He is also the seventh researcher to earn over a million dollars in just two years, a milestone he reached, receiving over $300,000 in just 90 days.

Iordach told HackerOne that he lived in Germany for the past six years with his wife and two dogs. His interest in hacking and vulnerabilities rised after the HackAttack workshop in Hamburg in mid-2016. Then the expert was still studying at the university, but at the end of 2017 he was already seriously engaged in hunting for bugs, continuing to work as a full-stack developer.

Soon, the researcher received the highest rank of The Assassin at the Singapore hacking event h1-65, and in 2019 he defended his title in London, during h1-4420.

Let me remind you that there are currently only nine bug hunters on HackerOne who have earned over $ 1,000,000. The first two millionaires appeared on HackerOne last spring. The first record holder was Santiago Lopez (@try_to_hack) from Argentina. He was self-taught when he signed up for HackerOne in 2015, at the age of sixteen. Over the years, he has found over 1,600 vulnerabilities, including in solutions from Twitter and Verizon Media.

HackerOne’s second millionaire is Briton Mark Lichfield (@mlitchfield). He has already helped to fix over 900 bugs in products from companies such as Dropbox, Yelp, Venmo, Starbucks, Shopify, and Rockstar Games.

According to the head of HackerOne, during the entire existence of the project, researchers have already discovered about 170,000 vulnerabilities, and the platform is now used by more than 700,000 ethical hackers.

Let me remind you that bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it in HackerOne.

The post Researcher Earned More than $ 2000000 on HackerOne appeared first on Gridinsoft Blog.

The vulnerability was discovered this summer by cybersecurity expert Parsia Hakimian and reported through the recently launched official PlayStation bug bounty program on HackerOne. The issue affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later.

The researcher found that due to problems connecting to the application via a web socket, sites opened in any browser could send requests to the application and load malicious URLs, which could then trigger arbitrary code execution on the system.

Essentially, the app set up a local web socket server that did not check the source of incoming requests, which allowed sites to send PlayStation Now requests. To successfully exploit this error, attackers must convince the PS Now user, whose device they want to hack, to open a specially crafted malicious site. For example, by sending a link to such a resource in a phishing email, leaving it on the forum, on the Discord channel, and so on.

In addition, the Electron AGL app launched by PlayStation Now may have been instructed to load specific sites using commands sent to the server’s web socket. AGL could also be used to run local applications. Moreover, the AGL Electron application allowed JavaScript to trigger new processes on loaded web pages, essentially making the code run as well.

Currently, the critical bug has already been fixed, and Hakimian received a reward of $15,000 for his discovery, despite the fact that the vulnerability did not fall under the conditions of the bug bounty: it affected a Windows application, and involved not one of target systems, included in the program (PlayStation 4 and PlayStation 5 systems, operating systems, accessories, or PlayStation Network.).

Let me remind you that the researcher accidentally found a 0-day bug in Windows 7 and Windows Server 2008.

The post PlayStation Now bug allowed execution of arbitrary code on Windows appeared first on Gridinsoft Blog.

The publication notes that bug hunting is not just a good cause that benefits the community, but also a multimillion dollar industry. As a result, some may try to abuse platforms such as HackerOne and Bugcrowd, designed to foster ethics, trust and accountability among information security professionals, for their own financial gain.

Last weekend, cybersecurity specialist Guido Vranken discovered that an Everton Melo had used a copy of an exploit he had created to report a vulnerability in the Monero bug bounty program on HackerOne. The vulnerability Vranken found in the libzmq 4.1 series back in 2019 was a critical clipboard overflow bug (CVE-2019-6250). The researcher notified the developers about it in January 2019.

“Lol someone literally copied and pasted my libzmq + analysis exploit in the [HackerOne] bug bounty and took the money”, — Vranken wrote on Twitter.

Although HackerOne engineers have previously detected and closed plagiarized reports, there is always the possibility of accidental employee error. Currently, the Monero developers have already reported that they cannot return the amount already paid to the plagiarist:

“This report was stolen (!!) from the original Guido Vranken vulnerability report without any mention of his merits. We overlooked the fact that the report was redrawn from there, as we focused on reproducing the problem and fixing it. This is incredible meanness. Please don’t do this. We contacted Guido to pay him a fee, and unfortunately we cannot withdraw the fee from Everton Melo.”

Interestingly, upon closer examination of the report, the developers determined that the 4.1 series, apparently, is not affected by the CVE-2019-6250 problem, but it is definitely vulnerable to the CVE-2019-13132 issue, and therefore it was decided that Melo still has the right for a reward. For the same reason, the title of the report on HackerOne was changed to CVE-2019-13132 instead of CVE-2019-6250.

Let me remind you that Google recruits a team of experts to find bugs in Android applications.

The post Bughunter stole a Monero exploit from another cybersecurity specialist and received a reward for it appeared first on Gridinsoft Blog.