White-hat cyberbug bounty nets cash - NYPOST

White-hat cyberbug bounty nets cash

By SARA ASHLEY O’BRIEN

Come on, White Hats: Hack into our system, find a bug — and make it an interesting one! This seems to be the resounding message that major online businesses are spreading.
With US spending on cybercrime security estimated to exceed $23 billion this year, according to the research company Gartner, online businesses are onto the fact that cybercrime is a very real threat.`


`Businesses like Facebook, Google, Mozilla, Adobe, Microsoft and, as of June, PayPal, have developed “Bug Bounty” programs to recruit savvy security researchers like Hayak to help fight the good fight against cybercrime.

These Are snippets from a great story I got to be part of advertised in the NYPOST

Read more:
http://www.nypost.com/p/news/business/white_hat_cyberbug_bounty_nets_cash


Great Write 
I appreciate the story very much, Thank you NYPOST

Twitter Vulnerability Potential XSS Worm!!! another hero?

Twitter is one of the leading social networking and information sharing system these days.
I have recently discovered(and reported) a XSS vulnerability that if not reported could lead to something similar to "HyHack is my hero"  ;).

For whoever of you who did not know, Twitter Implemented a feature called "Lists", this feature lets any user  the ability of adding anyone, without any terms or relation to the "follow" mechanism (they don't have to follow the attacker and vice versa)*, to his malicious XSSed list.

The reason of this being so High Risk stored XSS vulnerability, is that the attack potentially triggered on anyone who entered the attacker's profile "Lists" using a mobile. after a victim got infected, the attack triggers again and infect anyone who will view the victim's "Lists" and anybody who will view theirs and so on... (only victims that will use a mobile will get infected! reminds you of something? )

*I did not test if a user can add a protected (locked) people to his lists.  any comment on this will be appreciated.

PoC Picture watching the victim's profile:

The effect of this XSS is ONLY on victims that use twitter on Mobile!

I most say the lists feature was not fully implemented in the browser at the time I was testing, so most of my testing performed on the "Me" tab.

Twitter did a great job resolving this vulnerability very quickly (~Day after my report), and placed my name in the Twitter Security Whitehats page(2012) later on.

I would like to thank Twitter for their work and for giving me the opportunity to report a responsible disclosure and help keeping Twitter Users safe.