€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!

by @edent | # # # # # | 1 comment | Read ~363 times.
Weird confrimation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed… Continue reading →

Major sites running unauthenticated JavaScript on their payment pages

by @edent | # # # # # # | 9 comments | Read ~27,235 times.
HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their… Continue reading →