New web targets for the discerning hacker

The ethical hacking community saw a big boost this month, with the news that the US Supreme Court has tightened up the definition of unauthorized access.

Previously, penetration testers and ethical hackers ran the risk of being deemed to have violated the Computer Fraud and Abuse Act (CFAA).

Now, though, the court has ruled that the act potentially criminalized “a breathtaking amount of commonplace computer activity”, and that violations only take place where data is accessed from prohibited files, folders, or databases.

In program news, Asian e-commerce giant Lazada has kicked off its first public bug bounty program with YesWeHack, offering up to $10,000 for successful vulnerability reports.

And in another first, the US Cybersecurity and Infrastructure Security Agency (CISA) has launched a federal civilian security vulnerability disclosure program (VDP) in partnership with Bugcrowd. Researchers are invited to test for vulnerabilities in Federal Civilian Executive Branch (FCEB) agencies.

Meanwhile, GitHub is aiming to become more bug-hunter-friendly, with an update to its policy on malware and exploit research. Dual-use security research and collaboration on GitHub is now explicitly permitted, though this permission will be withdrawn if abused.

In payout news, Indian bug hunter Mayur Fartade has netted $30,000 for revealing a vulnerability in Instagram that potentially exposed victims’ private content. The exploit involved brute-forcing the target’s Media ID and sending a POST request to one of two vulnerable endpoints.

There was a $3,000 payout for Nepalese security researcher Samip Aryal, who discovered a vulnerability in Facebook’s Messenger Rooms video chat feature that allowed attackers to access a victim’s private Facebook photos and videos and to submit posts on their behalf, even on locked devices.

And finally, a poll of security researchers who reported vulnerabilities through alternative channels has revealed that many flaws appear to go unpatched.

Belgium-based bug bounty platform Intigriti found that 12% believed their submission was not successful in reaching security teams, while 19% were unsure about the outcome.


The latest bug bounty programs for July 2021

The past month saw the arrival of just a few new bug bounty programs. Here’s a list of the latest entries:

Bunicorn

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$50,000

Outline:
Bunicorn, which describes itself as an automated market maker (AMM) decentralized exchange, is asking security researchers to help prevent loss of user funds by looking for both web security vulnerabilities and smart contract/blockchain flaws.

Notes:
Bunicorn has included a link to its smart contracts as well as a list of in-scope vulnerabilities. Among the issues to look out for are bugs that enable economic or financial attacks, remote code execution, and SQL injection.

Check out the Bunicorn bug bounty page at HackenProof for more details


Elementor (enhanced)

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Elementor, an open source WordPress plugin, has expanded its public bug bounty program.

Notes:
The targets for this engagement are the Elementor application, the primary Elementor website, and the Public API. The target web applications are WordPress instances. There is a fairly short list of exclusions, which should be reviewed before taking part in the program.

Check out the Elementor bug bounty page at Bugcrowd for more information


Microsoft Quantum

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$50,000

Outline:
Microsoft has launched its own bug bounty program, asking security researchers to attempt to break its SIKE (Supersingular Isogeny Key Encapsulation) cryptographic algorithm in exchange for big monetary rewards.

Notes:
The new target is being touted as a challenge, but is still subject to Microsoft’s bug bounty rules and conditions. Prizes are up for grabs for solving two instances of the algorithm, which can be viewed online.

Check out the Microsoft Quantum bug bounty page for more information


Compiled by Jessica Haworth. Introduction by Emma Woollacott. Additional reporting by James Walker.