New web targets for the discerning hacker

Bug Bounty Radar, September 2019

HackerOne’s bug bounty challenge with the National University of Singapore (NUS) has come to an end, with 13 valid vulnerabilities in NUS’ digital infrastructure safely reported by students and US$4,550 awarded in bounties.

It’s the second time HackerOne has partnered with a university to help students secure the university’s own systems, following a similar event in 2017. The company says it now plans to make it an annual event.

HackerOne is not the only bug bounty platform to team up with a university this month, with YesWeHack holding a workshop with Singapore Polytechnic.

Around 30 students working towards a diploma in infocomm security management took part in a live experience to discover vulnerabilities and bugs in two selected applications. The students found nine critical vulnerabilities, with one successfully gaining full admin rights to one of the apps.

In military hacking news, the US Air Force plans to encourage hackers to hijack an orbiting satellite at the DEF CON hacking conference next year. Participants will attempt to take control of the satellite's camera, either through the ground station or directly, using an emitter.

Over in Europe, the final report into the Swiss Post ‘public intrusion test’ has been published. Researchers discovered 16 low-impact vulnerabilities, netting them a total of just $2,000.

One researcher did rather better earlier this month, when he discovered serious security flaws in a developer version of Google Chrome. Securitum’s Michal Bentkowski uncovered the issue with the browser’s experimental ‘portal’ element, winning him a bounty of $10,000.

Even happier is Terry Zhang, who has scooped $40,000 for his discovery of an authentication issue on the main login endpoint of Microsoft Cloud.

Meanwhile, exploit acquisition platform Zerodium has upped its rewards for mobile exploits, making Android exploits more lucrative than iOS exploits for the first time.

And, finally, PayPal is celebrating its first anniversary on HackerOne, having paid out more than $1.5 million in bounties and resolved over 300 vulnerabilities.

September saw the arrival of several new bug bounty programs. Here’s a round-up of the latest targets:

Mixin

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$7,500

Outline:
Mixin, a peer-to-peer transactional network for digital assets, is asking security researchers to test its mainnet code for security flaws.

Notes:
The organization has created a public testnet for hackers to use, and is paying out up to $7,500 for the discovery of critical vulnerabilities.

Visit the Mixin bug bounty page at HackerOne for more info

Pixiv

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Pixiv is an online community platform for creators around the world. Through the company’s new bug bounty program, researchers have been asked to hunt for a range of security flaws, including remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), and account takeover.

Notes:
Pixiv said business impact is an important factor in how the company rates the severity of a specific issue. “Please try to consider how a weakness could affect our business and add this to your report,” it said.

Visit the Pixiv bug bounty page at HackerOne for more info

Razer

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,000

Outline:
Gamers’ lifestyle brand Razer has rolled out an expansive bug bounty program that puts dozens of the company’s web assets up for testing.

Notes:
Out-of-scope issues include clickjacking, unauthenticated CSRF, attacks that require physical access to a device, and man-in-the-middle attacks, among others.

Visit the Razer bug bounty page at HackerOne for more info

Xfinity Home (enhanced)

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Comcast-owned Xfinity Home is pegged as a complete security solution for domestic environments. The reward range for critical severity vulnerabilities was originally capped at $3,500, but this program has now been enhanced.

Notes:
Comcast may now reward up to $10,000 to hackers who can bypass armed systems or gain remote access to cloud storage videos.

Visit the Xfinity Home bug bounty page at Bugcrowd for more info

Other bug bounty and VDP news:


To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Additional reporting by James Walker.
