Disclosing this vulnerability in Google Smart speakers bagged the author a bounty of $100k 😲
Welcome to the #IWWeekly40 - the Monday newsletter that brings the best in Infosec straight to your inbox.
We wish you a prosperous and productive new year 😊 May you find amazing bugs, earn bounties, and make cyberspace safe for everyone 🤗
To help you out, we have shared 7 articles, 6 threads, 5 videos, 2 GitHub repos and tools, and 1 job alert in today’s newsletter. We’re sure they’ll help you get the most out of them and take a massive jump ahead in your career.
Excited? Let’s jump in 👇
📝 7 Infosec Articles (5+ 2 beginner-friendly)
#1 @cankat shows how he found an open redirection vulnerability at Apple’s subdomain using the dot character.
#2 @MRD7 shares how a misconfigured Jira instance allowed access to all the security reports [Fixed / Non-Fixed bugs] submitted to a company.
#3 @Sudhanshu Rajbhar shares a highly detailed article about his findings related to ESI (Edge Side Include) Injection on a private bug bounty program.
#4 Read how @Bergee was able to find multiple critical bugs in Red Bull including auth misconfiguration, LFI, SQLi, etc.
#5 @Matt explains how he responsibly disclosed a vulnerability in Google Smart speakers that could turn them into wiretaps, which earned him a bounty of around $100k.
#1 @John Jackson shares a revamped OSCP guide for beginner hackers to get started in their learning journey.
🧵6 Trending Threads (4 + 2 beginner-friendly)
#3 @sec_r0 shares a list of free training, courses, blogs, and forums that may help boost your security skills or get you started quickly.
#4 @Cristi shares 6 reasons to ditch your third-party password manager and avoid data breaches like LastPass.
📽️ 5 Insightful Videos (3 + 2 beginner-friendly)
#2 Learn how a Local File Inclusion (LFI) can be turned into Remote Code Execution (RCE) using a weird PHP Filter by @0xTib3rius.
#3 @ProgrammerSmart walks us through how to steal all the funds from a contract using a class of bug called re-entrancy.
⚒️ 2 GitHub repositories & Tools
💰1 Job Alert
#1 Acme Services is looking for someone with experience in Vulnerability Assessment and Penetration Testing (VAPT). Check out the details here.
💸Advertise with us💸
We are looking to partner with amazing infosec, pen testing, and ethical hacking teams, brands, and companies from all over the world.
If you'd like to advertise to our 27k+ community of cybersecurity enthusiasts, click here to partner with us.
That’s all for this week. Hope you enjoyed these incredible finds and learned something new from today’s newsletter.
Before we say bye…
If you found this newsletter interesting, and know other people who would too, we'd really appreciate if you could forward it to them 📨
If you have questions, comments, or feedback, just reply to this email or let us know on Twitter @InfoSecComm.
See you again next week.
Lots of love
This newsletter has been created in collaboration with our amazing ambassadors.