Episode 23 Blogcast: Massive Week for Hacking News

Internet breaking hacks, Summoning Team coming through, Zoom's new vulnerability scoring system, and more in today's blog!

Make sure to check out episode 23 of the podcast to hear Justin and Joel's direct takes!

News and Opinions

Hackcompute Shows Us What "Hack the Planet" Really Means

Security professional and bug bounty hunter Alex Chapman put it this way: "The work being done here by @infosec_au, @samwcyo, @bbuerhaus and @rhyselsmore reminds me of the work of @L0phtHeavyInd back in the day. Real internet breaking hacks." He was referring to an article the hackcompute group released early last week.

Two facts stand out about this article:

  • The sheer magnitude of this hack.

  • New bands of hackers highlighting world-breaking problems.

The group went after global infrastructure by finding vulnerabilities in the registries behind country-code top-level domains (ccTLDs) and other top-level domains (TLDs). They did it by exploiting Extensible Provisioning Protocol (EPP) servers and the CoCCA Registry Software that many internet registries run, which could potentially allow control over the domains under those TLDs, a significant part of the global internet's infrastructure.

Not long ago, this sort of hack could easily have landed jail time. It shows the delicate line hackers have to walk, even with good intentions. L0pht Heavy Industries was the influential group that demonstrated to the U.S. Congress in 1998 just how frail the internet's infrastructure was, and set the groundwork for future researchers. In his AFK interview, Jason Haddix discusses how that stigma has changed over the last 15 years.

Good-faith research keeps reminding society how fragile and neglected our infrastructure can become amid all the hustle and bustle. It should reinforce the idea that incentivizing this work is crucial.

Hats off to hackcompute for pushing boundaries for a safer internet!

Who Do I Contact About My Hack?

What do you do if a company you found vulnerable doesn't have a security contact, a bug bounty program, or a vulnerability disclosure program (VDP)? Well, you're going to have to do some digging.

Luckily, Priyanjana Bengani and Jon Keegan put together a guide called "Behind This Website." It is a head start in working out who owns a website from open-source information.
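Before you go digging through ownership records, check the two artifacts that are meant to carry a security contact: the site's /.well-known/security.txt (RFC 9116) and the RNAME mailbox in its DNS SOA record. The script below is an added example, not code from the post or from the "Behind This Website" guide; it parses constructed samples of both offline, so the file contents and the RNAME value are assumptions rather than any real site's data.

```python
"""Added example: extract a security contact from a security.txt body and a DNS SOA
RNAME. Both inputs below are constructed samples, not fetched from any real site."""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of what `curl https://example.com/.well-known/security.txt`
# could return (RFC 9116 format). Not a real site's file.
SAMPLE_SECURITY_TXT = """\
# constructed example file
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample RNAME as `dig +short SOA example.com` would print it: RFC 1035
# writes the mailbox with its '@' as a dot, and escapes a literal dot as '\.'.
SAMPLE_SOA_RNAME = "hostmaster\\.ops.example.com."


def parse_security_txt(text: str, now_iso: Optional[str] = None) -> dict:
    """Return the Contact URIs and whether the file is still valid.

    RFC 9116 requires at least one Contact and an Expires field, and a file past
    its Expires date must not be trusted, so validity is reported explicitly.
    now_iso lets a caller pin the reference time (RFC 3339 string); default is UTC now.
    """
    fields: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a 'Field: value' line
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    contacts = fields.get("contact", [])
    expires_raw = fields.get("expires", [None])[0]
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    expired = True  # a missing Expires field makes the file non-compliant
    if expires_raw:
        expires = datetime.fromisoformat(expires_raw.replace("Z", "+00:00"))
        expired = expires <= now
    return {"contacts": contacts, "valid": bool(contacts) and not expired}


def soa_rname_to_email(rname: str) -> str:
    """Turn an SOA RNAME into a mailbox: the first unescaped dot becomes '@'.

    'hostmaster\\.ops.example.com.' must split after 'ops', not at the escaped dot.
    """
    rname = rname.rstrip(".")
    # Local part: any run of escaped characters or non-dot, non-backslash characters.
    m = re.match(r"^((?:\\.|[^.\\])*)\.(.+)$", rname)
    if not m:
        return rname  # no dot at all; return as-is
    local = m.group(1).replace("\\.", ".")
    return f"{local}@{m.group(2)}"


def security_contacts(security_txt: str, soa_rname: str, now_iso: Optional[str] = None) -> list:
    """Contacts in the order worth trying: security.txt (if valid), then the SOA mailbox."""
    parsed = parse_security_txt(security_txt, now_iso)
    contacts = list(parsed["contacts"]) if parsed["valid"] else []
    contacts.append("mailto:" + soa_rname_to_email(soa_rname))
    return contacts


if __name__ == "__main__":
    for c in security_contacts(SAMPLE_SECURITY_TXT, SAMPLE_SOA_RNAME):
        print(c)
```

The expiry check matters in practice: an expired security.txt is often a sign the mailbox behind it is no longer read, so fall back to the SOA mailbox, the registrar's abuse contact from WHOIS, or the ownership trail the guide walks through.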

Summoning Team

Summoning Team walks through reporting a straightforward command injection in a "create support bundle" function, a feature commonly found in enterprise software. Such functions are often implemented by shelling out to system commands with user-supplied input, which makes them a goldmine for hackers.

At first glance, the endpoint looks unreachable: a simple reverse proxy in front of the application filters out that specific route. But the devil is in the details. By abusing how Nginx handles dot segments in directory paths, they bypass the filter and hit the same endpoint on the backend. It's a trick that is not immediately obvious, and a testament to their ingenuity.
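The two ingredients above, a handler that shells out with user input and a route filter that does not see the path the way the backend does, are worth seeing side by side. The following is an added example written for this post; it is not the Summoning Team's code, the affected product's code, or the exact request they used, which the post does not give. The route, the tar command line, and the function names are assumptions for illustration, and the filter is a generic string-match deny rule rather than a reproduction of the Nginx configuration in the write-up.

```python
"""Added example (not the Summoning Team's or the vendor's code): an injectable
'create support bundle' handler beside a hardened one, and a route deny rule that
disagrees with the backend about dot segments. Names and paths are assumptions."""
import posixpath
import re
import subprocess

BUNDLE_DIR = "/var/tmp/support"           # assumed output directory
BLOCKED_ROUTE = "/api/v1/support-bundle"  # assumed route the front-end filter hides


def build_bundle_command_vulnerable(bundle_name: str) -> str:
    """The naive implementation: the user-controlled name is interpolated into a
    shell string that is then run with shell=True. Anything after ';', '|', '$(' or
    a backtick in bundle_name is executed as its own command."""
    return f"tar -czf {BUNDLE_DIR}/{bundle_name}.tgz /var/log/app"


def is_safe_bundle_name(bundle_name: str) -> bool:
    """Allow-list: short, alphanumeric plus dash/underscore, so no path separators,
    whitespace, quotes or shell metacharacters can appear in the name."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", bundle_name) is not None


def build_bundle_command_safe(bundle_name: str) -> list:
    """Hardened version: validate the name, then build an argv list instead of a
    shell string. With shell=False each list element becomes exactly one argument
    and no shell ever parses it."""
    if not is_safe_bundle_name(bundle_name):
        raise ValueError(f"invalid bundle name: {bundle_name!r}")
    return ["tar", "-czf", f"{BUNDLE_DIR}/{bundle_name}.tgz", "/var/log/app"]


def run_bundle(bundle_name: str) -> None:
    """How the safe command is executed (not exercised by the example's checks)."""
    subprocess.run(build_bundle_command_safe(bundle_name), shell=False, check=True)


def route_blocked_raw(path: str) -> bool:
    """Deny rule evaluated as a string comparison on the path exactly as received."""
    return path == BLOCKED_ROUTE


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments and repeated slashes, the way most backend
    routers do before matching a handler."""
    return posixpath.normpath(path)


def route_blocked_normalized(path: str) -> bool:
    """The same deny rule, evaluated on the path the backend will actually route on."""
    return normalize_path(path) == BLOCKED_ROUTE


if __name__ == "__main__":
    for p in ["/api/v1/support-bundle", "/api/v1/./support-bundle", "/api/v1/x/../support-bundle"]:
        print(f"{p:32} raw-blocked={route_blocked_raw(p)!s:5} normalized-blocked={route_blocked_normalized(p)}")
```

The point of the second half is the mismatch, not any single payload: a filter that matches the literal path lets `/api/v1/./support-bundle` through, while the backend normalizes it to the blocked route and serves the handler. One caveat when reading the write-up: Nginx itself normalizes dot segments before `location` matching, so where exactly the filter and the backend diverge depends on the specific configuration, which is the detail the Summoning Team post is worth reading for.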

Shoutout to Sina for the blog post, and to the Zero Day Initiative, which participated in the research!

Zoom VISS Scoring System

The new word of the day is "Backronym."

Definition: "An acronym deliberately formed from a phrase whose initial letters spell out a particular word or words, either to create a memorable name or as a fanciful explanation of a word's origin."

Having a personal backronym is great for getting a particular point across. But how will people get it if nobody else already uses it?

Zoom's Vulnerability Impact Scoring System (VISS) feels like a backronym for how bounty payments are supposed to be codified. Breaking impact into segments that are scored within one uniform system, with context behind each result, is a good idea: it produces a digestible document the company can accept with a well-rounded understanding of the problem.

The issue? It solves one problem by creating another: over-complication.

CVSS has troubles of its own, but it is the method most hackers already know. A new scoring method creates friction and hesitancy to report: the researcher takes on more responsibility (learning an entirely new spec from scratch), and the shared vocabulary that researchers and programs have built up in past dialogue no longer carries over.

As it stands, the bounty hunter assumes more of the risk by reporting.

LHE Highlight and Documentation Tip

Salesforce came through with backend documentation for their live hacking event (LHE). What they sent us let us understand much better what we were up against, and on an LHE timeline that is clutch: the head start let us dive into bugs right off the jump.

Combing through a company's documentation can be critical for spotting potential weak spots and inconsistencies. We talked about how, sometimes, you can exploit features that don't behave the way the documentation says they should - whether that's by design or just a slip-up. But we also touched on the darker side of things - stumbling upon less-than-stellar architectural choices inside big corporations that could put security on the line.

Regardless, dig in and try the features yourself. Check whether the application actually works as the documentation specifies; for anyone who doesn't yet know what they are looking for, spotting those anomalies is a foothold. Go piece by piece, see how each feature operates, and note where your interactions produce results that differ from what is documented.

Episode 24 is coming your way, and trust us, you won't want to miss it! Our guests will be going over one of the most nuanced areas of hacking. Stay tuned, stay curious, and keep thinking critically.