Hackers made $82 Million through Bug Bounties in 2019 – Disposable mail news


Hacking as a profession has now become a viable option for the hackers out there. Yes, you heard it right: ethical hackers have made more than $82 Million in Bug Bounties on HackerOne. On top of that, the ethical hacking community on HackerOne has now reached over 600,000 members, with around 850 new hackers joining every day.
According to the ‘2020 Hacker Report’ published by HackerOne, a Bug Bounty platform based in San Francisco, around 18% of the members are full-time hackers, whose job is to find vulnerabilities and help make the internet a safer place for everyone.

On the HackerOne platform, hackers from across the world, 170 countries to be exact, India included, work every day to secure 1700 organizations, among them Zomato and OnePlus.
The US tops the 2019 list of earnings made by hackers through Bug Bounties with 19%, India comes second with 10%, Russia has 8%, China 7%, Germany 5%, and finally Canada with 4%. These countries are the top 6 highest earners on the list.

According to Luke Tucker, Senior Director of Global Hacker Community, hackers are a global force working for a good cause: ensuring the safety of the connected society on the internet. The motivations for hacking may differ, but it is good to see that global organizations are embracing this change and giving hackers a new platform to compete and grow as a community, together making the internet a safe place for everyone.
Hackers from various countries earned a lot more than they did last year.

Hackers from Switzerland and Austria saw their earnings grow by more than 950% compared with last year. Similarly, hackers from Singapore, China, and other Asian countries earned more than 250% of what they made in 2018.
Bug Bounty programs like these have helped hackers gain respected expertise, as 80% of the hackers use this experience to move towards a better career or job. According to the report, these hackers spend over 20 hours every week looking for vulnerabilities.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Eray Mitrani: Stumbling upon a new way to exploit authorization bypass in Jira – 10 minute mail

Eray Mitrani works for Nokia Deepfield, which provides network analytics and DDoS protection. He is also a security researcher in the Detectify Crowdsource community. In the following guest blog, he goes through the process of finding and submitting his first module to Detectify Crowdsource, an authorization bypass in Jira.

Detectify Crowdsource is our platform where external security researchers can submit web vulnerability findings to us. If we can validate a finding, we build a security check for it into the Detectify automated scanner and make it available to all our customers. For each finding generated on a customer profile, we pay the security researcher a financial kickback.

Photo of Eray Mitrani

Barely a year has passed since I started teaching myself how to hack, mostly by reproducing things other people have already done. Sometimes it is possible to get something to work without necessarily understanding all the reasons why it works. This write-up is about that sort of discovery, which led to my first module on Detectify.

How it all began

It all started with Orange Tsai’s excellent research, in which he describes a path normalization issue he found on Uber’s internal Jira instance and used to bypass their OneLogin.

Path normalization is part of how a URL is parsed server side. https://example.com/a/../b might, for example, be treated as https://example.com/b in some places, while being kept in full in others. When the component that makes the authorization decision and the component that serves the content disagree in this way, the result is often an authorization issue.

I was very interested in looking into Jira because it is ubiquitous software, which means that one original find can lead to numerous bounties across many bug bounty programs. One example of this is CVE-2017-9506, where the SSRF affected many vendors and was easy to discover with a single GET request. I did some research using Shodan to see if people were still running old versions of the software and found that around 5% of the domains were still unpatched. That’s when I decided to see if I could build on the past research in order to contribute some modules to Detectify Crowdsource.

Keeping track with a recon folder

With that motivation in mind, I went to my recon folder, where I keep track of all my bug bounty targets. Having this allows me to quickly look for newly published vulnerabilities in old targets I’ve already tested. As different hackers have access to different private programs, it is always a good idea to look there for easily automated tasks. I personally keep a .txt record of all active hosts on a target, and the directory structure in a separate folder. This allows me both to track changes to past targets and to look for new vulnerabilities I have picked up. For example, if there is a new Cisco vulnerability I can look for all subdomains that include the word “vpn”; in this case I ran `grep -r --include=*.txt "jira"`, which gave me all subdomains containing the string jira.

I started looking at different versions of Jira deployed across bug bounty programs. Most up-to-date Jira instances nowadays redirect you to Atlassian ID to log in; however, I found one that would redirect you to login.jsp (their old login page) regardless of which path you tried to visit under “/secure”.

Applying Orange Tsai’s technique

I knew Orange’s trick could potentially bypass redirects to the login page, as in the OneLogin and Uber case described in the article linked above. So I tried using it to access sensitive endpoints on Jira such as /browse, ManageFilters.jspa and Dashboard.jspa. I couldn’t find any dashboards like in his example, but I was able to list all filters that were shared with “everyone”, which includes unauthenticated users. This revealed employee emails, tickets that were being worked on and the company’s priorities.

Delving into the main issue

The main issue here is that the admin relied on the login redirect to hide filters and dashboards shared with everyone, or wasn’t aware that sharing with everyone includes unauthenticated users as well. Also, by default all email addresses are public information, so by being able to see filters and dashboards one can also harvest valid company email addresses. The default setting looks like this:

Recommended actions

If your Jira instance is not sitting behind a VPN, the best thing you can do is to avoid granting any permissions to “everyone” when setting up a new dashboard or shared filter, as that would permit unauthenticated users as well. I would also suggest changing the “User email visibility” setting from “Public” to show emails to logged-in users only.

Why it works is still a mystery

At this point I thought this would make an easy module to implement for Detectify, as you only need two GET requests to check for it. First you try to list the filters via the regular path, and if that doesn’t work you try the same thing with Orange’s `/status/..;/` trick. I was pretty confident that this was why it worked. However, after submitting the module to Detectify and discussing it with them, I realized /..;/ is actually not needed. I am still a bit unsure why /status/ is let through, but I would assume it has something to do with the status endpoint being accessible to unauthenticated users on most Jira instances. In the end I think this serves as a great example of finding interesting things before fully understanding them.

Eray Mitrani
Twitter: @ErayMitrani
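The normalization mismatch described in the post (the `/a/../b` example and the `/status/..;/` path shape), modelled as an added example that is not the author’s or Detectify’s code: a front-end gate that decides “login required” from the raw path by string prefix, beside a back-end that strips servlet-style `;` path parameters and resolves `..` before routing. The prefixes and the `;`-stripping behaviour are assumptions; the defensive point is that the gate must decide on the same normalized path the back-end routes on (the author notes his instance did not even need the `..;` segment).

```python
import posixpath

# Constructed model, not Jira's or any proxy's real code. Assumed layout:
# a front-end gate reading the raw request path, and a back-end that drops
# ';param' path parameters per segment and removes dot segments.
PROTECTED_PREFIX = "/secure/"      # assumed: everything here needs a session
PUBLIC_PREFIXES = ("/status",)     # assumed: reachable without a session


def strip_path_params(path: str) -> str:
    """Drop ';key=value' suffixes from every segment (servlet-container style)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize(path: str) -> str:
    """Back-end view of a path: strip ';' params, then resolve '.' and '..'."""
    path = strip_path_params(path)
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def naive_requires_login(raw_path: str) -> bool:
    """Weak gate: inspects the raw path, so a public prefix short-circuits it."""
    if raw_path.startswith(PUBLIC_PREFIXES):
        return False
    return raw_path.startswith(PROTECTED_PREFIX)


def hardened_requires_login(raw_path: str) -> bool:
    """Fixed gate: decides on the same normalized path the back-end routes on."""
    return normalize(raw_path).startswith(PROTECTED_PREFIX)


def evaluate(raw_path: str) -> dict:
    """Compare both gates against what the back-end would actually serve."""
    backend = normalize(raw_path)
    return {
        "backend_path": backend,
        "naive_login": naive_requires_login(raw_path),
        "hardened_login": hardened_requires_login(raw_path),
        # A bypass is a protected back-end path the naive gate waved through.
        "bypass": backend.startswith(PROTECTED_PREFIX)
        and not naive_requires_login(raw_path),
    }


if __name__ == "__main__":
    for p in ("/secure/ManageFilters.jspa",
              "/status/..;/secure/ManageFilters.jspa",  # shape of the post's trick
              "/a/../b"):
        print(p, "->", evaluate(p))
```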

With Detectify you can check your website against this finding and 1000+ other vulnerabilities submitted by the Detectify Crowdsource community, as well as our in-house research. Sign up today for a 14-day free trial, no credit card required.



Meet the team: Laura Kankaala – Securing companies by breaking stuff – 10 minute mail

Finland native Laura Kankaala recently joined Detectify as a Security Researcher to contribute to our aim of making the internet safer. Her hobbies include playing video games and reading. She’s also active within the security community as a speaker, podcaster and board member of the Disobey hacker conference.

Laura Kankaala, Detectify Security Researcher

It began in Turku

Laura Kankaala was born in Turku, where she studied IT at Turku University of Applied Sciences. She became curious about hacking while she was still at university. Early on, when she was engaged in building and developing systems, she realized that she was far more excited to learn how she could exploit them. However, at that time hacking was branded as a gray area, if not outright criminal activity, so she never imagined making a career out of it.

From sysadmin to pentester

She began her career as an Identity and Access Management Consultant with Trusteq, where she was in charge of system administration and did a bit of coding here and there. When Trusteq was acquired by KPMG she was able to shift her career into penetration testing, which she believes helps her a lot in grounding and writing about security research.

Regardless of whether she was red teaming or doing research, Laura’s motivation has been constant – focusing on end users. She elaborates, “…in order to protect the Internet experience for the users, we need to make sure that the applications and software they are using don’t contain vulnerabilities that could compromise their devices or leak their private information”.

Bringing ethical hacking to the public eye

Since then, the ethical hacking space has expanded, but Laura believes there is still a lot to do. She believes that the way ethical hackers are perceived, and even the way the vulnerabilities this community discloses are handled, still needs work. This is something she continues to push for, and outside of office hours she spreads this knowledge to the public through her own podcast, We need to talk about Infosec. Her passion and credibility also earned her the opportunity to showcase how information in our connected society can be exploited in a TV documentary series with her ethical hacker mates, Team Whack.

Laura says: 

“There needs to be solid cooperation and understanding of common rules between the researchers and companies. There are cases when vulnerabilities found by researchers are not well-received by the company. There are other cases where the researcher doesn’t know the best way of contacting the responsible parties which cause problems for the researchers. Right now safe harbour and responsible disclosure policies work to some extent – but not all companies have them.”

She describes her work simply as trying to break stuff – in this case, systems – and figuring out how they can be fixed or defended against someone else trying to do the same thing. In most cases, she works directly with companies or organizations to understand how to build code that is resistant to being broken.

Breaking things with eagerness to keep learning

Besides “breaking stuff”, what she enjoys the most about working in IT security is the constant learning journey and new ways of working thanks to the close collaboration with other security researchers and even the companies’ internal security teams. In Laura’s words: “At the end of the day, one task – regardless of its complexity – can always be solved in different ways and it’s always eye-opening and humbling to experience that.”

We asked Laura what it takes to work in this industry and she answered:

“Patience and eagerness to learn new things all the time are important skills that not everyone has mastered. That’s it, I’d say. Of course, it helps a lot if you like computers!”

She went on to explain that eagerness to learn new things all the time is crucial, since the future of cybersecurity is uncertain and ever-changing. For example, she says:

“The amount of data collected from users will keep increasing. Also, it seems that every electric device will become “smart” – a fancy word that stands for having Internet connectivity. Securing these devices and their backends will be a major undertaking, because these devices are already in use, but are very much lagging behind when it comes to security”.

There will always be a need for security researchers

Another exciting thing about this is that no matter how much the future of cybersecurity changes, one thing is certain: there will always be a need for security researchers and ethical hackers to help companies and users feel safer around their services and devices, and that is one of the reasons why Laura decided to join the Detectify family.

“I want to fix the Internet,” she says, “and I think we’re a fun bunch of people doing great things together. I appreciate the flexibility, the challenges, and the atmosphere we’ve got going on. I believe that what we are doing will help shape both the future of cybersecurity and the ways ethical hackers (like Detectify Crowdsource) are seen.”  

Laura on automation: “automation serves us in two ways: it is basically a tool for making sure we clean out vulnerabilities before they even reach production, and on the other hand, it helps us to quickly act on when new vulnerabilities pop up or unnecessary attack surface is exposed, and fix it.”

Quick Q&A

Mac or PC? macOS – It’s Unix based.
Android or iOS? iOS
What’s your #1 security tip? Be curious and care about your privacy!
How do you keep up-to-date with tech and business? Twitter, Reddit – reading a lot overall!
What’s your favorite Detectify blog post? It must be some of the hostile subdomain takeover posts because those I remember reading even before I knew what Detectify was.


Detectify keeps growing by the day, which means that finding candidates who want to be part of driving change in a rapidly evolving cybersecurity space is our main priority. If you, like Laura, are excited about shaping the future of cybersecurity by “breaking stuff”, take a look at our open positions to join Laura in Stockholm! 

