MonkeHacks #38

Platform Standards, Google VRP, ENUSEC

This week I’m back in Ireland. I’m here for one week or so, and then I’m flying back to Scotland, where I need to start moving my stuff from my current place to my new place. It’ll be a busy few weeks, but thankfully it’s all good change.

It was a week of ups and downs for bug bounty. I had some unexpected bounties pay out, and not pay out. I got some good work done, but it wasn’t as fruitful as I’d have liked - not that the time was wasted or anything, but the monetary gain from it has not come yet. As far as Novembers go, this has been a really good one so far.

The annual Christmas Market in Edinburgh opens next week - that Ferris wheel is part of it.

Weekly Ideas / Notes 

  • This week I gave a talk on bug bounty to Edinburgh Napier University’s ENUSEC (cybersecurity society) alongside Mikey. It went well, and the people there are great. It was ages since I last gave a talk, so it was a nice refresher.

  • I really think that the other platforms need to follow in the footsteps of HackerOne, or cooperate together, and define a set of Detailed Platform Standards that outline exactly what should be done in each situation.

    • This week, mikey96 and I reported a large number of vulnerabilities to a platform with different fixes required for each. Unfortunately the platform AND the customer both decided to self-duplicate the vulnerabilities into one submission and reward a fraction of the overall value of what we submitted to them. As of right now, hackers have no way to protest against decisions like this, which is really harmful to the overall prospects of the industry, particularly in cases like this one where my sole income is reliant on the honesty of these companies. We shouldn’t have to expect to be screwed over. There is no point in bringing new hackers into this space if you cannot solve the problems that have been pointed out dozens of times by veterans over the years.

  • In good news - I got my first bounty from the Google VRP for a systemic issue I discovered in numerous cloud platforms. They paid $5,000 - which is very kind of them. It’s a simple but interesting issue that I hope I can disclose someday, when it’s somewhat fixed. I would very much recommend Google as a target. They provide updates regularly until triage (i.e. what the current state of assessing the finding is) and the payout speed is a reasonable 1-2 months.

  • I signed up for the jswzl free trial. A vast amount of what I do involves JS code analysis, so I’m going to do a review of this platform in 2 weeks’ time, if they approve my trial request.

  • Gareth Heyes released a new way to exploit XSS in hidden inputs:

    • <input type=hidden oncontentvisibilityautostatechange=alert(1) style=content-visibility:auto> 
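An added example (mine, not from the newsletter or from Gareth Heyes’s research) showing why this payload matters for defenders: a sanitizer that strips a fixed blocklist of on* handler attributes has never heard of oncontentvisibilityautostatechange and lets the tag through, while a rule that treats any attribute starting with "on" as an event handler catches it regardless of browser vintage. The blocklist contents and every sample tag other than the payload quoted above are constructed for illustration; this only inspects markup and does not reproduce the browser behaviour, which needs a real rendering engine.

```javascript
// Added example: attribute blocklists vs. a generic on* rule, run over the
// hidden-input payload above plus constructed samples. Not from the newsletter.

// Deliberately incomplete blocklist, of the kind legacy filters ship with.
// (Constructed for this example.)
const HANDLER_BLOCKLIST = new Set([
  "onclick", "onfocus", "onblur", "onmouseover", "onload", "onerror",
  "onanimationstart",
]);

// Tokenise the attributes of one start tag. Handles unquoted, single- and
// double-quoted values; the payload above uses unquoted values throughout.
// Attribute names are lower-cased because HTML attribute names are
// case-insensitive, so ONCLICK and onclick are the same handler.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag
    .replace(/^<\s*[a-zA-Z][^\s/>]*/, "") // drop "<tagname"
    .replace(/\/?>\s*$/, "");             // drop trailing ">" or "/>"
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Blocklist approach: only flags handlers the filter author already knows.
function blockedByBlocklist(tag) {
  return Object.keys(parseAttributes(tag)).some((n) => HANDLER_BLOCKLIST.has(n));
}

// Generic approach: in HTML every event handler content attribute is named
// "on" + event name, so any on*-prefixed attribute is treated as a handler,
// including ones added to browsers after the filter was written.
function blockedByGenericRule(tag) {
  return Object.keys(parseAttributes(tag)).some((n) => n.startsWith("on"));
}

// Narrow detection for this specific trick: a hidden input that carries the
// new handler and opts into content-visibility:auto, the style the payload
// above pairs with it.
function looksLikeHiddenInputCvTrick(tag) {
  const a = parseAttributes(tag);
  return (a.type ?? "").toLowerCase() === "hidden"
    && "oncontentvisibilityautostatechange" in a
    && /content-visibility\s*:\s*auto/i.test(a.style ?? "");
}

// Sample tags. "payload" is the one quoted in the post; the rest are constructed.
const SAMPLES = {
  payload: '<input type=hidden oncontentvisibilityautostatechange=alert(1) style=content-visibility:auto>',
  benign: '<input type="hidden" name="csrf" value="abc123">',
  classic: '<input type=hidden onfocus=alert(1) autofocus>',
  upper: '<INPUT TYPE=HIDDEN ONCONTENTVISIBILITYAUTOSTATECHANGE="alert(1)" STYLE="content-visibility: auto">',
};

function audit(tag) {
  return {
    blocklist: blockedByBlocklist(tag),
    generic: blockedByGenericRule(tag),
    cvTrick: looksLikeHiddenInputCvTrick(tag),
  };
}

for (const [name, tag] of Object.entries(SAMPLES)) {
  console.log(name, audit(tag));
}
```

The takeaway for a filter or WAF rule set is the `payload` row: the blocklist says clean, the generic rule says blocked. A hidden input was traditionally a poor XSS sink because handlers like onfocus need the element to be focusable, so defences that only strip the handful of "interactive" handlers were already weak; a handler that fires on a rendering state change removes that excuse entirely.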

Resources