👩‍💻IW Weekly #110: GitHub Actions Cache Poisoning, CVE-2024-0200, Relative Path File Injection, Hacking Apple, Hacking Microsoft's AI bot and many more…


Welcome to the #IWWeekly110 - the Monday newsletter that brings the best in Infosec straight to your inbox.

To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢

Read, upskill yourself and spread love to the community 💝

Excited? Let’s jump in 👇

📝 5 Infosec Articles

  1. @adnanthekhan has written a fantastic blog post on GitHub Actions cache poisoning. Do check it out.
  2. The team behind @pdiscoveryio found a Remote Code Execution (escalated from SQLi) at Apple and have shared their insights about the find.
  3. @PikuHaku has shared their experience of hacking on various bug bounty platforms over the last 4 months.
  4. @starlabs_sg talks about how they discovered CVE-2024-0200, one of the most impactful bugs in GitHub’s bug bounty history.
  5. Ian Hickey has come up with a new class of vulnerability, which they call Relative Path File Injection (RPFI). Interesting stuff!

🧵 4 Infosec Threads

  1. @Yanir_ exposes critical flaws in Microsoft's Azure Health Bot service, showcasing the importance of robust cybersecurity measures in healthcare technology.
  2. Explore strategies for overcoming bug hunting challenges in @shreyas_chavhan's comprehensive FAQ, offering insights and solutions for those struggling to find vulnerabilities.
  3. Discover how @Sin4Yeganeh discovered and exploited multiple XSS within a single page, ultimately earning a $20,500 bug bounty.
  4. Looking to start your bug bounty journey? Dive into @tabaahi_’s thread for essential tips and strategies to kickstart your bug hunting adventure.

📽️ 3 Insightful Videos

  1. Learn from @GodfatherOrwa's insightful discussion on the effectiveness of Recon in his presentation at BSides Ahmedabad.
  2. @ctbbpodcast covers @Nahamsec's BSidesSF takeaways, Meta's $300K bug bounties, CSP bypasses, recon with AI, NahamCon 2024, and an epic $50K Yahoo bonus pool that includes a DEFCON scholarship.
  3. @Nahamsec explains how to monitor certificates and discover assets quickly in bug bounty hunting.

💼 2 Job Alerts

  1. Amazon seeks a Product Security Engineer for India Payments Security, safeguarding transactions and systems.
  2. EY is hiring a Security Engineer to fortify digital defences and ensure robust cybersecurity measures.

🎁 1 Special Item

  1. Challenge time by @joaxcar: Hunt for the flag hidden within the URL fragment and trigger an alert – no spoilers in the thread.

Send an e-mail to [email protected] to know more about partnering with InfosecWriteups

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week, hacker; until then keep pushing 💪

This newsletter would not have been possible without our amazing ambassadors.

Resource contribution by: Nikhil A Memane, Hardik Singh, Manikesh Singh, Bimal Kumar Sahoo, Nithin R
Newsletter formatting by: Nithin R, Rachit Arora, Ansh Patel, Vivek Reddy, Siddhesh Prakash Patil

Lots of love
Editorial team,

Infosec Writeups

If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]
