge is at the core of Disposable mail's values and products, and being part of the team means that I get to share what I know at different conferences but also within the team.”

Tom talks about the allocated Knowledge Sharing sessions that are organized by employees at Disposable mail, where members of different teams get to share their work, passions, and hobbies with the rest of the organization.

He adds:

“On top of that, the Disposable mail team seems to be aware of the importance of work-life balance and mental health. The people here are people, not just workers and it is humbling to work in such a human environment.

From a technical perspective, Disposable mail poses a whole new challenge for me as what we are doing is super interesting and fun stuff. It feels like I have a constant influx of new things to learn!” 

The way forward

Moving forward, Tom suggests that we should lead with these values and try to be more collaborative with other companies in the industry. “We should take the community spirit to businesses,” he says, “and collaborate with our competitors or companies in the cybersecurity industry.”

Tom believes that more collaboration in the cybersecurity industry will be beneficial, “instead of looking at each other as competitors, we should enable each other and work together to fix the complex world of the internet.”

Quick Q&A with Tom Hudson

Mac or PC? A PC running Linux.

Android or iOS? Android; the closer to stock, the better!

What’s your #1 security tip? Don’t reuse passwords and do enable two-factor authentication.

How do you keep up-to-date with tech and business? Mostly through following interesting people on Twitter.

What’s your favorite Disposable mail blog post? Bypassing and exploiting Bucket Upload Policies and Signed URLs


If you are ready for a new challenge to bring a more collaborative spirit to web security and work with top-ranked ethical hackers like Tom Hudson, take a look at our open positions to join the teams in Stockholm or Boston! 


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Gehaxelt – How WordPress Plugins Leak Sensitive Information Without You Noticing

Sebastian Neef (@gehaxelt) is an IT security freelancer and a top contributor from the Disposable mail Crowdsource community. In this guest blog, he looks at the ways WordPress plugins leak sensitive data in the wild:

Guest blog post from Crowdsource hacker gehaxelt

The OWASP Top 10 (2017) puts Sensitive Data Exposure in 3rd place (A3) among the most common web security issues. In this blog post we will have a look at a kind of sensitive data exposure that you might not be aware of.

WordPress is probably one of the most used Content Management Systems out there. The vast number of available WordPress plugins certainly plays a huge role, as it allows a WordPress blog to become a full-fledged online shop (e.g. WooCommerce). But relying on 3rd-party plugins to customize your blog or shop comes with certain security risks. There are few restrictions on who can publish a plugin on wordpress.org, so code quality, and therefore security, can vary a lot.

I have analyzed how the most popular WordPress plugins leak information, and I include remediation tips so you can continue using WordPress in a more secure way.

This research was part of my attempt to get some more valid submissions into the Disposable mail Crowdsource platform, so my focus was only on the top-ranking WordPress plugins. To qualify as a valid submission for Disposable mail Crowdsource, the vulnerable plugin needs to have at least 300,000 active installations and the issue needs to be exploitable remotely without any form of authentication. For the information disclosures described below, these criteria were met by the following plugins:

* A module for this plugin was not implemented due to an increased request complexity.

Adding up all installation counts from the above list and assuming that one installation equals one website, we end up with about 19 million websites that are potentially affected by an information leak.

Let’s first have a look at what kind of information is leaked by those plugins. I think there are three categories of leaked data, which also map onto CWE (Common Weakness Enumeration) categories:

    • Credentials (CWE-200: Information Exposure)
    • Personal Identifiable Information (PII) (CWE-359: Exposure of Private Information (‘Privacy Violation’))
    • System Information (CWE-215: Information Exposure Through Debug Information)

Credentials

From the attacker’s perspective, gaining access to credentials is the jackpot. It might give them usernames, passwords or API keys that can be used to escalate privileges. A WordPress administrator account is allowed to edit themes and plugins, so gaining remote code execution from there is trivial. Leaked API keys are no better, because they might allow attackers to abuse the associated service, gain unauthorized access or simply run up a huge bill.

Here’s a list of things that fall into this category and that I’ve seen leaked:

    • Passwords to protected posts
    • Backup files or zips
    • SMTP credentials

Personal Identifiable Information (PII)

The next level in the hierarchy is, in my opinion at least, personal identifiable information. Especially in 2020, with new data protection laws and GDPR in force, it might become a company’s nightmare if customers’ PII becomes public, because of the hefty fines. For that reason, I was even more surprised to find several plugins leaking the following customer or user data:

    • Names
    • Email addresses
    • Usernames

System Information

The third category covers the remaining information about the system running WordPress or its configuration. Most of the following types might not have direct, critical security implications, but they still give an attacker useful information for more sophisticated exploitation chains. Most of the WordPress plugins were leaking some of the following information:

    • Internal host names 
    • Database tables, SQL queries
    • Security logs
    • Full path disclosures
    • File names
    • Software versions (OS, PHP, MySQL, WordPress)
    • PHP Configuration (safe_mode, memory limits, execution limits, etc)

So far we have discussed which plugins leak information and what kind of information is leaked, but we haven’t looked at how this information is exposed to attackers.

At the core, the issue lies within WordPress’ file permission scheme, which says that the wp-content/ folder should be writable, because some plugins need write permissions there. Depending on how security-conscious you or your WordPress administrator is, the whole of wp-content/ might have full rwx permissions, and therefore most plugins choose to create their directories and files there.

This is not a problem by itself, but it becomes one as soon as plugins begin to create log files containing the information discussed above, in places the web administrator does not know about. Plugin developers are not guaranteed a writable “data” folder outside the document root, where they could securely store such log files in a non-volatile way. PHP’s sys_get_temp_dir() could be an option, because it is system agnostic (not everyone runs Linux), but it does not offer persistence, which is pretty important for log files. Therefore, most plugin developers opt for a folder that they can assume to be writable on most WordPress installations, as this stackoverflow thread suggests:

    • wp-content/uploads/
    • wp-content/*

The former works in most cases, because files uploaded through WordPress’ media library end up there, so it has to be writable or core functionality breaks. The latter includes all subfolders, such as wp-content/plugins/ or wp-content/themes/, which are writable if the administrator wants to easily install new plugins or edit themes from the dashboard.

If you are a security-minded person and you are running a WordPress instance, now is the time to ask yourself whether you have reviewed the source code of all active plugins, or whether you simply installed a plugin because someone needed it to change the website’s functionality. You should review your plugins, but first continue reading to learn what to look for.

I have noticed two different patterns that developers use to create log files, and only one of them has basic security principles in mind. However, both approaches become ineffective security-wise once the administrator forgets to properly configure the web server. Therefore, we cannot put all the blame for leaks on the WordPress plugin developers; we need to reinforce basic security principles at every layer.

Static file paths

Developers are not naturally security experts, and often they focus on building solutions that work. There is nothing easier than using WordPress’ wp_upload_dir() or the WP_CONTENT_DIR constant to obtain the path to a writable folder and appending a plugin-specific suffix.

Here is a list of example paths:

/wp-content/all-in-one-seo-pack.log
/wp-content/uploads/mc4wp-debug.log
/wp-content/uploads/wp-google-maps/error_log.txt
/wp-content/plugins/ewww-image-optimizer/debug.log
/wp-content/plugins/all-in-one-wp-migration/storage/error.log
/wp-content/plugins/all-in-one-wp-migration/storage/import.log
/wp-content/plugins/all-in-one-wp-migration/storage/export.log
….

Let’s recall that the wp-content/ folder lives inside the DocumentRoot and is accessible from the internet, so all the files within it are usually accessible too. This makes it trivial for an attacker to access those log files and their content by navigating to the well-known paths.

Random file names

A good portion of the plugins implemented their logging with more security in mind. By adding a random portion to the file name, the file cannot be requested directly without knowing the random part.

Depending on the implementation, the randomness of that portion varied greatly:

  • an incremented 6-digit number (not really random)
  • a randomly generated string
  • a cryptographic hash (MD5 or SHA)

Note that a hash only helps if its input is unpredictable: the hash of the plugin name or of the date can simply be recomputed by the attacker, whereas a keyed hash such as WordPress’ wp_hash(), which mixes in the site’s secret salts, cannot. Some examples:

/wp-content/cache/log/000000/dbcache.log
/wp-content/logs/newsletter/antibot-2018-09-87agc333.txt
/wp-content/uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log
….

To a developer, this approach might look pretty robust and secure, but it disregards the fact that administrators also play a role. Given that WordPress is an entry-level CMS, it might be set up and operated by novice administrators who just followed a tutorial “to make things work”.

The file name randomization is instantly defeated if the administrator (accidentally) forgets to turn off “directory listing” on their web server. In that case, an attacker just needs to browse to the respective folders to get a list of the random file names.

(Screenshot: directory listing “Index of /wp-content/uploads/wc-logs”)

While working on this topic, I found several examples of such misconfigured web servers on the internet. It is not just a hypothetical scenario.
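Putting the two exposure patterns above together, here is an added Python example (not code from the original post or from any of the plugins) that probes a site for both: it requests the static paths quoted above directly, then fetches the directories used by the randomised-name plugins and, if the server answers with an autoindex page, reads the log names out of it. The soft-404 check matters in practice: many WordPress themes answer unknown URLs with HTTP 200 and an HTML page, so a 200 alone is not a leak. The host blog.example, its responses and the path lists are constructed for the example; http_fetch() is only for hosts you are authorised to test.

```python
"""Black-box probe for plugin log files exposed under /wp-content/.

Two checks: request well-known static log paths directly, and, for plugins
that randomise the file name, request the directory and read the names out
of an autoindex ("Index of ...") page if directory listing is enabled.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# Static paths quoted in the post; no secret is needed to request them.
STATIC_LOG_PATHS = [
    "/wp-content/all-in-one-seo-pack.log",
    "/wp-content/uploads/mc4wp-debug.log",
    "/wp-content/uploads/wp-google-maps/error_log.txt",
    "/wp-content/plugins/ewww-image-optimizer/debug.log",
    "/wp-content/plugins/all-in-one-wp-migration/storage/error.log",
]
# Directories from the post whose log names carry a random part.
RANDOM_NAME_DIRS = [
    "/wp-content/uploads/wc-logs/",
    "/wp-content/logs/newsletter/",
    "/wp-content/cache/log/",
]
LOG_NAME = re.compile(r"\.(log|txt)$", re.I)
# Both Apache's mod_autoindex and nginx's autoindex title the page "Index of /..."
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.I)

# A fetcher returns (status, content-type, body) so a fake can stand in offline.
Fetcher = Callable[[str], Tuple[int, str, str]]


class _Hrefs(HTMLParser):
    """Collect href targets of <a> tags from a listing page."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def listed_log_files(html: str) -> List[str]:
    """Log-like entries linked from a directory listing page."""
    parser = _Hrefs()
    parser.feed(html)
    return [h for h in parser.hrefs if LOG_NAME.search(h)]


def probe(base_url: str, fetch: Fetcher) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for path in STATIC_LOG_PATHS:
        url = urljoin(base_url, path)
        status, ctype, body = fetch(url)
        # A 200 served as HTML is almost always a soft 404 / theme page, not a log.
        if status == 200 and body.strip() and not ctype.lower().startswith("text/html"):
            findings.append({"type": "static", "url": url})
    for directory in RANDOM_NAME_DIRS:
        url = urljoin(base_url, directory)
        status, ctype, body = fetch(url)
        if status == 200 and AUTOINDEX_TITLE.search(body):
            for name in listed_log_files(body):
                findings.append({"type": "listing", "url": urljoin(url, name)})
    return findings


def http_fetch(url: str, timeout: float = 10) -> Tuple[int, str, str]:
    """Real fetcher, for sites you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-log-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.headers.get("Content-Type", ""), body
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), ""
    except urllib.error.URLError:
        return 0, "", ""


# Constructed responses standing in for a misconfigured site (not real captures).
FAKE_SITE = {
    "https://blog.example/wp-content/uploads/mc4wp-debug.log": (
        200, "text/plain",
        "[2019-11-02 10:12:01] ERROR Mailchimp API returned 401 for key ending in -us1\n"),
    "https://blog.example/wp-content/all-in-one-seo-pack.log": (      # soft 404
        200, "text/html; charset=UTF-8", "<html><title>Page not found</title></html>"),
    "https://blog.example/wp-content/uploads/wc-logs/": (
        200, "text/html",
        '<html><head><title>Index of /wp-content/uploads/wc-logs</title></head><body>'
        '<h1>Index of /wp-content/uploads/wc-logs</h1><a href="../">Parent Directory</a>'
        '<a href="geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log">geoip-2019-03-17-'
        '57e9aab19e941762b0e731c2f65dc325.log</a><a href="index.html">index.html</a></body></html>'),
}


def fake_fetch(url: str) -> Tuple[int, str, str]:
    return FAKE_SITE.get(url, (404, "text/html", "Not Found"))


if __name__ == "__main__":
    for finding in probe("https://blog.example", fake_fetch):
        print(finding["type"], finding["url"])
```

Swap fake_fetch for http_fetch to run it against a real host; extend STATIC_LOG_PATHS and RANDOM_NAME_DIRS from your own plugin review, since the lists here are only the examples the post names.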

If you have made it this far, you might be asking yourself how I discovered all those log file disclosures. I will happily answer this question in this section, so that you can review your own plugins. There were basically three approaches:

    • Find existing files
    • Review the plugins’ source code
    • Use a search engine

While the first method did not turn up anything interesting in particular, the second one was the most fruitful, but also the most time-intensive. There were over 115 plugins to review, so naturally I could not do a thorough in-depth source code review of each, but rather took some shortcuts and made educated guesses. Last but not least, I used search engines to discover files that I might have missed with the two previous methods.

Let’s have a look at them in detail. 

Find-ing existing files

find is a small Linux command line tool to quickly find files or directories in a file system hierarchy. After installing some plugins, I ran it on my test WordPress instances like this:

$> cd path-to-wordpress/wp-content/
$> find . -type f -name '*log*' -ls
$> find . -type f -name '*txt*' -ls
987828    4 -rw-r--r--   1 gehaxelt gehaxelt       229 Feb  9  2018 ./sc_cache.txt

This showed me a few files with log or txt in their names, matching one of the two glob patterns. It is by far the most efficient way to check whether such files exist on your web server, with one caveat: it only shows files that already exist, and many plugins create their log file lazily, on the first error or debug event, so a clean result today does not mean the plugin will not create a log tomorrow. If you are administering any WordPress instances, take a note and check your web servers after you have finished reading.

Source Code Review

Most of the work done was source code review using a few lines of bash, grep and less. 

As the first step, I downloaded all plugins with more than 300k installations from the wordpress.org website and extracted them into separate folders. A few lines of Python helped with that task.

The next step was to identify the paths that log entries are written to. PHP offers a few functions such as file_put_contents(), fopen()/fwrite() or error_log() with a file destination to create files. Having the source code, the command line text search tool grep was the natural choice. Keywords such as “file_put_contents”, “fopen”, “error_log” and “log” gave a good idea of where to look.

From there it was a matter of working backwards through the code and deducing where the file would be written and whether its name is randomized or not.
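The grep-and-deduce review described in this section can be partly automated. The following added Python script (my illustration, not the author's tooling) finds the three write sinks in PHP source, inlines simple `$var = ...;` assignments so the destination expression becomes visible, and classifies it: whether it is built from WP_CONTENT_DIR, wp_upload_dir() and friends (web-accessible), and whether a randomising call is involved. The three plugin snippets are constructed and the plugin names are hypothetical; the resolver is regex-based and meant to triage files for manual reading, not to replace it.

```python
"""Triage PHP plugin code: find file-write sinks and classify the destination
path as web-accessible and/or randomised. Regex-based: it misses paths built
across functions or containing ';' or ',' inside strings."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sink -> index of the argument that holds the destination path.
WRITE_SINKS = {"file_put_contents": 0, "fopen": 0, "error_log": 2}
# Expressions that resolve to a directory under the web root.
WEB_DIRS = ("WP_CONTENT_DIR", "WP_PLUGIN_DIR", "wp_upload_dir(", "plugin_dir_path(", "ABSPATH")
# Calls that add an unguessable part (only if their input is secret or random).
RANDOMISERS = ("wp_hash(", "wp_generate_password(", "random_bytes(", "uniqid(", "wp_rand(", "md5(", "sha1(")

SINK_CALL = re.compile(r"\b(" + "|".join(WRITE_SINKS) + r")\s*\(")
ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]+);")   # plain `$var = expr;`, not ==


@dataclass
class Finding:
    file: str
    line: int
    sink: str
    path_expr: str
    web_accessible: bool
    randomised: bool

    def verdict(self) -> str:
        if not self.web_accessible:
            return "outside web root"
        return ("randomised name (still exposed if listing is on)" if self.randomised
                else "STATIC path, directly downloadable")


def _call_args(src: str, open_paren: int) -> List[str]:
    """Split the argument list whose '(' sits at src[open_paren] on top-level commas."""
    depth, args, cur = 0, [], []
    for ch in src[open_paren:]:
        if ch == "(":
            depth += 1
            if depth == 1:
                continue
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
        if ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return args  # unbalanced parentheses: best effort


def _resolve(expr: str, assignments: Dict[str, str], depth: int = 0) -> str:
    """Inline `$var = ...;` assignments (bounded depth) so the path can be classified."""
    if depth > 5:
        return expr

    def sub(m):
        name = m.group(1)
        if name not in assignments:
            return m.group(0)
        return "(" + _resolve(assignments[name], assignments, depth + 1) + ")"

    return re.sub(r"\$(\w+)", sub, expr)


def scan_php(filename: str, src: str) -> List[Finding]:
    assignments: Dict[str, str] = {}
    for m in ASSIGN.finditer(src):
        assignments.setdefault(m.group(1), m.group(2).strip())   # first assignment wins
    findings: List[Finding] = []
    for m in SINK_CALL.finditer(src):
        sink, args = m.group(1), _call_args(src, m.end() - 1)
        if sink == "error_log" and (len(args) < 3 or args[1] != "3"):
            continue  # only message_type 3 writes to a file
        if sink == "fopen" and len(args) > 1 and re.fullmatch(r"""['"]rb?['"]""", args[1]):
            continue  # read-only handle, not a write sink
        if WRITE_SINKS[sink] >= len(args):
            continue
        path = _resolve(args[WRITE_SINKS[sink]], assignments)
        findings.append(Finding(filename, src.count("\n", 0, m.start()) + 1, sink, path,
                                any(d in path for d in WEB_DIRS),
                                any(r in path for r in RANDOMISERS)))
    return findings


# Constructed PHP snippets; the plugin names are hypothetical.
SAMPLES = {
    "static-plugin/logger.php": """<?php
$log_file = WP_CONTENT_DIR . '/static-plugin.log';
function sp_log( $msg ) {
    global $log_file;
    file_put_contents( $log_file, date( 'c' ) . ' ' . $msg . "\\n", FILE_APPEND );
}
""",
    "random-plugin/logger.php": """<?php
$upload   = wp_upload_dir();
$log_dir  = trailingslashit( $upload['basedir'] ) . 'rp-logs/';
$log_file = $log_dir . $handle . '-' . wp_hash( $handle ) . '.log';
$fh = fopen( $log_file, 'a' );
fwrite( $fh, $line . "\\n" );
""",
    "tmp-plugin/logger.php": """<?php
$dest = sys_get_temp_dir() . '/tmp-plugin-' . md5( AUTH_KEY ) . '.log';
error_log( $entry, 3, $dest );
$config = fopen( __DIR__ . '/config.json', 'r' );
""",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        for f in scan_php(name, src):
            print(f"{f.file}:{f.line} {f.sink}() -> {f.verdict()}\n    {f.path_expr}")
```

Run it over an extracted plugin tree by feeding each .php file to scan_php(); anything reported as a static path under the web root is exactly the case the article describes and deserves a direct request against a test install.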

Google Dorks

(Ab)using search engines and their specific search operators for security purposes is often referred to as “dorking”. No sophisticated hacking tools are required for such an attack: a web browser, a search engine such as Google and a query like inurl:"/wp-content/uploads/wp-google-maps/error_log.txt" would be enough to find a whole lot of affected websites.

I took the route of searching for a plugin’s directory name while adding keywords like log or txt etc. It gave mediocre results, but that was better than nothing and also helped to verify the findings from the previous step. 

Overall, the results of this method are limited to websites that have directory listing enabled and whose contents have been indexed by the search engine.

We all know that breaking things is much easier than fixing them. I tried to come up with ideas for how to prevent such information leaks and make the ecosystem more secure.

Rule #1: Use randomized file names

Static file paths make it trivial for an attacker to check the existence of a file and download it. Using randomized file names might take a bit more time for a developer to implement, but boosts security immensely, especially since the majority of web servers should have directory listing disabled, so that an attacker cannot guess the correct file name.

Rule #2: Prevent directory listing

Even the scenario of a web server with directory listing enabled can be mitigated by the plugin developer: in every folder that is created and where plugin-specific log files are written, an empty index.php file should be created (WordPress itself ships such files in its own directories). On practically every PHP-capable web server, index.php is configured as a DirectoryIndex, meaning that instead of listing the contents of the directory, this file is executed. As an empty file has no output, the attacker sees an empty page instead of a list of file names. Note that this only hides the names; a file whose name is already known is still downloadable, which is why Rule #1 and Rule #2 belong together.

Rule #3: Workaround

If Rule #1 and Rule #2 are not followed by a plugin, one could try to move the created folder outside the “DocumentRoot” and point the plugin at it, e.g. through a symlink. Bear in mind that a symlink left inside wp-content/ only helps if the web server is configured not to follow symlinks in that location; otherwise the files are served just as before. Alternatively, explicit rules must be created to prevent access to static or randomized log files. Depending on the web server in use, simple “.htaccess” files can be used on Apache; nginx ignores .htaccess and needs an equivalent location block in its configuration.

Rule #4: WordPress hardening

The WordPress developers have a lengthy article on WordPress security and hardening. At the time of writing it contained a neat statement which fits this topic perfectly:

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. 

It is always a good idea to go over this article and check whether you have considered and implemented the given hardening tips.

To round off this section, I firmly believe that most plugins should be able to implement and follow Rule #1 and Rule #2. The other two rules, Rule #3 and #4, lean more towards the system administrators’ side, but we cannot take them out of the equation. If a WordPress instance is provided for you, don’t forget to ask the responsible administrator to go over the issues mentioned in this article.
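As an added example that ties the find step from above to Rule #2 and Rule #3 (not code from the original post), the Python script below audits a wp-content/ tree: it lists log-like files the way the find commands do, reports for each directory whether an index.php blocks listing and whether an .htaccess deny rule blocks direct download, and can apply both. The directory layout is constructed in a temporary folder with file names taken from the post; the .htaccess rule assumes Apache with AllowOverride enabled, since nginx ignores .htaccess entirely.

```python
"""Audit a local wp-content/ tree for plugin log files, check the two
server-side controls (index.php against listing, .htaccess against download)
and apply them where missing."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Same match as `find . -type f -name '*log*'` / `-name '*txt*'`.
LOG_LIKE = re.compile(r"log|txt", re.I)

# WordPress ships the same near-empty index file in its own directories.
INDEX_PHP = "<?php\n// Silence is golden.\n"

# Apache only: deny direct download of log files in this directory.
# nginx ignores .htaccess; use `location ~ \.(log|txt)$ { deny all; }` there.
HTACCESS_RULE = """<FilesMatch "\\.(log|txt)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
"""
DENY_LINE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def find_log_files(wp_content: Path) -> List[Path]:
    """Every regular file under wp-content/ whose name contains 'log' or 'txt'."""
    return sorted(p for p in wp_content.rglob("*") if p.is_file() and LOG_LIKE.search(p.name))


def has_deny_rule(directory: Path) -> bool:
    ht = directory / ".htaccess"
    return ht.is_file() and bool(DENY_LINE.search(ht.read_text(errors="replace")))


def audit(wp_content: Path) -> Dict[str, Dict[str, bool]]:
    """For each log-like file: is listing blocked (Rule #2) and download denied (Rule #3)?"""
    report: Dict[str, Dict[str, bool]] = {}
    for f in find_log_files(wp_content):
        report[f.relative_to(wp_content).as_posix()] = {
            "index_php": (f.parent / "index.php").is_file(),
            "htaccess_deny": has_deny_rule(f.parent),
        }
    return report


def harden(wp_content: Path) -> List[str]:
    """Drop index.php and a deny rule into every directory holding a log-like file."""
    changed: List[str] = []
    for d in {f.parent for f in find_log_files(wp_content)}:
        if not (d / "index.php").is_file():
            (d / "index.php").write_text(INDEX_PHP)
            changed.append(str(d / "index.php"))
        if not has_deny_rule(d):
            with (d / ".htaccess").open("a") as fh:   # append: keep any existing directives
                fh.write(HTACCESS_RULE)
            changed.append(str(d / ".htaccess"))
    return sorted(changed)


def build_sample_tree() -> Path:
    """Constructed wp-content/ layout using paths from the post (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    files = {
        "uploads/mc4wp-debug.log": "[2019-11-02] Mailchimp API error\n",
        "uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log": "geoip lookup failed\n",
        "plugins/ewww-image-optimizer/debug.log": "PHP 7.3.11, memory_limit 256M\n",
        "plugins/ewww-image-optimizer/index.php": INDEX_PHP,   # this plugin already follows Rule #2
        "uploads/2019/11/photo.jpg": "not a log",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, checks in audit(root).items():
        print(path, checks)
    print("hardened:", harden(root))
```

Point audit() at a real wp-content/ to get the same table for your install; harden() changes files, so run it on a copy first and remember that on nginx the .htaccess half does nothing.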

All of the initially listed WordPress plugins and their potentially leaked log files were implemented into Disposable mail’s automated security and asset monitoring between September and November 2019. The security modules will give you insight into which log files on your web server are discoverable by an attacker. That means the modules can:

    • easily identify the “static file path” log files 
    • detect the “randomized file path” log files, too, as long as the randomization can be circumvented with the method discussed earlier

My research doesn’t stop here. I am continuously pursuing this topic in order to bring more log file disclosures to users and secure more websites through Disposable mail and the Crowdsource platform.

Written by:
Sebastian Neef
IT Security Freelancer and Disposable mail Crowdsource hacker

Sebastian Neef (@gehaxelt) is a security researcher at heart and has been interested in IT security since the age of 15. He became an IT security freelancer and consultant during his A-Levels back in 2012, when bug bounty and responsible disclosure programs were just starting out. Sebastian enjoys sharing his knowledge at conferences and on his blog 0day.work, breaking things, playing CTFs with ENOFLAG and helping companies improve their security.


How can Disposable mail help?
Disposable mail works with highly skilled ethical hackers like Gehaxelt to crowdsource the most up-to-date security research. Check for the latest WordPress vulnerabilities and 1500+ other known vulnerabilities by starting a Disposable mail scan. Begin your 14-day free trial today.

Additional reading:
Improving WordPress plugin security from both attack and defense sides

How to Improve Your WordPress Security: Plugins and Themes



Kristian Bremberg, Disposable mail Crowdsource community manager: “Crowdsourced security gives researchers freedom”

The Disposable mail Crowdsource platform allows security researchers to submit newly discovered exploits and incorporate them into Disposable mail’s automated security service. At the heart of the initiative is the community of skilled web security experts from across the globe. We have talked to our community manager Kristian Bremberg about his background, the art of building communities, and the power of the crowd.

Kristian Bremberg, Disposable mail Crowdsource

How did you get into web security?
I have always been interested in integrity and personal data. So many people are online nowadays that there is a natural link between integrity and web security. I eventually became active in the web security community, both on Twitter and on various forums. I established one of Sweden’s largest online communities for security researchers and arranged meetups that brought people closer together based on their joint interest in web security.

How did you come across Disposable mail?
I knew of Frans Rosén and other security experts, which is how I found out about Disposable mail. I thought it was an interesting product and I knew the people behind it were fantastic researchers. Over the years, I have followed the company’s development and security research content, and also contributed by writing technical guest blogs for Disposable mail Labs.

What is crowdsourced security?
Crowdsourced security gives researchers freedom. Instead of having to reach out to companies one by one, which involves figuring out who to contact and informing them about an exploit, they can submit a module to Disposable mail Crowdsource. As soon as their submission is processed, they know that their contribution will make an impact and help secure hundreds of websites. Disposable mail doesn’t just publish the vulnerability, but does something bigger with it by incorporating it into the scanner.

Based on your experience from building a web security community, what have you learnt about maintaining a community that functions well?
Communication is vital! Being able to understand what works and what doesn’t for the community members. It’s really important to listen to them and show them that their voice is being heard.

What does your role as community manager entail?
My key task is to communicate with researchers, listen to them, and encourage them to share feedback and ideas. There is also a more technical side to the role as I will be the researchers’ point of contact for questions related to module submissions, prioritized technologies and proofs of concept. I think the role fits me really well because I am interested in security and have experience in a range of programming languages, but I am also very social and enjoy communicating.

How can we reach out to the best ethical hackers?
It’s all about involving key personalities that play an important role in the community.

What makes Disposable mail Crowdsource unique?
The personal contact we offer researchers. We already have some well-established security profiles contributing to Disposable mail Crowdsource and we are working closely with them to build a tight-knit community, take time to get to know every researcher, and maintain the personal communication. On top of that, the platform allows researchers to reach out to a wider audience because Disposable mail has a global customer base. This way, submitting an exploit can really make a difference.

How is Crowdsource going to change Disposable mail’s service?
It will definitely improve the scanner, the modules will be even better because they will be updated more frequently and will cover more programming languages and technologies. It will also make a difference for the community; ethical hackers will see Disposable mail in a new light, as a company that understands how they work, allows them to contribute to the tool and gives them better reach.

To find out more about Kristian’s work, follow him on Twitter @dotchloe. If you have any questions about Disposable mail Crowdsource, let us know at hello[at]detectify.com!



Newly added security tests March 15, 2017: WordPress, Joomla and Drupal

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the security tests added to the tool with our latest release:

  • testcgi.exe XSS
  • WordPress NextGEN SQL injection
  • WordPress soundcloud-is-gold XSS
  • WordPress userpro XSS
  • Joomla! com_news SQL injection
  • Joomla! com_publication SQL injection
  • Joomla! com_filecabinet SQL injection
  • Joomla! com_frontpage SQL injection
  • Joomla! com_webgrouper SQL injection
  • Joomla! com_phocadownload SQL injection
  • Joomla! com_jdownloads SQL injection
  • Drupal error_log disclosure
  • PHPSysInfo Open Access
  • SSH Private Key Exposure
  • myDBR XSS
  • Jobportals XSS

Happy scanning!
The Disposable mail Team


Newly added security tests March 23, 2017: CVE-2017-5638 and Joomla SQL injections

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the security tests added to the tool with our latest release:

  • CVE-2017-5638, Apache Struts RCE
  • WordPress error log disclosure
  • WordPress wp-rich-snippet XSS
  • WordPress all-in-one-schemaorg-rich-snippets XSS
  • WordPress apptha-slider-gallery XSS
  • WordPress apptha-slider-gallery SQL injection
  • WordPress backup-with-restore Database Disclosure
  • WordPress wp-database-backup RCE
  • Joomla! vikappointments SQL injection
  • Joomla! vikrentitems SQL injection
  • Joomla! vikrentcar SQL injection
  • Joomla! simplemembership SQL injection
  • CKEditor wiris plugin XSS
  • AWS S3CMD header information disclosure
  • Concerto fingerprinting and XSS module
  • Publicly exposed Lynk Zipper

Happy scanning!
The Disposable mail Team


Newly added security tests April 11, 2017: WordPress, Joomla, and CGIemail – 10 minute mail

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the latest security tests added to the tool:

  • Joomla! Xtex theme XSS
  • WordPress wp-form-builder XSS
  • WordPress spider-calendar SQL injection
  • WordPress webplayer SQL injection
  • CVE-2017-5616: cgiemail XSS
  • WordPress whizz CSRF

Happy scanning!
The Disposable mail Team

Newly added security tests April 28, 2017: Hubspot and TenderApp – 10 minute mail

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the latest security tests added to the tool:

  • Full Path Disclosure Vulnerability Hubspot
  • Unauthenticated Remote File Inclusion in flickr-picture-backup WordPress plugin
  • Open Redirect in TenderApp

Happy scanning!
The Disposable mail Team

6 months after the launch of Disposable mail Crowdsource: What has happened so far? – 10 minute mail

Disposable mail Crowdsource was born almost 6 months ago, and a lot has happened since then. Kristian Bremberg, Community Manager, who spends his days coordinating almost 100 top-ranked ethical hackers and building their submissions into our scanner, has summarized the first 6 months with Disposable mail’s security platform Crowdsource.

Kristian Bremberg, Community Manager

What is Crowdsource?

Crowdsource is a security platform with ethical hackers from all over the world helping us make the Internet more secure. Only the most skilled hackers are invited to join the platform because we aim to make Crowdsource a tight-knit community that can really make a difference.

Crowdsource works just like a bug bounty program, but instead of submitting vulnerabilities on specific websites, we are interested in security issues that can affect many more websites. The submissions Disposable mail gets from hackers are reviewed, then implemented into Disposable mail’s scanner and tested on all our customers.

What have we found?

The scope is wide both when it comes to vulnerability types and software. Crowdsource submissions have generated more than 4000 hits, including vulnerabilities like remote code execution, SQL injection, cross-site scripting, cross-site request forgery, open redirect and information disclosure.

We have received almost 200 submissions from the hackers on our platform, with a 75% accept rate*.

The majority of the submissions are WordPress vulnerabilities, followed by Joomla! vulnerabilities in 2nd place, Drupal (3rd) and Magento (4th). The most common vulnerability type submitted is XSS, followed by SQLi, Information Disclosures and RCE.

*Submissions that are verified as valid and implementable. Some are not implemented because they are duplicates, auto-patched, or the software has been removed (e.g. WordPress plugins).

Who has joined Crowdsource?

Crowdsource researchers have their own unique style; some submit vulnerabilities affecting content management systems, some focus on misconfigurations and some on enterprise systems. We have spent a lot of time handpicking ethical hackers with a lot of potential and the right skillset. Email us if you are interested in joining, or check out this blog post where we have explained what we look for in a Disposable mail Crowdsource hacker.

Peter Jaric, Ethical hacker

Many of the security researchers wish to remain anonymous, but we got the chance to interview one of them: Meet the Hacker: Peter Jaric, Software Developer: “I got two board games for the first bug I reported”

You can also read a write-up by our 14-year old guest blogger and Disposable mail Crowdsource hacker Karim Rahal who discovered and reported a stored XSS vulnerability that affected over a million websites. Disposable mail was able to help Karim contact the developers behind the vulnerable plugin and the story was picked up by tech sites like The Next Web.

The future of Crowdsource?

The future goal of Crowdsource is to build a healthy community where researchers with different focus and knowledge can make the internet more secure by sharing a wide range of different vulnerabilities.

As Crowdsource continues to grow, we aim to continue bringing in the best researchers in the world, and with their help build the most up-to-date security scanner in the world.

Interested in joining Disposable mail Crowdsource or have any questions about the initiative? Drop Kristian an email: hello [at] detectify.com


Utilize our hacker community to test your site – Sign up for a free trial now!

Disposable mail Crowdsource approaches bug bounties in an innovative way, focusing on platforms instead of specific clients. When a researcher submits a vulnerability to us, we build a module for it and integrate it in the Disposable mail service. Run a scan with Disposable mail, and get direct access to a global competence pool of top ranked security researchers!

Newly added security tests June 8, 2017: Adobe ColdFusion – 10 minute mail

To bring you the most up-to-date security service and help you stay on top of threats, we update Disposable mail on a regular basis. Here are some of the latest security tests added to the tool:

  • Adobe ColdFusion Admin Panel Disclosure
  • CVE-2010-2861: Adobe ColdFusion Path Traversal
  • Open Redirect in TenderApp
  • CVE-2017-5638: Apache Struts Content-Type RCE

Happy scanning!
The Disposable mail Team

How to become a Disposable mail Crowdsource hacker – 10 minute mail

Disposable mail Crowdsource is a platform where hackers can submit vulnerabilities in web applications. Their findings are reviewed by our security team, and built into our web security scanner so that our customers can test if they are vulnerable. For each unique hit we find on one of our customers’ websites, the hacker earns a bounty.

The platform has been running for more than 6 months, and during this time, hackers from all over the world have helped us make the Internet more secure. Since the platform’s launch, we have received a lot of interest from hackers around the world. With this article, we would like to shed some light on how you can get the most out of Crowdsource and what qualities we look for when we handpick hackers to join our invite-only program. Here’s how you can do good while making money!

The skillset of a Crowdsource hacker

Many hackers interested in joining Crowdsource ask us how they can earn money on the platform. Researchers get a monetary reward for each unique hit, which is why the most successful submissions are those that affect many systems and generate a high number of hits. The more widespread the affected software is, the more hits the submission generates, and the researcher is rewarded for each unique target that is vulnerable.

Submissions with a high severity (SQLi, RCE, SSRF) both earn many points on the leaderboard and generate hits faster, while submissions with low or medium severity (XSS, CSRF, Open Redirect) often show a steady increase in hits over time. For example, one hacker submitted an open redirect in a very common Flash file. Because this Flash file was included in many content management systems, the vulnerability affected many of our customers, which led to a high bounty (over 1400 dollars in total) over a two-week period.

Every Crowdsource hacker has a unique style and focus. Some prefer submitting vulnerabilities in common content management systems such as WordPress, Joomla and Drupal, while others prefer large or small enterprise products like JetBrains and Solr. Some hackers focus on misconfigurations, which can affect most systems regardless of which web application is used.

We see a wide range of both new and old techniques for finding and exploiting vulnerabilities. Even a low-severity vulnerability can generate a large number of hits if many sites are affected.

As you can see, Crowdsource offers plenty of opportunities to submit vulnerabilities with the potential to generate a lot of hits! Which tactic to use when submitting vulnerabilities to Crowdsource is up to the hacker – however, we are mostly looking for hackers who are really knowledgeable in specific products and areas. Right now we are interested in Magento, WP, and .net/episerver researchers.

How to become a (good) Crowdsource hacker

Crowdsource invites hackers with a good reputation who follow responsible disclosure policies; blackhat methods are not accepted because they do not follow a responsible disclosure policy. Once we have accepted your request, you can go right ahead, create an account and start submitting vulnerabilities!

When you submit a vulnerability, you don’t need to write a highly detailed description; all we need are details showing how to exploit the vulnerability. If you submit a proof of concept, that’s even better! Before submitting a vulnerability you should make sure it’s not a duplicate. Take a look at the list of all modules so you don’t waste time submitting something that has already been submitted by someone else.

If you think you are the right person for Crowdsource, you can simply request an invite! You can do so by sending an email with a short introduction to [email protected]
