undefined | Better HN

0 pointscwkoss5y ago0 comments

If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.

Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.

I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.

0 comments

acatton5y ago

> Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.

When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"

redorb5y ago

Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.

I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..

Now I wished I would've abused it and blogged about it for the resume.

the7979795y ago

I found a bug (not security bug) in an apparel companies website allowing unlimited reuse of their £10 of vouchers. I reported and got a free t-shirt :)

1 more reply

tgsovlerkhgsel5y ago

I'd say it's a bug, but not a security bug.

Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.

Thorrez5y ago

You can still blog about it.

joeyrideout5y ago

I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.

1 more reply

hackermailman5y ago

Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraduster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds you receive nothing thanks for your time"

cwkossOP5y ago

Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."

1 more reply

pera5y ago

or just tell you "what bug? lol that never happened..."

EForEndeavour5y ago

Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.

3 more replies

kerng5y ago

There is actually a post on Twitter from a bounty hunter who got awarded $7000 dollars or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.

The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.

Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.

Sebb7675y ago

> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access

It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.

1 more reply

vmception5y ago

Exactly, this was the bug bounty

j / k navigate · click thread line to collapse

0 pointscwkoss5y ago0 comments

If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.

0 comments

acatton5y ago

> Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.

When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"

redorb5y ago

Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.

I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..

Now I wished I would've abused it and blogged about it for the resume.

the7979795y ago

I found a bug (not security bug) in an apparel companies website allowing unlimited reuse of their £10 of vouchers. I reported and got a free t-shirt :)

1 more reply

tgsovlerkhgsel5y ago

I'd say it's a bug, but not a security bug.

Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.

Thorrez5y ago

You can still blog about it.

joeyrideout5y ago

I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.

1 more reply

hackermailman5y ago

cwkossOP5y ago

Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."

1 more reply

pera5y ago

or just tell you "what bug? lol that never happened..."

EForEndeavour5y ago

Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.

3 more replies

kerng5y ago

The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.

Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.

Sebb7675y ago

> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access

1 more reply

vmception5y ago

Exactly, this was the bug bounty

j / k navigate · click thread line to collapse