I had lot’s of interesting questions at the end of the talk which showed me lots of interest in the bug bounty industry.
I also I would like to thank the BSides Lisbon organization because it was a awesome event. I met so many interesting people and got the opportunity to be with my great friends.
Awesome talks in both tracks and lot’s of networking and hacking on the lounge areas.
I asked for full-disclosure of this reports so other users can learn something from it.
The OLX security report was also mentioned on a portuguese media site- Future Behind. If you know portuguese language feel free to read it.
This Summer my country – Portugal – is being devasted with wildfires in Portugal mainland and Madeira archipelago. More than 3000 firefighters made a huge effort to protect people and the forest. Most of them are volunteers so this is my small gift to them… I made a small donation to the local volunteers firefighters.
Guys I’ll be a speaker at BSides Lisbon 2016 with the talk – “The way of the bounty”.
If you want to know some of my tips and secrets on bug bounty programs don’t forget to schedule in your calendar – 11th November.
Yesterday I was exchanging some messages on Twitter – specially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue.
In my experience I know what’s the feeling of trying to help a vendor and they ignore you or in some extreme cases even “inviting” you to stop what you are doing on their website. Vendors need to understand that most security researchers are here to help – working in the same side against bad guys. The problem in this connection is trust.
Vendors don’t trust researchers.
Researchers are loosing trust on vendors. We need to fix it.
I had a bad experience with lots of big IT companies. Specially the ones I usually use on their products. I don’t go around companies and test vulnerabilities like crazy. I just like to feel more secure when using some web application.
In my opinion these are the main issues:
Lack of information on where to report a security issue
Security report gets lost in their support system
The vendor don’t reply back or just say it will be forward to the developing team
Vendor don’t update the security status
Researcher could even get threatened about the report
But not all vendors are like that. I already tried different approaches who seemed to work.
Email the vendor giving them a small presentation telling who you are and ask for the right person to deal with a security threat
After you got the email, try to schedule a online chat or even Skype meeting to establish some kind of trust between both parts.
Talk about that you found, the consequences and a possible solution.
If you manage to do all this I bet the treatment in the future will be better for you and for future researchers who try to contact them.
You as a researcher have the responsibility to prepare the path and improve the communication between vendors.
Don’t give them hell! Give them trust!
Even on bug bounty programs you have issues. Vendors who reply to your report in 1 year without even worrying about getting the researcher a feedback like:
We’re working on it. It will take some time, maybe weeks or months…
Even yesterday – Sean Mealia wrote on his Twitter that Uber changed their in-scope program after he sent a couple of security issues.
It also happened to me in a private program for a popular online newspaper. I reported a security issue where a attacker could steal users information and they categorized as “Informative” and fixed it in a couple of days.
This type of situations are not good for the business. Vendors must respect the researchers and visa-versa.
Well this are my thoughts about this, feel free to share yours in the comments section.
Found this vulnerability when auditing other client. With this RFDÂ you don’t need to create a page to force the download.
The request for this Google JSON file already do this for us.
Guess what? I got a URL that automatically shows the download dialog from Google with a batch file.
I tried successfully with the following browsers:
Firefox latest version
Opera latest version
Internet Explorer 8 and 9
What are the limitations?
I noticed in my testing that most of the chars are being sanitized so it only allows you to use one command without spaces or arguments.
Proof-of-concept:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
[when the batch is executed the Windows calculator opens]
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
[when the batch is executed the system logoffs the authenticated user]
Possible attack scenario:
Attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim.
Victim downloads the file and execute it.
After execution of the batch file it will logoff the victim from the operating system.
I made a small video that illustrates my proof-of-concept:
Google decided that this issue has very little or no security impact. Personally I don’t agree but that’s my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix this soon.
As a security researcher I always try to find different ways to bypass security specially related to Reflected File Download. So I tried to inject a RFD vector on the parameter “oncomplete”:
I’ve been blessed with the opportunity to help others in need so yesterday I delivered more food to a local animal shelter.
I was received with a big smile and warm hug from the shelter owner. I also had the chance of checking a 22 year old female dog called “Docas”. Such a sweet thing 🙂
Also I contributed with the yearly maintenance of the web hosting and domain of a public health institution. They care so much for their patients and give their best everyday so I decided they deserve a small help from my part.
Helping others is something that we all should do. You don’t need to donate money.
Sometimes just listening is helping…
This website uses cookies to improve your experience. No personal data is stored. I'll assume you're ok with this, but you can opt-out if you wish.AcceptRejectRead More
