
👩‍💻IW Weekly #17: $30,000 Bounty, Instagram Account Takeover, AWS Security Series, Google Authenticator, IDOR, and much more…


Hey 👋

Welcome to the seventeenth edition of Infosec Weekly - the Monday newsletter that brings the best in Infosec straight to your inbox.

So many new things are happening in the cybersecurity world that it’s difficult to keep up!

We’ve done the hard work for you by selecting the top-notch Infosec content that caught our attention this week. The format is: 5 articles, 4 threads, 3 videos, 2 GitHub repos and tools, and 1 job alert, to help you get the most out of this newsletter and take a massive jump ahead in your career.

Excited? Let’s dive in👇

📝 5 Infosec Articles

#1 @Felix Alexander shares his brief research on how a third-party application can affect an application with an insecure security design, especially on Android.

#2 @TheSecopsgroup’s new blog discusses vulnerabilities arising from insecure access control, such as Insecure Direct Object References (IDOR), with some interesting and obscure examples.

#3 Read how @Dzmitry Lukyanenko found that the React debug.keystore key was trusted by Meta (Facebook), which allowed an Instagram account takeover by malicious apps.

#4 @Julien Ahrens published a detailed blog on how he found 8 CVEs that eventually led to the removal of the affected plugin, Transposh, from WordPress, and earned him more than $30,000 in bounties.

#5 Don’t miss these tips and tricks for web cache vulnerabilities. @Kevin shares the methodology he uses to test for web cache vulnerabilities.

🧵 4 Infosec Threads

#1 @Nithin R’s “Web Application basics” notes may help you get started with web basics. Nithin shares Part 1, i.e. understanding the URL.

#2 As announced by @Devansh Bordia, a 30-day AWS Security Series began on 23rd July; Day 1: Intro to AWS and Day 2: Intro to Lambda are out.

#3 Ever wondered how Google Authenticator (or other types of 2-factor authenticators) works? @Alex Xu shared a detailed thread on it.

#4 A great thread by @ReconOne_ to master the httpx tool in 6 easy steps.

📽️ 3 Insightful Videos

#1 A new video is out on @AssetNote’s channel in the #BugBountyRedacted series, discussing second-order subdomain takeovers and logic-bug DoS.

#2 @CTF School’s new video shows how to use AI (GitHub Copilot) to write exploits for capture-the-flag challenges, walking through a task from vsCTF 2022.

⚒️ 2 GitHub Repositories & Tools

#1 A great GitHub repository by @Linuxinet that contains blogs/reports to help you understand the Bugcrowd VRT.

#2 xnLinkFinder v1.3 is out now with some fixes, and it can now also identify potential parameters.

💰 1 Job Alert ⚠️

#1 Bugv has opened some career options for bug hunters. Check and apply here.

That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.

Before we say bye…

If you found this newsletter interesting, and know other people who would too, we'd really appreciate it if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.

See you again next week.

Lots of love

Editorial team,

Infosec Writeups

This newsletter has been created in collaboration with our amazing ambassadors.

Resource contribution by: Ayush Singh, Vinay Kumar, Bimal K. Sahoo, Siddharth, Mohit Khemchandani, Hardik Singh, Pramod Kumar Pradhan, Nithin R, and Nikhil Memane.

Newsletter formatting by: Nithin R, Bhavya Jain, Vinay Kumar, and Siddharth.

If you wish to join our Ambassadors channel and contribute to the newsletter, send us a DM on Twitter with your Discord username.