A bypass of Facebook’s SMS-based two-factor authentication (2FA) made it into Meta’s most impressive bug bounty finds of 2022.
However, it seems Facebook’s parent company initially didn’t fully appreciate the vulnerability, offering a $3,000 bounty before eventually revising the reward upwards to $27,200.
“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” security researcher Manoj Gautam told The Daily Swig.
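The missing control in that quote, shown as an added example that is not code from the article or from Meta: a verification endpoint that caps wrong guesses per contact point, discards the pending code once the budget is spent, and locks the contact point for a cool-down. The attempt limit, lock duration and the `exhaustive_guess` test client are assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Assumed policy values (not from the article): wrong guesses per code, cool-down after.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class ContactVerifier:
    """Rate-limited verification of one-time codes sent to a phone or email."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # contact -> [code, failed attempts]
        self._locked = {}    # contact -> monotonic time when the lock expires

    def start(self, contact):
        """Issue a fresh 6-digit code for the contact point (None while locked)."""
        if self._clock() < self._locked.get(contact, 0.0):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[contact] = [code, 0]
        return code

    def verify(self, contact, guess):
        """Return 'ok', 'wrong', 'locked' or 'no_pending'."""
        if self._clock() < self._locked.get(contact, 0.0):
            return "locked"
        entry = self._pending.get(contact)
        if entry is None:
            return "no_pending"
        if hmac.compare_digest(entry[0], guess):   # constant-time compare
            del self._pending[contact]
            return "ok"
        entry[1] += 1
        if entry[1] >= MAX_FAILURES:   # budget spent: drop the code, lock the contact
            del self._pending[contact]
            self._locked[contact] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def exhaustive_guess(verifier, contact):
    """Test client: try every 6-digit code; return (succeeded, attempts made)."""
    for n in range(10**6):
        result = verifier.verify(contact, f"{n:06d}")
        if result == "ok":
            return True, n + 1
        if result in ("locked", "no_pending"):
            return False, n + 1
    return False, 10**6
```

Without the failure budget the test client would walk through all one million codes; with it, guessing stops after MAX_FAILURES attempts and the contact point cannot be re-verified until the lock expires.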
In other bug bounty news this month, a hacker duo documented Google Cloud Platform (GCP) research that resulted in six payouts totalling more than $22,000.
The most lucrative find for Sreeram KL and Sivanesh Ashok led to a double $5,000 reward for a server-side request forgery (SSRF) bug and subsequent patch bypass in machine learning platform Vertex AI.
Outlined across four blog posts, their bug bounty exploits also included an SSH key injection issue in Google Cloud’s Compute Engine and flaws in Theia and Cloud Workstations.
Cross-origin resource sharing (CORS) misconfigurations were the focus of a third bug bounty writeup covered by The Daily Swig this month.
Exploits fashioned for multiple private programs – notably including Tesla – earned Truffle Security researchers a “few thousand dollars” and vindicated their hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS [cross-origin resource sharing] misconfigurations”.
Fresh hacking opportunities on the horizon, meanwhile, include the US Department of Defense (DoD)’s third annual Hack The Pentagon challenge and the Zero Day Initiative’s (ZDI’s) inaugural Pwn2Own Automotive, slated for January 2024.
The latest bug bounty programs for February 2023
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
8x8
Program provider:
HackerOne
Program type:
Public
Max reward:
$1,337
Outline:
The US provider of business communication technologies has invited hackers to probe its websites, mobile apps, and services such as Jitsi, its open source video meeting software.
Notes:
Despite the relatively modest top bounty on offer, 8x8 has already paid out more than $90,000 in bounties within a month of its launch.
Check out the 8x8 bug bounty page for more details
Hedera Hashgraph
Program provider:
HackerOne
Program type:
Public
Max reward:
$30,000
Outline:
Hedera Hashgraph describes itself as “a responsibly governed decentralized network”, with the Hedera Governing Council comprising “enterprises, web3 projects, and prestigious universities”.
Notes:
There are seven assets in scope including services and mirror node codebases, Java and JavaScript SDKs, testnet API endpoints, and testnet mirror node APIs.
Check out the Hedera Hashgraph bug bounty page for more details
Hyperlane
Program provider:
Immunefi
Program type:
Public
Max reward:
$2.5 million
Outline:
Hyperlane describes itself as a modular interoperability platform that empowers developers to build interchain applications: apps that can easily and securely communicate between blockchains.
Notes:
The life-changing maximum reward is on offer for critical bugs on smart contracts, whereas application flaws can command payouts of up to $20,000.
Check out the Hyperlane bug bounty page for more details
Kiwi.com
Program provider:
HackerOne
Program type:
Public
Max reward:
$5,000
Outline:
Czech online travel agency Kiwi.com provides a fare aggregator, metasearch engine, and booking function for airline tickets and ground transportation.
Notes:
In-scope targets include the main website, kiwi.com; tequila.kiwi.com; jobs.kiwi.com; source code; APIs and internal tools; and mobile applications.
Check out the Kiwi.com bug bounty page for more details
Net+
Program provider:
GObugfree
Program type:
Mix of public and private
Max reward:
CHF5,000 ($5,389)
Outline:
Netplus.ch, which provides internet, telephony, and TV services to more than 220,000 users in Switzerland, is paying between CHF 2,000-5,000 for critical bugs.
Notes:
New targets are initially restricted to the private program for a period of initial testing, before being opened up to the broader hacking community within the public program.
Check out the Net+ private and public bug bounty pages for more details
Open-Xchange (OX) App Suite
Program provider:
YesWeHack
Program type:
Public
Max reward:
€5,000 ($5,430)
Outline:
Open-Xchange’s OX App Suite is an open source email and productivity suite that purports to favor security by default rather than security through obscurity.
Notes:
Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.
Check out the OX App Suite bug bounty page for more details
Open-Xchange Dovecot
Program provider:
YesWeHack
Program type:
Public
Max reward:
€5,000 ($5,430)
Outline:
Dovecot is Open-Xchange’s IMAP, POP3, and submission server for email, used within multiple operating systems and by “millions of operators”.
Notes:
Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.
Check out the Dovecot bug bounty page for more details
Open-Xchange PowerDNS
Program provider:
YesWeHack
Program type:
Public
Max reward:
€5,000 ($5,430)
Outline:
PowerDNS is a DNS server that enables domain resolution and network security features.
Notes:
Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.
Check out the PowerDNS bug bounty page for more details
S-Pankki
Program provider:
HackerOne
Program type:
Public
Max reward:
$4,000
Outline:
The Finnish bank is offering up to $4,000 for critical vulnerabilities, $2,000 for high severity flaws, and $1,000 for medium severity bugs.
Notes:
There are 11 assets in scope, including nine domains plus iOS and Android mobile applications.
Check out the S-Pankki bug bounty page for more details
Superbet
Program provider:
HackerOne
Program type:
Public
Max reward:
$2,000
Outline:
The Romanian online gaming company is offering a maximum of $2,000 for critical bugs, $1,000 for high severity issues, and $250 for medium impact vulnerabilities.
Notes:
Just the one asset in scope: the superbet.ro domain.
Check out the Superbet bug bounty page for more details
Swiss Bankers
Program provider:
GObugfree
Program type:
Private
Max reward:
Undisclosed
Outline:
Swiss Bankers is a financial services firm specializing in prepaid credit cards, mobile payment, and money transfer.
Notes:
Hackers can participate by invitation only.
Check out the Swiss Bankers bug bounty page for more details
Threema (Enhanced)
Program provider:
GObugfree
Program type:
Public
Max reward:
CHF10,000 ($10,778)
Outline:
Swiss instant messenger service Threema has upped maximum payouts from CHF4,000 ($4,311) to CHF10,000 ($10,778) after launching the program in May 2022.
Notes:
This news comes after the privacy-focused software disputed claims that there were several security flaws in its encrypted messaging platform.
Check out the Threema bug bounty page for more details
TRON DAO
Program provider:
HackerOne
Program type:
Public
Max reward:
$5,000
Outline:
TRON DAO is an open source platform for creating decentralized applications, new financial primitives, and interoperable blockchains.
Notes:
TRON’s Java source code is currently the sole asset in scope.
Check out the TRON DAO bug bounty page for more details
Wato-soft
Program provider:
GObugfree
Program type:
Private
Max reward:
Undisclosed
Outline:
Wato-soft is a Swiss IT services firm specializing in enterprise resource planning (ERP) software.
Notes:
Hackers can participate by invitation only.
Check out the Wato-soft bug bounty page for more details
Other bug bounty and VDP news this month
- An Amazon virtual hacking event with HackerOne was the platform’s highest paying virtual event ever, with more than 50 security researchers collectively earning $832,135. The 10-day hackathon’s overall winner was @jonathanbouman, while ‘Best Team Collaboration’ went to ‘spacebaffoons’ @the_arch_angel, @spaceraccoon, and (one time Daily Swig interviewee) @ajxchapman
- As referenced in our latest Deserialized roundup, Intigriti has flagged a Belgium-wide safe harbor clause in the country’s proposed whistleblower law, and a New Scientist feature on a mathematical means of demonstrating valid exploits without risking public disclosure
- Finally, YesWeHack has penned a how-to on using Burp Suite extension Highlighter And Extractor (HaE) to surface vulnerabilities via regular expressions
Source: https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-february-2023