New flaw prompts Google to shut down Google+ for consumers within 90 days

Google will shut down the consumer version of Google+ months sooner than planned after discovering a security flaw that impacted the privacy of some 52.5 million users, the company announced Monday. Google said in October that it would shut down the social media platform in August 2019, while also disclosing a bug that exposed non-public profile information. Monday’s announcement brings the farewell date for Google+’s consumer platform up to March 2019. The company said that an update to the platform last month inadvertently included a bug that affected a Google+ application programming interface (API). The bug existed for six days, Google said, and there’s no indication it was exploited before the company discovered it during standard testing procedures. In comparison, Google said it discovered the last Google+ API bug in March and disclosed it in October. The API is called “People: get” and it allows for developers using Google+ to request basic information associated with a user profile, like name, […]

The post New flaw prompts Google to shut down Google+ for consumers within 90 days appeared first on Cyberscoop.

Dell reveals ‘unauthorized’ attempt to extract customer passwords

Earlier this month, Dell detected and thwarted “unauthorized activity” on its network that was an attempt to extract customer names, email addresses, and hashed passwords from Dell.com, the computing giant announced Wednesday. “Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted,” Dell said in a statement. The attempted extraction occurred Nov. 9. The Round Rock, Texas, company said protections like hashed passwords and mandatory password resets would limit the impact of any potential exposure. Hashing is the application of an algorithm that allows a web service to store an encrypted version of a password without storing the password itself. “Credit card and other sensitive customer information was not targeted,” and the incident did not impact any Dell products or services, the statement said. Dell said it had contacted law enforcement about the incident and hired a […]
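The two controls Dell points to, hashed password storage and a forced reset, are easy to see in code. The following is an added illustration, not Dell's code or anything the article describes in detail: it stores a salted PBKDF2-HMAC-SHA256 record instead of the password, verifies a login against that record with a constant-time comparison, and shows that a reset invalidates whatever a copied record could have been used for. The record format, the work factor, and the helper names (`hash_password`, `verify_password`, `needs_rehash`, `force_reset`, `login`) are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example;
# real deployments tune it to their hardware and should prefer a
# memory-hard function (scrypt, Argon2) where the platform offers one.
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32
ALGO = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Derive a salted hash and return a self-describing record.

    Record format (assumed for this example): algo$iterations$salt_hex$hash_hex.
    Keeping the parameters next to the hash lets verification still work
    after the work factor is raised for new records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt/iterations and compare."""
    if not record:  # None or empty: account is in forced-reset state
        return False
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters),
                             dklen=len(expected))
    # Constant-time comparison so timing does not reveal matching bytes.
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True if the stored record uses a weaker work factor than current policy."""
    algo, iters, _salt, _hash = record.split("$")
    return algo != ALGO or int(iters) < iterations


def force_reset(users, username):
    """Invalidate the stored record: the old password can no longer log in."""
    users[username] = None


def login(users, username, password):
    """Check credentials; on success, upgrade a below-policy record in place."""
    record = users.get(username)
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample user store; nothing here comes from the article.
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])            # salt and hash only, never the password
    print(login(users, "alice", "correct horse battery staple"))   # True
    force_reset(users, "alice")
    print(login(users, "alice", "correct horse battery staple"))   # False
```

Two points the code makes concrete: a copied record yields only a per-user salt and a slow-to-reverse derived value, which is why hashing limits the damage of an extraction; and a mandatory reset works by discarding the record outright, so even a cracked password stops being useful once the reset is enforced.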

The post Dell reveals ‘unauthorized’ attempt to extract customer passwords appeared first on Cyberscoop.

Oracle and "Responsible Disclosure"

I’ve been writing about "responsible disclosure" for over a decade; here’s an essay from 2007. Basically, it’s a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly. When that agreement breaks down, things go bad quickly. This…