👩💻IW Weekly #110: GitHub Actions Cache Poisoning, CVE-2024-0200, Relative Path File Injection, Hacking Apple, Hacking Microsoft's AI bot and many more…
Welcome to the #IWWeekly110 - the Monday newsletter that brings the best in Infosec straight to your inbox.
To help you out, we have 5 Articles, 4 Threads, 3 Videos, 2 Job Alerts and a Special Item 🫢
Read, upskill yourself and spread love to the community 💝
Excited? Let’s jump in 👇
📝 5 Infosec Articles
- @adnanthekhan has written a fantastic blog post on GitHub Actions cache poisoning. Do check it out.
- The team behind @pdiscoveryio found a Remote Code Execution (escalated from SQLi) at Apple and have shared their insights about the find.
- @PikuHaku has shared their experience on hacking at various bug bounty platforms for the last 4 months.
- @starlabs_sg talks about how they discovered CVE-2024-0200, one of the most impactful bugs in GitHub’s bug bounty history.
- Ian Hickey has come up with a new class of vulnerability, which they call Relative Path File Injection (RPFI). Interesting stuff!
🧵4 Trending Tweets
- @Yanir_ exposes critical flaws in Microsoft's Azure Health Bot service, showcasing the importance of robust cybersecurity measures in healthcare technology.
- Explore strategies for overcoming bug hunting challenges in @shreyas_chavhan's comprehensive FAQ, offering insights and solutions for those struggling to find vulnerabilities.
- Discover how @Sin4Yeganeh discovered and exploited multiple XSS within a single page, ultimately earning a $20,500 bug bounty.
- Looking to start your bug bounty journey? Dive into @tabaahi_’s thread for essential tips and strategies to kickstart your bug hunting adventure.
📽️ 3 Insightful Videos
- Learn from @GodfatherOrwa's insightful discussion on the effectiveness of Recon in his presentation at BSides Ahmedabad.
- @ctbbpodcast covers @Nahamsec's BSidesSF takeaways, Meta's $300K bug bounties, CSP bypasses, recon with AI, NahamCon 2024, and an epic $50K Yahoo bonus pool including a DEFCON scholarship.
- Watch @Nahamsec explain how to monitor certificates and discover assets quickly in bug bounty hunting.
💼 2 Job Alerts
- Amazon seeks a Product Security Engineer for India Payments Security, safeguarding transactions and systems.
- EY is hiring a Security Engineer to fortify digital defences and ensure robust cybersecurity measures.
🎁 1 Special Item
- Challenge time by @joaxcar: Hunt for the flag hidden within the URL fragment and trigger an alert – no spoilers in the thread.
![](https://weekly.infosecwriteups.com/content/images/2024/05/digital-marketing--modern-minimal-facebook-ad-1-1.png)
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter. Meet you again next week hacker, until then keep pushing 💪
This newsletter would not have been made possible without our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Hardik Singh, Manikesh Singh, Bimal Kumar Sahoo, Nithin R
Newsletter formatting by: Nithin R, Rachit Arora, Ansh Patel, Vivek Reddy, Siddhesh Prakash Patil
Lots of love
Editorial team,
Infosec Writeups
📧
If you have questions, comments, or feedback reach out to us on Twitter @InfoSecComm or email [email protected]