New web targets for the discerning hacker
A bypass of Facebook’s SMS-based two-factor authentication (2FA) made it into Meta’s most impressive bug bounty finds of 2022.
However, it seems Facebook’s parent company initially didn’t fully appreciate the vulnerability, offering a $3,000 bounty before eventually revising the reward upwards to $27,200.
“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” security researcher Manoj Gautam told The Daily Swig.
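The failure Gautam describes is the absence of an attempt budget on the code that confirms ownership of a phone number or e-mail address. The following added example (not Meta's code, and the attempt limit and code lifetime are illustrative policy values, not anything the article attributes to Facebook) shows the defensive shape: a verifier that issues a one-time code per contact point, counts guesses, and refuses even the correct code once the budget is spent.

```python
import hmac
import secrets
import time


class ContactVerifier:
    """Issue one-time codes for contact points (a phone number or e-mail
    address) and check them against a per-contact attempt budget.

    Constructed example: MAX_ATTEMPTS and CODE_TTL_SECONDS are illustrative
    policy values chosen for this demonstration.
    """

    MAX_ATTEMPTS = 5
    CODE_TTL_SECONDS = 600

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised offline
        self._pending = {}      # contact -> {"code", "issued_at", "attempts"}

    def issue(self, contact):
        """Generate a fresh 6-digit code; issuing again replaces the old one."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[contact] = {
            "code": code, "issued_at": self.clock(), "attempts": 0,
        }
        # In a real system the code goes out by SMS or e-mail, never back to
        # the caller; it is returned here only so the example can exercise it.
        return code

    def verify(self, contact, submitted):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_pending'."""
        pending = self._pending.get(contact)
        if pending is None:
            return "no_pending"
        if self.clock() - pending["issued_at"] > self.ttl:
            del self._pending[contact]
            return "expired"
        if pending["attempts"] >= self.max_attempts:
            return "locked"     # budget spent: the right code is refused too
        pending["attempts"] += 1
        if hmac.compare_digest(pending["code"], submitted):
            del self._pending[contact]      # single use
            return "ok"
        if pending["attempts"] >= self.max_attempts:
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = ContactVerifier(max_attempts=3)
    number = "+1-555-0100"      # constructed sample contact point
    v.issue(number)
    for _ in range(4):
        print(v.verify(number, "000000"))
```

Without the attempt counter a six-digit code is reachable by exhaustive guessing within the code's lifetime, which is the condition the quoted finding describes; the counter makes the lifetime irrelevant. A complete deployment would also limit how often `issue` can be called for one contact, since re-issuing resets the budget here.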
In other bug bounty news this month, a hacker duo documented Google Cloud Platform (GCP) research that resulted in six payouts totalling more than $22,000.
The most lucrative find for Sreeram KL and Sivanesh Ashok led to a double $5,000 reward for a server-side request forgery (SSRF) bug and subsequent patch bypass in machine learning platform Vertex AI.
Outlined across four blog posts, their bug bounty exploits also included an SSH key injection issue in Google Cloud’s Compute Engine and flaws in Theia and Cloud Workstations.
Cross-origin resource sharing (CORS) misconfigurations were the focus of a third bug bounty writeup covered by The Daily Swig this month.
Exploits fashioned for multiple private programs – notably including Tesla – earned Truffle Security researchers a “few thousand dollars” and vindicated their hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS [cross-origin resource sharing] misconfigurations”.
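The two classic shapes of an impactful CORS misconfiguration are an endpoint that echoes whatever `Origin` it receives while also allowing credentials, and an allow-list check that matches on a domain suffix. The added example below (constructed for this article, not Truffle Security's tooling; the handler functions and the `example.com` domains are hypothetical) models both beside a corrected exact-match allow-list, and runs the check a defender would run: send a few origins the application should not trust and flag any that come back allowed with credentials.

```python
def vulnerable_reflecting_handler(origin):
    """Constructed 'before': echoes any Origin and allows credentials."""
    return {
        "access-control-allow-origin": origin,
        "access-control-allow-credentials": "true",
    }


def lenient_suffix_handler(origin, trusted_suffix="example.com"):
    """Constructed 'before' #2: a suffix check that also accepts
    https://evilexample.com, because the suffix is not dot-anchored."""
    if origin.endswith(trusted_suffix):
        return {"access-control-allow-origin": origin,
                "access-control-allow-credentials": "true"}
    return {}


def hardened_allowlist_handler(origin,
                               allowlist=frozenset({"https://app.example.com"})):
    """Corrected: exact match against a closed allow-list; any other origin
    gets no CORS headers at all. Vary: Origin keeps caches from serving one
    origin's response to another."""
    if origin in allowlist:
        return {"access-control-allow-origin": origin,
                "access-control-allow-credentials": "true",
                "vary": "Origin"}
    return {}


def classify_cors(request_origin, headers):
    """Label a response (header names lower-cased) to a cross-origin request."""
    acao = headers.get("access-control-allow-origin")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no_cors"
    if acao == "*":
        # Browsers will not attach credentials to a wildcard response, so this
        # exposes only what an anonymous client could already fetch.
        return "wildcard"
    if acao == "null":
        return "null_origin_with_credentials" if credentials else "null_origin"
    if acao == request_origin:
        return "origin_allowed_with_credentials" if credentials else "origin_allowed"
    return "other_origin"


# Probe origins are constructed; none should be trusted by a correct handler.
UNTRUSTED_PROBES = ("https://cors-probe.invalid", "https://evilexample.com", "null")


def cors_findings(handler, probes=UNTRUSTED_PROBES):
    """Return the probe origins that the handler allowed with credentials.
    An empty list means the handler passed this check."""
    findings = []
    for origin in probes:
        label = classify_cors(origin, handler(origin))
        if label in ("origin_allowed_with_credentials",
                     "null_origin_with_credentials"):
            findings.append(origin)
    return findings


if __name__ == "__main__":
    for name, handler in [("reflecting", vulnerable_reflecting_handler),
                          ("suffix", lenient_suffix_handler),
                          ("allowlist", hardened_allowlist_handler)]:
        print(name, cors_findings(handler))
```

The distinction that matters for impact is the credentials flag: an echoed origin without `Access-Control-Allow-Credentials: true` lets another site read only what an unauthenticated request would see, whereas with it the response is read in the victim's session. The `null` probe is included because some frameworks treat it as a literal origin string and allow it.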
Fresh hacking opportunities on the horizon, meanwhile, include the US Department of Defense (DoD)’s