Undetected e.02 recap: Fredrik N. Almroth – Bug Bounties – 10 minute mail

Bug bounties – some argue that this is one of the buzzwords of the decade in the cybersecurity industry. Whatever you want to label it, it’s a trend that we can’t ignore these days. A lot of companies are taking part in it, so what’s it all about? 

There were many valuable soundbites to take from this episode, especially from podcast guest Fredrik N. Almroth (@almroot), because he’s hacked all the tech giants and more. If you can name it, he’s probably hacked it. We’ve taken highlights from this bug bounties episode, and the dialogue has been edited for brevity. Let’s dive in:

Image: Fredrik Nordberg Almroth, Disposable mail co-founder and world-class bug bounty hunter

Undetected – a web security podcast is a Disposable mail production that uncovers different depths of web security. You can listen to the full length of Episode 2 on SimpleCast or your preferred podcast platform. The video version is also available online.

Fredrik and his take on the evolution of web security

Fredrik: Well, I’m a security researcher and co-founder of Disposable mail and… I hunt for bug bounties, which kind of correlates to how we do things in Disposable mail. I started already in high school … when I met my fellow co-founders of Disposable mail. By that point we realized that, well the Internet is quite broken. This was back in 2006 when we first met and by 2008, we decided to start a consultancy business doing penetration testing. But one thing led to another and we started automating things and this idea kind of grew. So we all went to university and dropped out one after another. And by this point, some ideas started to stick, like crawling is pretty good to find your URLs on the website and if you have query parameters in URLs then you can start looking for SQL injection.

Then Cloud started becoming a buzzword around here in Sweden. So we figured why not make a new company doing something else.

Laura: We have taken quite huge strides when it comes to security in these past few years as well. How do you feel that automation, for example, played into this?

Fredrik: You can say that some vulnerabilities come and go, SQL injection was a lot more out there a couple of years ago, but now it’s mostly been abstracted that way by different frameworks and so forth. But at the same time, you now have like server-side template actions, and it’s basically the same kind of injection attack state. 

They come and go, but in different forms over the years. Now there’s more out on the internet, more services, more technologies in general. There are more things, hence more things can break, but at the same time, the vulnerabilities that exist back then, are not as common nowadays except for XSS.

Laura: It (web security) really evolved and the hacks in general. The Tesla hack you did was a cross-site scripting attack. Right?

Tesla DOOM DOM XSS

Fredrik: Tesla was running Drupal at the time, and Drupal was bundled with a “what-you-see-is-what-you-get” kind of editor called CKEditor, and this library bundles with an example file. So using this example file you could do a drag-and-drop XSS where you can drag something that looks okay on one website onto some other place, and it executed in Tesla’s origin… And then you have cross-site scripting – Tesla DOM DOOM XSS. So what I demonstrated was you could play Doom on Tesla’s website, and I replaced the entire window with the game Doom.

Laura: That sounds like fun. Couldn’t play Doom anywhere else?

Fredrik: Yes, it’s, well I packed away this payload because it was fun. So I use it every now and again in various cross-site scripting demonstrations.

Getting read access on Google

Laura: Also a bigger vulnerability that you found previously was back in 2014 when you found an XXE vulnerability in Google. Basically you were able to run your own code on Google’s server. 

Fredrik: While the company wasn’t low on cash yet, Mathias Karlsson (a co-founder) and I figured that bug bounty actually works as a way to collect some money. So what’s the most bang for the buck? What companies are out there that we can hack and get the most money for the least amount of effort? Facebook or Google.  

Well, Facebook is not very fun to target, so we went for Google. Our approach was: we should find the newest features and products or go for the really old legacy stuff that they might’ve forgotten. So using Google search itself, we found a feature that dated earlier than 2008 called the Google toolbar button gallery. So if you remember this way back in the Internet Explorer, you had this toolbar from Google and companies could upload their own buttons to this toolbar and that was the feature we attacked. This was an XML file uploaded to Google.

You as a website owner could add your own button to the toolbar so that other users could find you. This button definition was an XML file and quite frankly, you can do a lot of weird things in a plain vanilla XML file, and an external entity is one of those.

Fredrik: We uploaded a file and gave it some name and description, etc, but we added a definition that instructed Google to try to read another file from their local file system. So we tried to pull the normal user file on Unix systems and uploaded it and it worked. But we asked, “Okay, did anything actually happen?” 

We made another attempt where we changed the title to something like “hello world”, and then searched on Google or for toolbar buttons containing “hello world.” … meaning we searched for what we just uploaded.

Laura: That’s kind of like local file inclusion.

Fredrik: Yeah, that’s basically the impact. We got read access on Google.com. This was quite fun. So from start to stop, it took us four hours to identify, exploit and have it reported.

Start of bug bounty career:

Laura: Were these all bug bounty programs or were they public programs that you enrolled in or how did you stumble across these?

Fredrik: This was about the time that we actually founded Disposable mail and bug bounty started becoming something you spoke about on Twitter. So Google, in my world, was the first company I saw that had this kind of policy, meaning anyone can hack Google. If they manage to do it and Google accepts it as a new unique vulnerability, you get money for it and afterward, you can speak about it. As an early-stage startup, this was nice to have some material to be seen and heard.

Laura: How did people react to your work on bug bounties back then?

Fredrik: It varied. People in Silicon Valley know about this as that’s kind of where this entire industry started. But over here in Sweden, it was unheard of that this was even a possibility. For example, a friend’s friend of mine happens to work for the Swedish Police and I told him about the Dropbox hacking event which I attended in Singapore, and his response was, “What? You can’t do that? That’s criminal.” I said, “No, no, no, you missed the point.” I had to elaborate a bit on what bug bounty is and so forth.

Laura: In our bubble of Infosec, everyone knows what a bug bounty is or what responsible disclosure is, but outside of this immediate bubble, it is not that obvious. What is your short description of bug bounties?

Fredrik: Bug bounty is freelance penetration testing in a way. Anyone on the Internet can go to a company, find a vulnerability and have a streamlined process of reporting it to the company. If it’s a unique vulnerability and you are the first one to submit it, then you get a monetary reward at the end. Now we have platforms and marketplaces to facilitate this among vendors and researchers such as Bugcrowd, HackerOne and Synack.

Laura: Yes and bug bounties are offering a [monetary] reward in exchange for the vulnerability report or swag.

Responsible Disclosure Policy – that’s all it takes:

Laura: These bug bounties have basically lifted hackers out of the darkness, and now hackers can actually talk about what they have found. They can disclose it, depending on the program. It’s also shedding a more positive light on hackers.

Fredrik: Indeed. But I think it’s quite important to speak a bit about Responsible Disclosure programs as well, since it’s basically the first stepping stone to do something like this. It could be as simple as having an email address or a contact form where someone can submit vulnerability information. That’s all it takes.

More often than not, you (an ethical hacker) know it yourself that there are vulnerabilities all over the place, but it can be quite tricky to report it.

And you (application owner), you don’t always have to offer swag or money. You just have a channel to accept it.

Laura: A common practice out there is putting a security.txt file in your domain so that people find the contact information of your security personnel there for reporting.

Is this the minimum thing that a company should do in terms of Responsible Disclosure?

Fredrik: Security.txt is a very good starting point. With that, you can set up a [email protected] email (to receive reports).

Laura: So you don’t need to go on a commercial bug bounty platform and open a program there?

Fredrik: No, I think that should come a bit later once you have matured your security processes, so you know what you get basically. It can be quite overwhelming if you go directly to one of these platforms, open a bug bounty publicly to the world because everyone will start reporting straight away.

Laura: Do you think that a company who enlists in a public program will get a ton of reports right from the get-go?

Fredrik: More in the beginning, and then it should probably slow down.

Laura: Would it make sense then to do some kind of security assessment before that?

Fredrik: Yes. I think you should only start with a Responsible Disclosure Policy. 

Once you’ve had your pentest reports, some automated scanning and an organization that can handle the security reports, then you should consider a Responsible Disclosure Policy or a private bug bounty program. After that, you could make it public.

Laura: Do you feel that offering a bug bounty program is appropriate for all sorts of companies out there?

Fredrik: Yes, I think so as long as you have some kind of online presence. But it has to be something technical. It’s quite hard to have a bug bounty otherwise. Even manufacturers of hardware, for example, are growing with IoT applications. These could open up as bug bounty programs.

Laura: Yeah. I’m just trying to think of something that wouldn’t have an online presence these days.

Fredrik: But everything has, right?

Laura: Yeah. Everything has at least a company website, if nothing else.

Fredrik: Exactly. You always have something important to your business and you can probably make a bounty program around that. Ask yourself what you are trying to protect. Say you are Dropbox. The most sensitive things would be your users and their files, right? If you’re Apple, well, it’s basically everything, that’s a bad example I guess. For a bank, it’s probably the money.

So then it doesn’t really matter if it’s only one domain. That’s the scope for your program. You should really try to think about this, “what am I trying to protect?” and make a policy thereafter.

Setting the scope of your disclosure program:

Laura: You mentioned “Scope”, and the scope in a bug bounty program is defined by the company and it can be a domain or source code or some device.

Fredrik: Yes, it’s usually along those lines. It’s one or several domain names that can be mobile apps, GitHub repositories, etc. If it’s a hardware manufacturer, it could be their devices to sell to consumers. There are a lot of blockchain companies that would be attacking the blockchain technology itself.

Laura: What is the best scope for you as a bug hunter?

Fredrik: For me privately, the bigger scopes the better. Being a security researcher, you have a bit of an arbitrage. The more things that are exposed and that you can audit, the more things will break, as simple as that. The bigger the company, the easier it is in my opinion, and that’s because a bigger scope means more critical vulnerabilities and that’s more business impact. So it will help you as a company even more.

Laura: So what happens if you go outside of a scope in a bug bounty program?

Fredrik: That really depends on the organization. What really matters in a bug bounty program is the business impact that an outsider can have. So unless something is explicitly out of scope, it could be fine to report a vulnerability if it has a proven impact.

That’s my take on it. Although that could also be considered scope creeping if you do this.

Laura: What is scope creeping?

Fredrik: You go a bit out of scope and in again. For example, if you find something on Adobe and you go outside to some local subsidiary or something and then back into scope. More often than not, it’s generally accepted on these live hacking events. 

Laura: Maybe at the live hacking events, the overall environment is easier to control than hacking otherwise.

Fredrik: In these events, they collect a group of people to hack a company over a day or two in person. Then you have all the stakeholders at one place they can communicate about it.

Laura: Do some security researchers not report something if it’s out of scope and if it’s not that critical?

Fredrik: 100%. I really believe so. For example, Open Redirect is no longer on the OWASP Top 10. Finding an open redirect somewhere on a subdomain that might be explicitly out of scope and while you know it’s there, you wouldn’t report it with the risk of losing a score or a reputation or what-not on one of these platforms.

But at the same time, if they have OAuth and it’s misconfigured, I can use it to do some kind of authentication bypass or steal some sensitive tokens. Then all of a sudden you’re out of scope, then go in again, and you might have an account takeover, and that would usually be considered critical.

And that companies would accept.

Laura: So it really depends on the impact and if you can demonstrate the impact.

Fredrik: Exactly. That’s, I think that’s the moral of the story. It’s the impact that matters. You need a proof of concept. Otherwise it’s kind of a void report.

Laura: Yeah. Because I used to work as a pentester and during an assignment you have limited time as well, so you don’t always have to provide the proof of concept. Pentesters look at it from a wider angle and they can see white box, the infrastructure, the servers and so on. So for me, it’s interesting how impact-driven the bug bounty community is. It’s a good thing.

Bug bounty is a growing industry

Laura: Bug bounties have become a big industry, but it has also gotten some criticism or scrutiny over how many active researchers there actually are, like this Dark Reading article by Robert Lemos on how bug bounties continue to rise, but the market has its own 1% problem.

It’s kind of like the same as being a professional in anything, like a professional basketball player. And I think that was also something that was said in Lemos’ article, most likely a quote from Mårten Mickos, that not everyone is going to succeed. And then there’s a group who succeed and are really, really good at what they do.

Fredrik: Right. A lot of people are drawn into what they see on Twitter and the media that bug bounty is a growing thing. People go around on these live events where it’s an open environment and everyone always finds something critical, which is true. But to get there, that’s the hard part.

A vast majority might not have a professional take on how to report vulnerabilities, and then it might be people like yourself coming from pentesting background without experience on the same style of reporting.

Laura: … And having all of them rejected.

Fredrik: That’s the thing, right? If you go in with the mindset of a pentester, then I don’t think you would grasp it well, and it probably would be a bit discouraging. And once you get the grasp of it, then you need it to beat the rest that are in the game with vulnerabilities that will be accepted. So I think it could be a steep curve to get into.

Laura: You have been active since 2013 so you’re well ahead of people who are only starting out now. What are tips you have for beginners when trying out bug bounties?

Fredrik: Learn by doing. Submit reports and see how it works, and when it works. There are a lot of good resources out there and streamers that speak about how to do bug bounty, and educate people on what to look for.

Laura: What do you recommend?

Fredrik: I’m going to be a bit biased here, and recommend our fellow coworker, TomNomNom. I also like STÖK, a Swedish researcher.

Anything that Bug Bounties aren’t good for?

Laura: What is something that bug bounties are not really good for?

Fredrik: It’s not a silver bullet to your security. It’s a nice addition to an already quite mature organization in terms of security. It’s the many-eyes principle meaning you have more people looking and trying to break something – and someone will eventually be able to do that. 

If you start a bit premature with doing bug bounties as a company, chances are that it will be a bad experience for researchers. For example, it sucks for me if I report a vulnerability and it gets flagged as a duplicate. I’m probably not the first one to be flagged as a duplicate.

Laura: Or if the companies are slow to respond?

Fredrik: Yes. It must be horrible for the company as well. They get an overwhelming amount of reports as they can’t act on it fast enough, so then it’s not nice for anyone.

Start with private and then slowly expand the scope and amount of people that participate in your program and have it as an addition.

Laura: It’s a good way of getting rid of those low hanging fruit and understanding what you’re exposing there?

Fredrik: No, on the contrary. The bug bounty community will find all of it. They will find the XSS’s. If you can’t fix the XSS fast enough, then you will have a problem.

Laura: You will have multiple reports on the same XSS.

Fredrik: Yes, you will. The best researchers tend to go for more creative vulnerabilities and you want them to be looking deep into your system and catching hard-to-find things.

Laura: Do you think that all companies get equal treatment from bug bounty hunters as well?

Fredrik: No, I don’t think so. It’s absolutely a monetary interest. There are more and more companies joining these platforms, and there’s a limited amount of researchers that provide value. So then you have to compete with other programs to have researchers look at your stuff.

Researchers like big scopes

Laura: We’ve had multiple takeaways for our listeners in this episode already, but do you have any like one big takeaway for our listeners?

Fredrik: If you’re a company, start small, then expand. Researchers love big scopes, so try to reach that eventually. 

If you’re starting off with bug bounty hunting, don’t give up too soon. It takes time and practice to get into this, but it’s not impossible. Anyone can do it. Really. It’s just problem-solving.


Did you like the highlights of this episode? Check out the full episode in the web player. It’s also available on Spotify, Apple Podcasts, Google Podcasts or another preferred podcast platform.

——

Keeping up with the fast pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Disposable mail works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Disposable mail a go? Start your 14-day free trial today.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Hackers made $82 Million through Bug Bounties in 2019 – Disposable mail news


Hacking as a profession has now become a viable option for the hackers out there. Yes, you’ve heard it right: ethical hackers have made more than $82 Million in bug bounties on HackerOne. On top of that, the ethical hacking community on HackerOne has now reached over 600,000 members, with around 850 new hackers joining every day.
According to the ‘2020 Hacker Report’ published by HackerOne, a bug bounty platform in San Francisco, around 18% of the members are full-time hackers, whose job is to find vulnerabilities and ensure that the internet becomes a safe place for everyone.

On the HackerOne platform, hackers from across the world, 170 countries to be accurate, including India, are working every day to ensure the cybersecurity of 1700 organizations, among them Zomato and OnePlus.
The US tops the 2019 list of earnings made by hackers through bug bounties with 19%, India comes second with 10%, Russia has 8%, China 7%, Germany 5%, and lastly Canada with 4%. These countries are the top 6 highest-earning ones on the list.

According to Luke Tucker, Senior Director of Global Hacker Community, hackers are a global power working for a good cause: ensuring the safety of the connected society on the internet. The motivations for hacking may differ, but it is good to see that global organizations are embracing this new change and providing hackers a new platform to compete and grow as a community, making the internet a safe place for everyone, all together.
Hackers from various countries earned a lot more than they did last year.

Hackers from Switzerland and Austria earned more than 950% of what they made last year. Similarly, hackers from Singapore, China and other Asian countries earned more than 250% of their 2018 earnings.
Competitions like these bug bounty programs have helped hackers gain respected expert knowledge, as 80% of the hackers use this experience to explore a better career or jobs. According to the reports, these hackers spend over 20 hours every week finding vulnerabilities.



How I hacked Facebook and received a $3,500 USD Bug Bounty – 10 minute mail

Find out how our Security Researcher Frans Rosén hacked Facebook and found a stored XSS for which he received a bug bounty reward. 

I recently found a Stored XSS on Facebook, which resulted in a Bug Bounty Reward. If you want to know how an XSS could be exploited, you can read my colleague Mathias’ blog post about it. Anyway, here’s how it went down.

I was actually working on finding flaws on Dropbox to begin with. I noticed that when using their web interface there were some restrictions on which filenames were allowed. If you tried to rename a file to, for example:

'">.txt

it was not possible. You got this error:

Image: Error message

But, if you instead, connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems. Using this method I was able to find two issues with their notification messages showing unescaped filenames. I reported these issues to Dropbox, they patched it really fast and I was placed on their Special Thanks page for the responsible disclosure.

It didn’t end here. As I was testing out this stuff on Dropbox, I also tried to figure out how this issue could be connected with other services. I noticed their Facebook-connection and got curious on how it worked. It turned out that they had a pretty nice function going on there:

“Dropbox has teamed up with Facebook so that you can do cool things like add files from Dropbox to your Facebook groups or send shared folder invitations to your Facebook friends.”

Nice! I created a group, and found the connection using the “Add File” icon on the Group wall:

Image: FB Add File

I selected the file that I synced to Dropbox, it was called: '">.txt and shared it. Nothing awesome happened except the file being shared.

But then, I clicked the Share-link on the entry.

Image: Shared link stored XSS

BAM! The title of the entry was not escaped correctly and I was able to get the Stored XSS triggered. By using the files in my Dropbox I could inject script code that was executed on Facebook.com.

I reported this to Facebook directly using their Whitehat Vulnerability Reporting system, told them it was an urgent issue and how I managed to get it executed. The issue was at that time only affecting the Share-popup inside the Group page and could only be triggered by user interaction, serious or not, it was clearly not affecting all users on Facebook.

At the same time I started looking at the URL of this Share-popup:
https://www.facebook.com/ajax/sharer/?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first
This URL did not work if you tried it stand-alone. That was good, the XSS issue looked like it could only be triggered by user interaction. But then I started googling and found that you were able to create a Share-URL by using this format: https://www.facebook.com/sharer/sharer.php?

So I changed my URL to that format:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

BAM again! If you were logged in to Facebook, the code was executed as soon as you visited the link. Bad. Really bad. I emailed Facebook again, explaining that you could actually trigger the XSS by only visiting a link.

I was also trying out if I could get other services to behave in the same way. Dropbox and Facebook had this special connection, so I was curious if this issue was isolated or if I could reproduce it by using another service.

Went to Pinterest. Created a Pin named:

'">

and shared it on Facebook using my test account. I pressed the Share button on it:

Image: Share Button stored XSS

I was amazed – it had the same issue.

Facebook replied to me, asking me how I was able to place the files on Dropbox with that filename. I explained how this was done and also told them that the service that you shared from didn’t matter, it was a general issue with the escaping that created a vulnerable vector on the Share-page.

They responded and said that it was indeed the same issue and they should look into it ASAP.

In the meantime, I tried the link on different devices. My iPhone could not get the XSS executed. As soon as I visited the page, I was redirected to https://m.facebook.com and that page did not have the same issue. But I also realized that you could force Facebook to skip the redirect by using a parameter called m2w, so if I appended that to the URL:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first&m2w
I was able to trigger the URL on both mobile devices and on desktop. Another email to Facebook.

One day after that I noticed that the POC-link did not work anymore, it was finally patched. I told them I could not reproduce it anymore and it looked like it was fixed.

One day later I got this email:

Image: Facebook Frans Rosen

Nice one!

Date range:

  • Initial report and the POC-link executing the XSS just by visiting: Dec 22
  • Explained the Dropbox-syncing and extended the scope regarding services and devices: Dec 27
  • Vulnerability fixed: Dec 28
  • Received message about the Bug Bounty: Dec 29

Frans Rosén, Security Advisor


Disposable mail is a fully automated web security scanner created by some of the world’s best ethical hackers. Give our free trial a whirl and check your website for vulnerabilities like Cross-site scripting »



Disposable mail Responsible Disclosure Program | Disposable mail Blog – 10 minute mail

As of today, researchers can report security issues in Disposable mail services to earn a spot on our Hall of Fame as well as some cool prizes. The Disposable mail team has participated in most Responsible Disclosure programs out there and we felt the time is here to have one of our own.

But our service is made for finding web vulnerabilities, how come we need a Disclosure program? Well. Even though our services are based around finding security bugs in web applications, we are not as naive as to think that our own applications are 100% flawless. We take security issues seriously and will respond swiftly to fix verifiable security issues. If you are the first to report a verifiable security issue, we’ll thank you with some cool stuff and a place at our hall of fame page.

How does the reporting process work?

It’s a 5 step process:

  • A researcher sends a mail using the correct template to [email protected]
  • The researcher will get an automatic response confirming that we have acquired the issue
  • A support case is automatically created
  • The person assigned to the support case responds to the researcher, verifying the issue
  • The issue is patched and the researcher is showered in eternal

What bugs are eligible?

Any typical web security bugs such as:

  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What bugs are NOT eligible?

Any typical low-impact or too-high-complexity issues, such as:

  • Missing Cookie flags on non-session cookies or 3rd party cookies
  • Logout CSRF
  • Social engineering
  • Denial of service
  • SSL BEAST/CRIME/etc

So what are you waiting for?

Sign up for Disposable mail here.


How we got read access on Google’s production servers – 10 minute mail

Few things are better than a good ethical hacking challenge and what could be more fun than finding a target that can be used against itself? Find out how the Disposable mail team hacked their way to read access to Google’s production servers.

To stay on top of the latest security alerts we often spend time on bug bounties and CTFs. When we were discussing the challenge for the weekend, Mathias got an interesting idea: What target can we use against itself?

Of course. The Google search engine!

What would be better than to scan Google for bugs other than by using the search engine itself? What kind of software tends to contain the most vulnerabilities?

  • Old and deprecated software
  • Unknown and hardly accessible software
  • Proprietary software that only a few people have access to
  • Alpha/Beta releases and otherwise new technologies (software in early stages of its lifetime)

For you bounty hunters, here’s a tip:

Image: Google Dork

Combining these ideas, we started Google dorking for acquisitions and products, down to antique systems without any noticeable number of users.

One system caught our eyes. The Google Toolbar button gallery. We looked at each other and jokingly said “this looks vuln!”, not knowing how right we were.

Not two minutes later we noticed that the gallery lets users customize their toolbar with new buttons. If you’re a developer, you can also create your own buttons by uploading XML files containing various metadata (styling and such).

Fredrik read through the API specification and crafted his own button containing fishy XML entities. The plan was to conduct an XXE attack, since he had noticed that the title and description fields were echoed back when searching for buttons.

The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of user-supplied XML documents, including any external entities it declares. By doing so, you risk having your parser do a bunch of nasty things: local file access, SSRF and remote file inclusion, denial of service and possibly remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms.

Nevertheless. The file got uploaded… and behold! First try:

/etc/passwd

Second try (for verification purposes):

/etc/hosts

Boom goes the dynamite.

What you see here is the /etc/passwd and /etc/hosts of one of Google’s production servers. Our payloads served as a proof of concept to demonstrate the impact. We could just as well have read any other file the process could access, or moved on to SSRF exploitation to reach internal systems. To say the least, that’s pretty bad.
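The following is an added illustration of the root cause described above and of the proof of concept; it is not the Disposable mail team’s code nor the button gallery’s actual parser. Python’s expat-based standard library does not fetch external entities on its own, so the naive variant deliberately installs a handler that reproduces a parser resolving SYSTEM entities; the hardened variant rejects any DOCTYPE and never installs such a handler. The `<button><title>` field names, the secret file standing in for /etc/passwd and the payload are constructed for the example.

```python
import os
import tempfile
import xml.parsers.expat as expat


class _Collector:
    """Collects element text into {tag: text}; shared by both parsers below."""

    def __init__(self):
        self.fields = {}
        self._stack = []

    def start(self, name, attrs):
        self._stack.append(name)
        self.fields.setdefault(name, "")

    def chars(self, data):
        if self._stack:
            self.fields[self._stack[-1]] += data

    def end(self, name):
        self._stack.pop()


def parse_button_naive(xml_bytes: bytes) -> dict:
    """Naive parser: honours the DTD and fetches whatever SYSTEM entity the
    upload declares. This is the behaviour that made the gallery exploitable.
    (expat does not do this by itself; the handler below is installed on
    purpose to reproduce a parser that resolves external entities.)"""
    col = _Collector()
    parser = expat.ParserCreate()
    parser.StartElementHandler = col.start
    parser.CharacterDataHandler = col.chars
    parser.EndElementHandler = col.end

    def fetch_external(context, base, system_id, public_id):
        # The bug: system_id is attacker-controlled. Here it is a local path;
        # an http:// URL would turn the same code into SSRF.
        with open(system_id, "rb") as fh:
            body = fh.read()
        sub = parser.ExternalEntityParserCreate(context)  # inherits col.* handlers
        sub.Parse(body, True)  # the file contents land in the <title> field
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(xml_bytes, True)
    return col.fields


def parse_button_hardened(xml_bytes: bytes) -> dict:
    """Hardened parser: rejects any DOCTYPE, so no entities can be declared,
    and installs no external-entity handler, so nothing is ever fetched."""
    col = _Collector()
    parser = expat.ParserCreate()
    parser.StartElementHandler = col.start
    parser.CharacterDataHandler = col.chars
    parser.EndElementHandler = col.end

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in uploaded button XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return col.fields


def demo() -> tuple:
    """Plants a constructed secret file, feeds an XXE payload pointing at it
    to both parsers and returns (naive_title, hardened_error)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("s3cr3t-api-token")  # constructed stand-in for /etc/passwd
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE button [ <!ENTITY xxe SYSTEM "{secret_path}"> ]>\n'
            "<button><title>&xxe;</title><description>harmless</description></button>"
        ).encode()
        naive_title = parse_button_naive(payload)["title"]
        try:
            parse_button_hardened(payload)
            hardened_error = None
        except ValueError as exc:
            hardened_error = str(exc)
    return naive_title, hardened_error


if __name__ == "__main__":
    print(demo())
```

The naive parser echoes the secret file back in the title field, which is exactly the channel the gallery’s search results provided; the hardened one stops at the DOCTYPE before any entity is declared. Refusing DOCTYPE outright is the simplest fix for a format like button metadata that never needs one; where a DTD is legitimately required, leave external entity and external DTD loading disabled instead.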

We contacted Google straight away while popping open some celebration beers. After 20 minutes we got a reply from Thai on the Google Security Team. They were impressed. We exchanged a few emails on the details back and forth during the coming days. In our correspondence we asked how much the vulnerability was worth. This is what we received as reply:

XXE Meme

The bottles (or whatever it is that falls out) turned out to be worth $10,000, enough to cover a road trip through Europe.

tl;dr: We uploaded a malicious XML to one of Google’s servers. Turned out to be a major XXE issue. Google financed an awesome road trip for the team.

Thanks for reading.

Written by: Fredrik
Co-Author: Mathias

If Google can get hacked, are you sure your service is secure? Disposable mail is an automated security monitoring service that tests your website for over 700 vulnerabilities. Sign up for a free trial and check your site’s security.



Guest blog: Karim Rahal on a Spotify playlist hack – 10 minute mail

This video demonstrates a cross-site request forgery vulnerability and a privilege escalation vulnerability in the official Spotify web application. Exploiting the privilege escalation doesn’t require any user interaction, which makes it near critical.

I came across the restore feature inside Spotify’s web application. The first thing that interested me was to find out how the feature really restored “deleted” playlists, so I went ahead and captured the request with an intercepting proxy.

The POST body was as follows: playlist=spotify/user/(user)/playlist/(playlist)/

There was something interesting in the POST body: the request specified the exact path of the playlist.

I tried changing the specified path from /user/karimmtv/ to /user/spotifydiscover and replayed the request. The page then responded with “message”:”restored”.

I was shocked, but still doubted that anything had actually happened, so I opened the Spotify launcher and, looking at my list of playlists, noticed a new unnamed playlist. When I tried to open it, though, it would load endlessly.

I was about to give up until I noticed how to glitch the renaming system in Spotify. Double-left-clicking the playlist twice allowed me to set a name for the “exploited” playlist. After naming it, the endless loading stopped and I could see a proper playlist, and it was by the user “spotifydiscover”.

I was astonished as I hadn’t actually planned on trying to exploit anything inside that restore feature but that moment of hope revealed an extremely critical vulnerability!
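The following is an added model of the flaw Karim describes, not Spotify’s code or an account of its real backend: a restore endpoint that trusts the user segment of a client-supplied playlist path, shown beside a version that binds the request to the authenticated session with an ownership check and a CSRF token (the CSRF issue named at the top of the post). The path shape is the one quoted above; the user names, playlist ids, in-memory store and response messages are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Playlist:
    owner: str
    name: str
    deleted: bool = True


@dataclass
class Session:
    """Server-side session of the logged-in user making the request."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def fresh_state():
    """Constructed data: two deleted playlists and an empty library per user."""
    playlists = {
        "spotify/user/karimmtv/playlist/p1/": Playlist("karimmtv", "My mix"),
        "spotify/user/spotifydiscover/playlist/p2/": Playlist("spotifydiscover", "Discover"),
    }
    library = {"karimmtv": set(), "spotifydiscover": set()}
    return playlists, library


def parse_playlist_path(path: str):
    """Split 'spotify/user/<user>/playlist/<id>/' into (user, id); reject anything else."""
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[:2] != ["spotify", "user"] or parts[3] != "playlist":
        raise ValueError("malformed playlist path")
    return parts[2], parts[4]


def restore_vulnerable(playlists, library, session, form):
    """Trusts the client-supplied path: whoever is logged in can restore any
    playlist that exists, and it is attached to their own library."""
    path = form["playlist"]
    parse_playlist_path(path)  # shape check only; the owner in the path is ignored
    pl = playlists.get(path)
    if pl is None:
        return {"message": "not found"}
    pl.deleted = False
    library[session.user].add(path)
    return {"message": "restored"}


def restore_fixed(playlists, library, session, form):
    """Same endpoint with the two missing checks: a CSRF token bound to the
    session, and ownership decided by the server-side identity."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return {"message": "csrf check failed"}
    path = form["playlist"]
    parse_playlist_path(path)
    pl = playlists.get(path)
    # Answer 'not found' for both missing and foreign playlists so the
    # endpoint does not confirm that someone else's playlist exists.
    if pl is None or pl.owner != session.user:
        return {"message": "not found"}
    pl.deleted = False
    library[session.user].add(path)
    return {"message": "restored"}


if __name__ == "__main__":
    playlists, library = fresh_state()
    attacker = Session(user="karimmtv")
    foreign = {"playlist": "spotify/user/spotifydiscover/playlist/p2/"}
    print(restore_vulnerable(playlists, library, attacker, foreign))
    print(restore_fixed(playlists, library, attacker, dict(foreign, csrf_token=attacker.csrf_token)))
```

The path parser is the same in both versions; what changes is that the fixed handler never lets the path decide who owns the object. Comparing `pl.owner` against `session.user` rather than against the user segment of the path is the point: the path is input, the session is the authority.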

Follow up

When contacting Spotify they were first shocked by the revelation, but also very appreciative. They fixed the vulnerability within a week or so.

At the end of the day, everything is coded and developed by humans, and humans are not perfect, so there are always mistakes for security researchers like me to find and inform the vendor about. Mistakes that translate into vulnerabilities can lead to huge losses.

Remember, security comes first before functionality.
//Karim Rahal

The advisory of the vulnerability was first published on Vulnerability Lab back in September.


Disposable mail’s Frans Rosén #2 on HackRead’s 10 Famous Bug Bounty Hunters of All Time – 10 minute mail

Disposable mail’s knowledge advisor Frans Rosén has worked with security research for many years, and is a top ranked participant of bug bounty programs, receiving the highest bounty payout ever on HackerOne.

Frans is also a frequent blogger at Disposable mail Labs, where he writes about his security research. He speaks at security events, raising awareness about information security and sharing his experience as a white hat.

Last week, we were happy to see that HackRead featured Frans on their list of 10 Famous Bug Bounty Hunters of All Time, along with security researchers like Roy Castillo, Emily Stark and Shubham Shah.

See the full list of Hackread’s 10 famous bounty hunters here. 

 


Inside the head of a white hat hacker – 10 minute mail

Yesterday, Disposable mail’s Knowledge Advisor Frans Rosén gave an inspiring talk about white hat hacking and web security at Computer Sweden’s event Säkerhetsdagen 2016 in Stockholm. His four recommendations to the audience were

1) Set up a security contact for your company as soon as possible

2) Establish a Responsible Disclosure Policy

3) Work with bug bounties, rewards and feedback to the security researchers that report security issues

4) Automation is a must when it comes to security

Watch his presentation here (in Swedish):


IT Security FAQ 5: What is White Hat vs Black Hat hacking? And what is a bug bounty hunter/program? – 10 minute mail

Comparing White Hat to Black Hat hacking is kind of like comparing the good guys to the bad guys. White Hat hackers look for vulnerabilities and report them, whereas Black Hat hackers have a more mischievous agenda. They are the guys you usually see in the movies hacking a bank and stealing money. White Hat hackers are the people working to make the world a safer place – like your favorite team of hackers at Disposable mail!

Comment from our expert:
“White Hat hackers are security consultants and good-hearted people that find vulnerabilities on sites and services and report them to the company to prevent them from being hacked in the future. Many companies offer “Bug Bounty Programs” where they ask White Hat hackers to try and hack their sites in order to find loopholes, and in return they get a cash award for it.”

“The bigger the security breach they find, the more money the company is willing to pay. Hackers looking for those kinds of bugs and vulnerabilities on sites to get those kinds of awards are referred to as Bug Bounty Hunters,” explains Johan Edholm at Disposable mail.

Want more IT security information? Don’t miss out on the other parts of our IT Sec FAQ series!


Kristian Bremberg, Disposable mail Crowdsource community manager: “Crowdsourced security gives researchers freedom” – 10 minute mail

The Disposable mail Crowdsource platform allows security researchers to submit newly discovered exploits and incorporate them into Disposable mail’s automated security service. At the heart of the initiative is the community of skilled web security experts from across the globe. We have talked to our community manager Kristian Bremberg about his background, the art of building communities, and the power of the crowd.

Kristian Bremberg, Disposable mail Crowdsource

How did you get into web security?
I have always been interested in integrity and personal data. So many people are online nowadays that there is a natural link between integrity and web security. I eventually became active in the web security community, both on Twitter and on various forums. I established one of Sweden’s largest online communities for security researchers and arranged meetups that brought people closer together based on their joint interest in web security.

How did you come across Disposable mail?
I knew of Frans Rosén and other security experts, which is how I found out about Disposable mail. I thought it was an interesting product and I knew the people behind it were fantastic researchers. Over the years, I have followed the company’s development and security research content, and also contributed by writing technical guest blogs for Disposable mail Labs.

What is crowdsourced security?
Crowdsourced security gives researchers freedom. Instead of having to reach out to companies one by one, which involves figuring out who to contact and informing them about an exploit, they can submit a module to Disposable mail Crowdsource. As soon as their submission is processed, they know that their contribution will make an impact and help secure hundreds of websites. Disposable mail doesn’t just publish the vulnerability, but does something bigger with it by incorporating it into the scanner.

Based on your experience from building a web security community, what have you learnt about maintaining a community that functions well?
Communication is vital! Being able to understand what works and what doesn’t for the community members. It’s really important to listen to them and show them that their voice is being heard.

What does your role as community manager entail?
My key task is to communicate with researchers, listen to them, and encourage them to share feedback and ideas. There is also a more technical side to the role as I will be the researchers’ point of contact for questions related to module submissions, prioritized technologies and proofs of concept. I think the role fits me really well because I am interested in security and have experience in a range of programming languages, but I am also very social and enjoy communicating.

How can we reach out to the best ethical hackers?
It’s all about involving key personalities that play an important role in the community.

What makes Disposable mail Crowdsource unique?
The personal contact we offer researchers. We already have some well-established security profiles contributing to Disposable mail Crowdsource and we are working closely with them to build a tight-knit community, take time to get to know every researcher, and maintain the personal communication. On top of that, the platform allows researchers to reach out to a wider audience because Disposable mail has a global customer base. This way, submitting an exploit can really make a difference.

How is Crowdsource going to change Disposable mail’s service?
It will definitely improve the scanner, the modules will be even better because they will be updated more frequently and will cover more programming languages and technologies. It will also make a difference for the community; ethical hackers will see Disposable mail in a new light, as a company that understands how they work, allows them to contribute to the tool and gives them better reach.

To find out more about Kristian’s work, follow him on Twitter @dotchloe. If you have any questions about Disposable mail Crowdsource, let us know at hello[at]detectify.com!

