HackerOne Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/hackerone/ Mon, 28 Dec 2020 21:57:04 +0000

Researcher Earned More than $ 2000000 on HackerOne https://gridinsoft.com/blogs/researcher-earned-more-than-2000000-on-hackerone/ Mon, 28 Dec 2020 21:57:04 +0000

The post Researcher Earned More than $ 2000000 on HackerOne appeared first on Gridinsoft Blog.

HackerOne representatives said that Romanian cybersecurity specialist Cosmin Iordach (@inhibitor181) became the first researcher in the history of the platform to earn more than $2,000,000 from bug bounties.

He was also the seventh researcher on the platform to pass one million dollars, a milestone he reached after roughly two years of bug hunting; he then added the second million in under a year, receiving over $300,000 in the last 90 days alone.

“334 days ago, we announced Cosmin as the 7th hacker to reach $1 million dollars in earnings. Today we celebrate his achievement to be the FIRST to reach $2 million! Please join us in congratulating @inhibitor181!”, the HackerOne team wrote on Twitter.

Iordach told HackerOne that he has lived in Germany for the past six years with his wife and two dogs. His interest in hacking and vulnerabilities was sparked by the HackAttack workshop in Hamburg in mid-2016. At the time he was still a university student, but by the end of 2017 he was already seriously engaged in bug hunting while continuing to work as a full-stack developer.

Soon afterwards the researcher earned the top title of “The Assassin” at the Singapore live hacking event h1-65, and in 2019 he defended that title in London during h1-4420.

“Cosmin Iordach has discovered 468 vulnerabilities in total, including ones in Verizon Media, PayPal, Dropbox, Facebook, Spotify, AT&T, TikTok, Twitter, Uber and GitHub, as well as a number of bugs in US Department of Defense systems”, HackerOne said.

Let me remind you that there are currently only nine bug hunters on HackerOne who have earned over $1,000,000. The first two millionaires appeared on HackerOne in the spring of 2019. The first record holder was Santiago Lopez (@try_to_hack) from Argentina. He was self-taught when he signed up for HackerOne in 2015 at the age of sixteen. Over the years he has found over 1,600 vulnerabilities, including in products from Twitter and Verizon Media.

HackerOne’s second millionaire is Briton Mark Litchfield (@mlitchfield). He has already helped fix over 900 bugs in products from companies such as Dropbox, Yelp, Venmo, Starbucks, Shopify, and Rockstar Games.

According to the head of HackerOne, over the platform’s existence researchers have discovered about 170,000 vulnerabilities, and the platform is now used by more than 700,000 ethical hackers.

Let me remind you that a bug hunter stole a Monero exploit from another cybersecurity specialist and received a reward for it on HackerOne.


PlayStation Now bug allowed execution of arbitrary code on Windows https://gridinsoft.com/blogs/playstation-now-bug-allowed-execution-of-arbitrary-code-on-windows/ Tue, 08 Dec 2020 22:47:39 +0000

The post PlayStation Now bug allowed execution of arbitrary code on Windows appeared first on Gridinsoft Blog.

A critical bug, now fixed, in the PlayStation Now app for Windows could be used by malicious sites to execute arbitrary code. Let me remind you that the service already has over 2,000,000 users.

The vulnerability was discovered this summer by security researcher Parsia Hakimian and reported through the recently launched official PlayStation bug bounty program on HackerOne. The issue affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later.

The researcher found that, because of how the application accepted WebSocket connections, a site opened in any browser on the same machine could send requests to the application and make it load attacker-controlled URLs, which could then lead to arbitrary code execution on the system.

“The PlayStation Now application version 11.0.2 is vulnerable to remote code execution (RCE). Any website loaded in any browser on the same machine can run arbitrary code on the machine through a vulnerable websocket connection”, Parsia Hakimian wrote on HackerOne.

Essentially, the app started a local WebSocket server that did not verify the origin of incoming connections, so any web page running in a browser on the same host could open a connection and send the app commands. To exploit the bug, an attacker only had to get the targeted PS Now user to open a specially crafted malicious site, for example by sending the link in a phishing email, posting it on a forum or in a Discord channel, and so on.

In addition, the AGL Electron application launched by PlayStation Now could be instructed, via commands sent to the WebSocket server, to load arbitrary sites. AGL could also be used to launch local applications. Moreover, the AGL Electron application allowed JavaScript on the pages it loaded to spawn new processes, which amounts to code execution as well.

The critical bug has since been fixed, and Hakimian received a $15,000 reward for his discovery, even though the vulnerability was technically out of scope for the bug bounty: it affected a Windows application rather than one of the program’s target systems (PlayStation 4 and PlayStation 5 consoles, their operating systems, accessories, or the PlayStation Network).

“My $15K PlayStation bug has finally been disclosed. My one and only tip is to read every single @taviso bug. This is essentially two of his public bugs chained together”, Parsia Hakimian wrote on Twitter.

Let me remind you that a researcher recently found a 0-day bug in Windows 7 and Windows Server 2008 by accident.


Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it https://gridinsoft.com/blogs/bughunter-stole-a-monero-exploit-from-another-cybersecurity-specialist-and-received-a-reward-for-it/ Tue, 20 Oct 2020 16:48:53 +0000

The post Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it appeared first on Gridinsoft Blog.

Bleeping Computer reporters drew attention to an interesting case in the Monero bug bounty program on HackerOne: a bug hunter submitted an exploit for a Monero vulnerability that had been discovered by someone else and received a reward for it.

The publication notes that bug hunting is not just a good cause that benefits the community but also a multimillion-dollar industry. As a result, some people may try to abuse platforms such as HackerOne and Bugcrowd, which are designed to foster ethics, trust and accountability among information security professionals, for their own financial gain.

Last weekend, security researcher Guido Vranken discovered that one Everton Melo had used a copy of an exploit Vranken had written to report a vulnerability to the Monero bug bounty program on HackerOne. The vulnerability Vranken had found in libzmq back in 2019 was a critical pointer overflow (CVE-2019-6250) that could lead to code execution; he notified the developers about it in January 2019.

“Lol someone literally copied and pasted my libzmq + analysis exploit in the [HackerOne] bug bounty and took the money”, — Vranken wrote on Twitter.

Although HackerOne staff have detected and closed plagiarized reports before, there is always the possibility of a reviewer slipping up. The Monero developers have since stated that they cannot recover the amount already paid to the plagiarist:

“This report was stolen (!!) from the original Guido Vranken vulnerability report without any credit to him. We overlooked the fact that the report was copied from there, as we focused on reproducing the problem and fixing it. This is incredible meanness. Please don’t do this. We contacted Guido to pay him a fee, and unfortunately we cannot withdraw the fee from Everton Melo.”


Interestingly, on closer examination of the report the developers determined that the libzmq 4.1 series apparently is not affected by CVE-2019-6250 but is definitely vulnerable to CVE-2019-13132, and on that basis they decided that Melo was still entitled to a reward. For the same reason, the title of the report on HackerOne was changed to refer to CVE-2019-13132 instead of CVE-2019-6250.

Let me remind you that Google is recruiting a team of experts to find bugs in Android applications.

