New web targets for the discerning hacker

December proved to be a quiet one for bug bounty program launches.

But the added downtime during the festive period was clearly put to good use considering some of the impressive bug hunting this month.

A research team nabbed a $4,000 reward for a server-side request forgery bug (SSRF) in Snapchat’s ad platform.

The group – Ben Sadeghipour, Sera Brocious, and Brett Buerhaus – were able to show that an SSRF flaw in the messaging app’s Ads Manager platform created a means to exfiltrate data from Snapchat’s internal endpoints.

More specifically, they were able to develop a custom webpage configured to utilize DNS rebinding to access sensitive web endpoints including Google’s metadata service.

Days later, another security researcher netted $3,000 for discovering a cross-site request forgery flaw in job search website Glassdoor.

By exploiting the vulnerability, attackers could take control of jobseeker profiles – enabling them to edit their profile, add or delete CVs, apply for jobs, or add reviews – and employer accounts, in which they could post or delete jobs.

Taking the exploit one step further, an attacker had the potential to gain administrative privileges over a company’s Glassdoor account, although this would require some degree of social engineering, where the victim is lured into clicking a malicious link.

Elsewhere, a digital certificate vulnerability in Nintendo 3DS bagged one bug hunter $12,000.

The certificate validation flaw in the recently discontinued Nintendo 3DS handheld console created a mechanism to run manipulator-in-the-middle (MitM) attacks against gamers before it was resolved.

Finally, the delayed third edition of the US Department of Defense’s ‘Hack the Army’ bug bounty program is due to take place next month.

Hack the Army 3.0 – a collaboration between the US Army Cyber Command, Defense Digital Service, and vulnerability disclosure platform HackerOne – is scheduled to run from January 6 until February 17, 2021, or until funds are exhausted.


The latest bug bounty programs for December 2020

December saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Google Chrome V8

Program provider:
Google

Program type:
Public bug bounty

Max reward:
n/a

Outline:
Google is offering enhanced bonus rewards for vulnerabilities in its V8 Javascript engine.

Notes:
Although specific figures have not been released, Google rewards generously – the maximum payout on its VDP is $150,000.

Visit the Google Chrome bug bounty page for more info


HostGator LATAM

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
n/a

Outline:
Web hosting provider HostGator has launched a bug bounty program to check for vulnerabilities in its Latin American assets.

Notes:
Details on the rewards offered have not yet been made public, but there are plenty of assets to be tested. The only out-of-scope attack listed is cross-site request forgery.

Visit the HostGator LATAM bug bounty page for more info


SKALE Network

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
SKALE Network describes itself as “a fully asynchronous binary Byzantine Fault Tolerant consensus that incorporates BLS threshold cryptography and a Trusted Execution Environment (SGX) to provide performant sidechains that are 100% Ethereum compatible”. Researchers are encouraged to find vulnerabilities in four of its assets.

Notes:
Although the highest reward for critical bugs is enticing, it should be pointed out that the average payout is $150-$300.

Visit the SKALE Network bug bounty page for more info


US Federal Reserve

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
n/a

Outline:
The US Federal Reserve, the nation’s central bank, is asking security researchers to test its web applications. Hackers are asked to detect a vulnerability or identify an indicator related to a vulnerability and share or receive Federal Reserve information about a vulnerability or an indicator related to a vulnerability.

Notes:
There are a number of out-of-scope targets which should be checked before testing. Also, this is a vulnerability disclosure program (VDP), meaning it does not offer a financial reward.

Visit the US Federal Reserve bug bounty page for more info


WHO Covid-19 mobile app

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
n/a

Outline:
Researchers are asked to test the World Health Organization (WHO) Covid-19 mobile app for iOS and Android. The app itself is open source, and the WHO said it welcomed fixes for any vulnerabilities.

Notes:
The program is also a VDP which doesn’t offer a financial reward. Only the mobile app is in scope, not any of the WHO’s other infrastructure. DDoS attacks are also excluded.

Visit the Who Covid-19 mobile app bug bounty page for more info


Other bug bounty and VDP news:

  • Apple has lost its lawsuit against Corellium, a security start up that produces bug hunting software for iOS and MacOS products.
  • The UK Ministry of Defence has launched a bug bounty program, promising safe harbor for hackers.
  • A Romanian hacker called Cosmin has become the first to earn $2 million in bug hunting payouts, beating the $1 million record set by Argentina’s Santiago Lopez.
  • Twitter was fined €450,000 for breaching GDPR rules, after its bug bounty program unearthed serious privacy vulnerabilities.
  • And Chloé Messadaghi called for policy leaders to promote VDPs to “actively encourage independent researchers to help harden the security of both public and private sector entities”.


To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


READ MORE Bug Bounty Radar // November 2020