What's a better bug-bounty reward than money?


A tiny lego Storm Trooper eats a chocolate coin.

Google has recently increased the rewards it pays to security researchers who responsibly disclose a vulnerability. That got me thinking: is money the best thing with which to reward people? There's an interesting (if a little silly) economics paper about why gift giving is inefficient. The crux of the argument, as I understand it, is that gift-givers rarely know what recipients need or want, so they give gifts which aren't optimal. Your aunt gets you a blue cardigan. But you'd rather have …

Continue reading →

Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)


The Google Logo.

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and install a spoofed app. See Chrome Bug #1242315 for details.

Demo

Here's a video of me on one site (Twistory.ml) opening a link to Twitter in a new tab. Twitter's mobile site contains a Web Manifest which should prompt the user to install an app. Rather than displaying this…

Continue reading →

Full Disclosure: XSS in Getty Images


Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty Images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users - and users need to be aware that the content they see on Getty Images sites may have been tampered with. This XSS was slightly unusual. When a user submits …

Continue reading →

Responsible Disclosure - John Lewis


John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about the document. A typical element might look like this: <meta name="description" content="Search our shop for great deals!"> What can the content attribute contain? Text!…

Continue reading →

Even Google forgets to renew its domains


Domain showing as available to purchase.

tl;dr

Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them, and possibly a minor security concern for some new G-Suite domain administrators.

Background

Choosing a good example domain to use in documentation is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But it also needs to be a validly formatted domain, and shouldn't be used for anything important, and -…

Continue reading →

Responsible Disclosure: SVG injection in Three.co.uk


The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can convince the search engine to spit out HTML, we can inject malicious content into the page. This is usually done by searching for something like <script>alert("h4X0r");</script>…

Continue reading →
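The John Lewis and Three.co.uk write-ups above both come down to the same mistake: a search term reflected into the page without encoding for the context it lands in. The example below is added here and is not code from either write-up or from those sites; the templates, the payload and the search term are constructed for illustration. It shows the two contexts side by side: a text node ("No results found for XYZ") and the value of a <meta> content attribute, where stripping angle brackets is not enough because a raw double quote ends the attribute early.

```javascript
// Added example, not taken from the original posts. Demonstrates why the
// encoding needed depends on where untrusted text is reflected.

// Enough for an HTML text node: neutralises "<script>" but leaves quotes alone.
function escapeText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// For a double-quoted attribute value: also neutralise the quotes, so the
// input cannot terminate the attribute and add its own attributes or tags.
function escapeAttr(s) {
  return escapeText(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable: the search term is concatenated straight into the markup
// (hypothetical template, modelled on the "No results found" pattern).
function renderSearchVulnerable(term) {
  return `<meta name="description" content="Search results for ${term}">` +
         `<p>No results found for ${term}.</p>`;
}

// Half-fixed: angle brackets encoded everywhere, quotes left alone. The text
// node is now safe, but the attribute can still be broken out of.
function renderSearchHalfFixed(term) {
  return `<meta name="description" content="Search results for ${escapeText(term)}">` +
         `<p>No results found for ${escapeText(term)}.</p>`;
}

// Hardened: each interpolation is encoded for the context it lands in.
function renderSearchSafe(term) {
  return `<meta name="description" content="Search results for ${escapeAttr(term)}">` +
         `<p>No results found for ${escapeText(term)}.</p>`;
}

// Read the description back the way a browser tokeniser would: the attribute
// value ends at the first raw double quote, whatever comes after it.
function metaDescription(html) {
  const m = /<meta name="description" content="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Constructed payload in the style of the write-up's alert("h4X0r") probe.
const PAYLOAD = '"><script>alert("h4X0r")</script>';
```

Run the three renderers over PAYLOAD and compare: the vulnerable output contains a live <script> element, the half-fixed output has no script but its description attribute is cut short at the injected quote (so the attacker now controls the rest of the <meta> tag), and only the hardened output keeps the whole term inside the attribute. The general rule this illustrates: escape for the output context, not once globally.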

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!


Weird confirmation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed up to Intigriti, and instantly received a confirmation email. Can you guess where you go if you click the big "Activate Account" button? I think that's the first time…

Continue reading →

$3k Bug Bounty - Twitter's OAuth Mistakes


A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic! What's going on? Many years ago the official Twitter API keys were leaked. This means that app authors who can't get their app approved by Twitter are still able to…

Continue reading →

Responsible Disclosure: CloudFlare - more interested in tracking than security


A confirmation email asking me to click on a link,

CloudFlare claim they want to secure the web - but they seem more interested in tracking their customers than giving them decent security. Upon registering with the Internet giant, users are encouraged to confirm their email addresses. So far, so standard. This is the confirmation message CloudFlare sends out: Looks good! Hey! I wonder where that garish orange button goes? WHAT!?! An http URL? Surely some mistake. Every baby-in-a-basket knows that we should use https everywhere. No…

Continue reading →

Udacity Bug Bounty - or, please stop tracking every link in your emails


Clicking on the button shows an insecure web address.

Look, I know your company wants metrics. I know your boss wants to see the exact percentages of people who click on links in your emails. Your sales team are desperate to track conversions. Someone wants to optimise your funnel for reasons which are unclear to you, a lowly engineer. So you make the mistake of adding tracking to every email you send out. Including sensitive ones. I recently signed up to online learning platform Udacity. As part of registration, they want me to confirm my…

Continue reading →
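The Intigriti, CloudFlare and Udacity entries above are the same bug three times: a confirmation link that is routed through a tracking redirector, over plain http, carrying the activation secret in its query string. The following is an added example, not code from any of those companies or from the original posts: a small audit that an engineering team could run over an outgoing email template before it ships. The sender domain (example.com) and the sample email are assumptions constructed for illustration.

```javascript
// Added example, not from the original posts. Flags confirmation-style links
// that are not https, that leave the sender's own domain (a tracking
// redirector), or that carry a secret-looking parameter in the query string.

const FIRST_PARTY = 'example.com';   // assumed sender domain for this example

// Pull every href out of an HTML body. Entities in attribute values are
// decoded so "&amp;" between query parameters does not corrupt parsing.
function extractHrefs(html) {
  const hrefs = [];
  const re = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push(m[1].replace(/&amp;/g, '&'));
  }
  return hrefs;
}

function isFirstParty(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}

// Names that commonly carry one-time secrets in activation links.
const SECRET_PARAM = /token|key|code|confirm|activ/i;

function auditLink(href, firstParty = FIRST_PARTY) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, problems: ['unparseable'] };
  }
  const problems = [];
  // Plain http: the secret is readable by anyone on the path.
  if (url.protocol !== 'https:') problems.push('not-https');
  // Third-party host: the secret is handed to the tracking provider.
  if (!isFirstParty(url.hostname, firstParty)) problems.push('third-party-host');
  // A secret in the query string travels with every hop of a redirect chain.
  if ([...url.searchParams.keys()].some((k) => SECRET_PARAM.test(k))) {
    problems.push('secret-in-query');
  }
  return { href, problems };
}

// Returns only the links that have at least one problem.
function auditEmail(html, firstParty = FIRST_PARTY) {
  return extractHrefs(html)
    .map((h) => auditLink(h, firstParty))
    .filter((r) => r.problems.length > 0);
}

// Constructed sample email: one tracked activation link, two honest links.
const SAMPLE_EMAIL = `
<p>Thanks for signing up!</p>
<p><a href="http://links.tracker.example.net/click?token=abc123&amp;u=https%3A%2F%2Fexample.com%2Factivate">Activate Account</a></p>
<p><a href="https://example.com/help">Help</a> |
   <a href="https://mail.example.com/unsubscribe">Unsubscribe</a></p>
`;
```

Running auditEmail(SAMPLE_EMAIL) reports exactly one link, the "Activate Account" button, with all three problems; the help and unsubscribe links pass because they are https and stay on the sender's domain. The fix the posts ask for is the obvious one: do not wrap account-confirmation links in the tracker at all, and if tracking is unavoidable keep it https and first-party.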

Self-inflicted Denial of Service on GitHub (Disclosed)


I've found an interesting, but low severity, way for a malicious user to selectively deny access to specific GitHub issues and Pull Requests. This doesn't affect the whole site - just targeted pages. It doesn't require elevated permissions, nor any special skills. This is just GitHub punching itself in the face. Here's how it works. An attacker creates thousands of comments in their own repos which contain references to a specific issue or PR in an external repo. When that issue or…

Continue reading →