New web targets for the discerning hacker

Bug Bounty Radar January 2022

The year was rounded off with claims that a patch issued by Microsoft for a drive-by remote code execution (RCE) vulnerability in Windows 10 failed to solve the problem.

The security flaw affected Windows 10 via the Internet Explorer 11/Edge Legacy browsers and Microsoft Teams. However, researchers from Positive Security said the vulnerability was still present in the operating system five months after the fix.

December also saw the discovery of critical vulnerabilities in open source forum platform NodeBB that could allow attackers to steal private information and access admin accounts.

The issues – a path traversal bug, cross-site scripting (XSS) flaw, and authentication bypass vulnerability – were uncovered by SonarSource and have now been patched.

Meanwhile, flaws in Tonga’s top-level domain left attackers able to modify the nameservers of any domain thanks to a vulnerability in the registrar’s website.

Luckily, after web security firm Palisade disclosed the issue, the Tonga Network Information Center (Tonic) was able to fix the bug in under 24 hours, before it had been exploited.

A 19-year-old hacker from Nepal netted a $4,500 bounty for a Facebook flaw that allowed attackers to reveal the identity of page administrators. The researcher, Sudip Shah, says Facebook moved quickly to fix the insecure direct object reference (IDOR) vulnerability.

And Egyptian security researcher Momen Ali found a potentially serious server-side request forgery (SSRF) vulnerability in Russian search and internet services giant Yandex, earning a spot in the organization’s Hall of Fame.

Meanwhile, a report from bug bounty platform HackerOne revealed that it has received more than 66,000 valid vulnerability reports this year, up 22% from 2020 – while bounty prices for high severity and critical vulnerabilities are rising.

In program news, the US Department of Homeland Security (DHS) has launched a bug bounty with the aim of developing a model that can be used by other government organizations. The program, spread across the year, will consist of a pen test, a live hacking event, and a detailed review process.

And finally, Intel has launched a bug bounty program with Belgium-based Intigriti after switching from working with HackerOne. The payout ceiling for the most critical bugs has been raised from $100,000 to $150,000 on select lines of hardware and firmware.


The latest bug bounty programs for January 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Bitkub

Program provider: HackenProof

Program type: Public

Max reward: $3,000

Outline: Bitkub, a digital asset and cryptocurrency exchange, is asking researchers to find vulnerabilities in its domain and mobile apps.

Notes: The company’s top three vulnerabilities are business logic issues, payments manipulation, and remote code execution, which will likely earn the maximum bounty for critical issues.

Check out the Bitkub bug bounty page at HackenProof for more details

Exmo

Program provider: HackenProof

Program type: Public

Max reward: $3,000

Outline: Cryptocurrency exchange Exmo, which was founded in 2014, is looking for reports on a number of web, API, and app targets.

Notes: There are also a number of out-of-scope web targets, which should be consulted beforehand.

Check out the Exmo bug bounty page at HackenProof for more details


ATG

Program provider: YesWeHack

Program type: Private

Max reward: TBC

Outline: Swedish online betting website ATG has announced a new partnership that will focus on securing its gambling and games platforms.

Notes: Although it is currently an invite-only program, ATG plans to expand to a public program at some point in the future.

Check out the ATG bug bounty page at YesWeHack for more details


Facebook (enhanced)

Program provider: Meta (formerly Facebook)

Program type: Public

Max reward: TBC

Outline: Meta, the parent company of Facebook, has expanded its bug bounty program to include scraping attacks.

Notes: The new program will pay out for loopholes in its anti-scraping protections and will also reward researchers who find Facebook data on the internet that has been collected via a scraping attack.

Check out the Facebook bug bounty page for more details

Braze (enhanced)

Program provider: Bugcrowd

Program type: Public

Max reward: $2,500

Outline: Customer engagement platform Braze has expanded its bug bounty program to the public.

Notes: Braze’s web and API platforms are both in-scope, but be warned – any testing on out-of-scope platforms will result in a ban from any Braze bug bounty programs.

Check out the Braze bug bounty page at Bugcrowd for more details

Okex

Program provider: HackenProof

Program type: Public

Max reward: $3,000

Outline: Cryptocurrency exchange Okex is asking security researchers to find bugs in its web, API, and Android platforms.

Notes: Okex’s top three vulnerabilities are also business logic issues, payments manipulation, and remote code execution.

Check out the Okex bug bounty page at HackenProof for more details


Other bug bounty and VDP news this month

  • The US Department of Homeland Security (DHS) has added Log4j to its Hack The DHS program.

  • Intigriti released a list of its Top 20 bug bounty YouTubers, which you can find here.

  • HackerOne has published its year in review for 2021, where hackers can share their stats and their goals for 2022.


Additional reporting by Emma Woollacott.


PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for December 2021