Dmitriy Shagov
@dmi3sh
585 posts
Joined October 2011
607 Following, 2K Followers
Dmitriy Shagov (@dmi3sh):
@BuildHackSecure @GodfatherOrwa @Hacker0x01 @h4x0r_dz That's BS. There are no sanctions against doing this type of business. There was no legal pretext. "Sanctions" is not some vague thing that gives one an excuse to do all kinds of bs and steal researchers' money. What they did was not motivated by any OFAC decree.
Adam Langley (@BuildHackSecure):
@GodfatherOrwa @Hacker0x01 @h4x0r_dz Can't comment about anything else, but remember H1 is an American company; there are sanctions against Russia which will stop them trading, so that's out of their control.
Dmitriy Shagov (@dmi3sh):
@MitchellAmador Big respect for diving into history and the Cuban missile crisis analogy. It is very pleasing to see someone willing to speak calmly about such a topic in a world full of hysteria.
Mitchell Amador (@MitchellAmador):
Something underappreciated on the political scene: missile technology has advanced such that ballistic goes farther and faster, with more compact launch platforms, and nuclear arms have become smaller as well. If Russian missile ships are in Cuba again, what do you think that means? The Cuban missile crisis erupted due to the same factors present today, except now there appears little willingness by the disputes to off-ramp from what’s to come. Not going to lie that’s not great for all us good and simple people.
Dmitriy Shagov retweeted
0xDjango (@0xDjangoOnChain):
In November, I submitted a critical bug to Cronos (@cronosapp) which they downplayed and have since been kicked off Immunefi. Here's some info about the bug and an example of how projects can simply not pay a fair amount.

Report: gist.github.com/fatherGoose1/6…

tl;dr:
- It's a simple staking contract where you stake your TONIC and receive xTonic at the current exchange rate.
- The vulnerability lies in a function called performConversionForERC20() which allows anyone to convert other tokens held by the contract into TONIC.
- This function is vulnerable to reentrancy because the caller sets an arbitrary swap path and can inject a malicious token in the middle to gain control of execution.
- The contract determines the estimated amount of TONIC that should be received by the swap, and any extra goes to the caller as a reward.
- But since there is reentrancy, the caller can also STAKE their TONIC prior to the above function completion.
- The caller's stake is honored AND they are transferred back their TONIC, essentially receiving free staked tokens.

Caveat: There is a 10 day unstaking delay. So the exploiter would not be able to actually convert the staked tokens back into TONIC until the cooldown period had passed.

What Cronos said: "Thank you for reporting this issue. The team has verified that the exploit described can indeed work. From our side, we have safeguards in place to mitigate these risks; such as a 10 days delay period for the xTonic minted. As such, there is a low possibility of the exploit realising; as the issue will be rectified before the exploiter can launder the gotten funds. However, we do appreciate your effort in identifying this issue and plan to update the contract to eliminate the risk entirely. In addition, we are happy to reward you with USD1,600 as a token of appreciation."

Actions: Cronos fixed the vulnerability immediately, before even responding to the report.

My thoughts: Obvious lowball. Cronos's max bounty was $250,000 and they offered $1,600. I understand the technicality with this attack, and would have agreed to a payout less than the max, but the payout would have to accurately represent the value of this report.

Mediation: Immunefi mediated twice and confirmed that this report deserved the max bounty. Immunefi told Cronos that a simple unstaking delay is not an adequate means of protection. Cronos claimed: "We have implemented a robust monitoring framework, consisting of internal systems, protocols, and strategic third-party partnerships, which promptly respond to any anomalies within our smart contracts. This is the standard of any big organization, and we refrain from disclosing further specifics to maintain the integrity of our security protocols." When Immunefi asked them to provide any information regarding their automated detection and mitigation processes, Cronos would not comply.

Result: Cronos was kicked off Immunefi.

Final thoughts from Django: 'Tis the life of a bug hunter.
Tib3rius (@0xTib3rius):
Is there anything insecure about this code?
Katie Paxton-Fear (@InsiderPhD):
this is what happens when you try and create content but you don't actually understand the topic you're writing about
Dmitriy Shagov (@dmi3sh):
@0xTib3rius Thanks! You are right. I just checked the RFC and it says that an empty signature is required for "alg": "none".
Tib3rius (@0xTib3rius):
@dmi3sh The spec requires it, which means any implementation that matches the spec will reject it. In my experience that is most implementations. In any case, it should be mentioned. Removing the signature would still work with your code. Not removing it would lead to false negatives.
Tib3rius (@0xTib3rius):
Wish more people would stop sharing this guy's bug bounty tips, which more often than not contain simple errors. This one misses the important step of removing the signature. 🙄
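As an added example (not code from any of the tweet authors above), a minimal Python verifier and a logging classifier illustrate the point of this thread: a server pins its algorithm allow-list so `"alg": "none"` never verifies, and a spec-following parse treats an alg-none token whose third segment is still populated as malformed, which is why a test that leaves the signature in place gives false negatives. The key, claims and `ALLOWED_ALGS` value are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # assumption: this service only ever issues HS256 tokens


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _split(token: str):
    """(header_dict, header_b64, payload_b64, sig_b64), or None if not a compact JWS."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        header = None
    return (header, *parts) if len(parts) == 3 and isinstance(header, dict) else None


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes):
    """Return the claims only if alg is on the server-side allow-list and the MAC matches.
    "none" is never allowed, so an alg-none token fails with or without its signature segment."""
    parsed = _split(token)
    if parsed is None or parsed[0].get("alg") not in ALLOWED_ALGS:
        return None
    _, header_b64, payload_b64, sig_b64 = parsed
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_encode(expected).encode(), sig_b64.encode()):
        return None
    return json.loads(_b64url_decode(payload_b64))


def classify_token(token: str) -> str:
    """Label a presented token for logging: 'signed', 'unsecured' (alg none with the empty
    signature RFC 7519 section 6 requires) or 'malformed' (alg none with a signature still
    attached, which spec-following parsers reject). A spike in the last two is a probing signal."""
    parsed = _split(token)
    if parsed is None:
        return "malformed"
    header, _, _, sig_b64 = parsed
    if header.get("alg") == "none":
        return "unsecured" if sig_b64 == "" else "malformed"
    return "signed" if sig_b64 else "malformed"
```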
Dmitriy Shagov (@dmi3sh):
@pmnh_ Imo, the best preparation for real-world bug hunting is real-world bug hunting. Read write-ups, look for bugs, try to repeat ideas, research, reiterate :)
Dmitriy Shagov (@dmi3sh):
@pmnh_ I have a controversial opinion about CTFs. Imo, CTF is bug hunting without bounties. So why do CTFs when there are rewardable bugs everywhere? Why focus on flags when there are identical real bugs?
Peter M (@pmnh_):
BB community: what do you think best prepares someone for real-world bug hunting? Personally I am a huge fan of CTFs as I think they often require a lot of creative thinking and obscure knowledge which does help in real life.
Dmitriy Shagov (@dmi3sh):
@nnwakelam Depends. I’d take into consideration timeframe and what is happening on the backend. For example, 1M requests bruteforcing static js files don’t look bad. But 1M requests to some dynamic stuff is too much imo.
Dmitriy Shagov retweeted
Roman Buzko (@roman_buzko):
Greetings, everyone! Happy to share that Degoverned.com is transitioning from an invite-only platform to a public alpha.
Dmitriy Shagov (@dmi3sh):
@BYCIOR @LiveOverflow For subdomain takeover - no cookies/CORS/phishing value (sub to some non-valuable domain). Logout CSRF. XSS on cdn or some meaningless (no cookies, no CORS etc) subdomain. You are right about future value. An issue with 0 impact today can become very serious if code/infra changes.
lukaszb (@bycior):
@dmi3sh @LiveOverflow How would subdomain takeover or any other bug mentioned have 0 direct impact? I do not get the logic behind this. In that case, would not following the best security practices be considered not a vulnerability? Just treated like a note in the final security report?
LiveOverflow 🔴 (@LiveOverflow):
Ready for my next security hot-take? "Is subdomain takeover always a vulnerability?" 🙈