👩💻IW Weekly #39: $10,000 Bounty, Zero-click Account Takeover, Stored XSS, Open Redirection Vulnerability, SQL Injection, RCE, Reconnaissance Techniques, and much more…
$10,000 USD award for reporting a faulty crop-and-trim feature in Facebook Reels 😍
Welcome to the #IWWeekly39 - the Monday newsletter that brings the best in Infosec straight to your inbox.
IWCON2022 finally came to a glorious end ❤️ Thank you for joining us. I hope you had a lot of fun and learned something new 😊 Please share your feedback here to help us make the next version better for you :)
Coming back to today's NL, here are our top picks for this week: 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert to help you get the most out of this newsletter and take a massive jump ahead in your career.
Excited? Let’s jump in 👇
📝 7 Infosec Articles (5 + 2 beginner-friendly)
#1 Bassem M. Bazzoun received a $10,000 USD award for reporting a faulty crop-and-trim feature in Facebook Reels.
#2 Eugene Lim reviewed Zoom's code and discovered an interesting attack vector for stored XSS.
#3 Read @Yaala’s discovery of zero-click account takeover and 2FA bypass in the Facebook mobile app.
#4 Security researcher Alessandro Groppo wrote about a very interesting bug, CVE-2022-2602, a use-after-free vulnerability in the Linux io_uring subsystem that had no public exploit at the time.
#5 Read how @canmustdie found an open redirection vulnerability on one of Apple's subdomains.
#1 If you want to earn a nice bounty by hacking GraphQL APIs, read this amazing blog by Anugrah on GraphQL pentesting.
#2 Dheeraj has written a detailed beginner's guide to social engineering.
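The open redirect find on the Apple subdomain above is the classic case of a redirect parameter that is "validated" too loosely. As an added example (not code from the original newsletter or from @canmustdie's report), here is the naive check that many applications ship next to a hardened one, run against a set of constructed attacker inputs; the application host is assumed.

```python
"""Added example for the open redirect item above. This is not code from the
original newsletter or from @canmustdie's report; the application host and
the attacker inputs below are constructed for illustration."""
from urllib.parse import urlsplit

APP_HOST = "app.example.com"  # assumed hostname of the redirecting application


def is_safe_redirect_naive(target: str) -> bool:
    """The check many apps ship: 'a local path starts with a slash'.

    It accepts "//evil.example" and "/\\evil.example", which browsers resolve
    as scheme-relative URLs and send the user off-site."""
    return target.startswith("/")


def is_safe_redirect(target: str, app_host: str = APP_HOST) -> bool:
    """Accept a path on this origin, or an absolute http(s) URL whose host is
    exactly this origin's host. Everything else is rejected."""
    if not target:
        return False
    # Browsers treat "\" like "/" in http(s) URLs, and control characters or
    # whitespace change how different parsers split the URL. Reject both.
    if "\\" in target or any(ord(c) <= 0x20 for c in target):
        return False
    if target.startswith("/"):
        # A second leading slash makes the target scheme-relative. Note that
        # urlsplit("///evil.example") yields an empty netloc, so a library
        # round trip would pass it; check the raw prefix instead.
        return not target.startswith("//")
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname strips userinfo and port, so "https://app.example.com@evil.example/"
    # compares as "evil.example" and is rejected.
    return (parts.hostname or "").lower() == app_host.lower()


# Constructed inputs: two legitimate targets and the usual bypass attempts.
CONSTRUCTED_TARGETS = [
    "/account/settings",                      # legitimate local path
    "https://app.example.com/account",        # legitimate absolute URL
    "//evil.example/phish",                   # scheme-relative
    "///evil.example/phish",                  # extra slashes, same effect in browsers
    "/\\evil.example/phish",                  # backslash variant
    "https://evil.example/phish",             # absolute off-site
    "https://app.example.com@evil.example/",  # userinfo trick
    "https://app.example.com.evil.example/",  # attacker-controlled subdomain
    "javascript:alert(document.domain)",      # non-http scheme
]


def compare_checks(targets=CONSTRUCTED_TARGETS):
    """Return {target: (naive_verdict, hardened_verdict)} for each input."""
    return {t: (is_safe_redirect_naive(t), is_safe_redirect(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive, hardened) in compare_checks().items():
        print(f"{target!r:45} naive={naive!s:5} hardened={hardened}")
```

Only the two legitimate targets survive the hardened check; the naive check waves through every variant that begins with a slash, which is exactly what a bug hunter probes first.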
🧵6 Trending Threads (4 + 2 beginner-friendly)
#1 Ismail posted a great thread explaining insecure CORS configuration vulnerabilities.
#2 Abhishek Meena compiled a list of bug bounty automation one-liner commands.
#3 Tomo shared links to Notion docs containing a collection of smart contract vulnerability reports.
#4 Maik Ro shared a list of mental health tips for hacking in daily life.
#1 Read this amazing thread by Abhishek Meena about the HTTP Basic Authentication header.
#2 Look at Eno Leriand's thread about a SQL injection vulnerability in Simmeth System that led to remote code execution (CVE-2022-44015).
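Ismail's thread above covers insecure CORS configurations. As an added example (not code from the original newsletter or from the thread), here is an origin-reflecting handler, a suffix-matching "fix" that is still exploitable, and an allowlist version, together with a small checker that grades a response the way a tester reading the headers back from a probe would. The allowlist, handlers and probe origins are constructed for illustration.

```python
"""Added example for the insecure-CORS thread above. It is not code from the
original newsletter or from Ismail's thread; the allowlist, the handlers and
the probe origins are constructed for illustration."""

# Assumed allowlist of origins the API should trust (constructed).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_vulnerable(origin):
    """Reflects any Origin and allows credentials: every site on the web can
    read this API's authenticated responses through the victim's browser."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin):
    """A common 'fix' that is still broken: a suffix check on the origin
    string also matches https://notexample.com."""
    if origin is None or not origin.endswith("example.com"):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_hardened(origin):
    """Exact match against the allowlist; unknown origins get no CORS headers
    at all, so the browser blocks the cross-origin read. Vary: Origin keeps
    caches from serving one origin's headers to another."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def assess_cors(origin, headers):
    """Grade a response to a request carrying `origin`, from the tester's
    point of view: does the browser let a page on `origin` read the body?"""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse to pair '*' with credentials, so only public data leaks.
        return "wildcard"
    if acao == "null":
        # Sandboxed iframes and file:// pages send Origin: null, so an
        # attacker can obtain this origin cheaply.
        return "null-origin-with-credentials" if creds else "null-origin"
    if origin is not None and acao == origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "restricted"


# Origins an attacker can actually present to the API (constructed).
ATTACKER_PROBES = ["https://evil.example", "https://notexample.com", "null"]


def probe(handler, origins=ATTACKER_PROBES):
    """Run each probe origin through a handler and collect the verdicts."""
    return {o: assess_cors(o, handler(o)) for o in origins}


if __name__ == "__main__":
    for handler in (cors_vulnerable, cors_suffix_match, cors_hardened):
        print(handler.__name__, probe(handler))
```

The verdict to look for is "reflected-with-credentials" or "null-origin-with-credentials" for an origin you control: that combination lets a page you host read authenticated API responses in the victim's browser. The suffix-matching handler is the instructive case, since it rejects the obvious probe but still reflects the look-alike origin.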
📽️ 5 Insightful Videos (3 + 2 beginner-friendly)
#1 Reading RFCs can be boring, so fewer bug hunters look into them, but @securinti shows the power of reading RFCs, which in one case even bagged him a $3,100 bounty.
#2 @_JohnHammond walks you through the MMORPG challenge from the NahamConEU CTF, where you learn about an implementation flaw that leads to a vulnerability.
#3 Learn CodeQL, a code analysis engine developed by GitHub to automate security checks, with @LiveOverflow as he uses it to investigate GraphQL resolvers.
#1 @AseemShrey interviews @ArmanSameer95, aka Tess, who goes into detail about his reconnaissance techniques.
#2 Yuvraj, the number-one ranked hacker on Priceline's bug bounty program, does a deep dive into SSRF in an interview with @AseemShrey.
⚒️ 2 GitHub repositories & Tools
#1 Coinspect Security has created a collection of Foundry tests that includes attacks, bug bounty claims, and potential vulnerabilities on EVM chains.
#2 Immunefi's collaborative repository aims to provide all of the material you need to begin or expand your understanding of online security.
💰1 Job Alert
#1 Payatu is hiring for various security roles requiring 1 to 5 years of experience. Check out the details here.
💸Advertise with us💸
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world.
If you'd like to advertise to our 27k+ community of cybersecurity enthusiasts, click here to partner with us.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
This newsletter has been created in collaboration with our amazing ambassadors.
Resource contribution by: Nikhil A Memane, Bhavesh Harmalkar, Mohit Khemchandani, Vinay Kumar, Manikesh Singh, Ayush Singh, Hardik Singh, and Tuhin Bose.
Newsletter formatting by: Hardik Singh, Vinay Kumar, Siddharth and Ayush Singh.