Tag: Bug

Facebook launches bug bounty ‘loyalty program’

fb-hackerplus.png

Image: Facebook

Social media behemoth Facebook launched today Hacker Plus, the first-ever loyalty program for a tech company’s bug bounty platform.

Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports.

Any researcher who submitted or submits bugs to Facebook’s bug bounty program is automatically included and ranked inside the Hacker Plus loyalty program.

Facebook said it plans “regularly evaluate” security researchers’ performance based on the cumulative quantity, score, and signal-to-noise ratio of their bug submissions over the last year.

Based on the scores, bug hunters will be placed inside one of five tiers (leagues): Bronze, Silver, Gold, Platinum, and Diamond.

Each tier comes with its own benefits. The most common benefit is an added bonus for successful bug submissions.

“Starting at 12:00 a.m. UTC on October 9, 2020, bounty

Read More

Windows 10: Microsoft’s new 2004 update fixes bug that stopped WSL 2 working

Microsoft has released an optional preview update for Windows 10 version 2004 that addresses Windows Subsystem for Linux 2 issues that emerged after September’s Patch Tuesday update. 

The preview update KB4577063 for Windows 10 version 2004, aka the May 2020 Update, bumps up this version to build number 19041.546.

This preview update brings many of the same fixes Microsoft released in last week’s 20H2 Beta preview for Insiders on the Release Preview Channels. Microsoft is expected to release 20H2, or the Windows 10 October 2020 Update, either this month or in November.

SEE: Windows 10 Start menu hacks (TechRepublic Premium)

Two key issues addressed in this optional update for Windows 10 2004 are the WSL 2 bugs and a lingering connectivity issue with WWAN LTE modems.

The update addresses an issue in WSL that generates an ‘Element not found’ error when users try to start WSL. 

The other is a

Read More

Instagram bug opened a path for hackers to hijack app, turn smartphones into spies

Facebook has patched a critical vulnerability in Instagram that could lead to remote code execution and the hijack of smartphone cameras, microphones, and more. 

Privately disclosed to Facebook, the owner of Instagram, by Check Point, the security flaw is described as “a critical vulnerability in Instagram’s image processing.”

Tracked as CVE-2020-1895 and issued a CVSS score of 7.8, Facebook’s security advisory says the vulnerability is a heap overflow problem.

See also: Adobe out-of-band patch released to tackle Media Encoder vulnerabilities

“A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128,” the advisory says. 

In a blog post on Thursday, Check Point cybersecurity researchers said sending a single malicious image was enough to take over Instagram. An attack can be triggered once a crafted image is sent — via email, WhatsApp, SMS, or any other

Read More

Apple iOS 14 bug resets default apps to Safari and Mail on reboot

In iOS 14, Apple finally gives you a decent variety of options for your default browser and email apps. 

However, a software bug resets those apps back to Apple’s Safari and Mail after every reboot. 

The bug was discovered by a number of users who voiced the issue on Twitter, and Apple confirmed it in a statement to CNET. 

“We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update,” the company said. 

It’s

Read More

Joe Biden’s campaign app had a bug that made it too easy to access voter info

While someone could get some of that same information through other means, the Vote Joe app trivialized obtaining it (among other issues, the software also doesn’t require users to verify their email). Moreover, the App Analyst found Vote Joe pulls in more data than it displays through its user interface, including what seems like a guess on TargetSmart’s part whether a person voted for the Democratic or Republican presidential candidate in a particular election.  

The Biden campaign says it fixed the bug on Friday when it rolled out an update for the app. “We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed,” a spokesperson for the campaign told TechCrunch. “We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers

Read More

Researcher kept a major Bitcoin bug secret for two years to prevent attacks

InvDos

In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.

Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn’t received the patch.

Bitcoin Inventory Out-of-Memory Denial-of-Service Attack

Called INVDoS, the vulnerability is a classic denial-of-service (DoS) attack. While in many cases, DoS attacks are harmless, they are not for internet-reachable systems, which need to have stable uptime in order to process transactions.

INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of

Read More

Stingy Slack Paid Researcher $1,750 for Finding ‘Critical’ Bug

A security researcher found a critical bug that would have let attackers hijack a person’s computer when using Slack. His reward? $1,750.

A security researcher found a critical bug that would have let attackers hijack a person’s computer when using Slack. His reward? $1,750.
Photo: Drew Angerer (Getty Images)

At times, we’ve come to you with stories about security researchers being paid thousands—and in some cases hundreds of thousands—of dollars by companies for finding critical bugs in well-known software or hardware. However, this time, the story is different. It’s about a company that was stingy, and that’s not cool.

Illustration for article titled Stingy Slack Paid Researcher $1,750 for Finding ‘Critical’ Bug

According to Mashable and Bleeping Computer, Slack paid security researcher Oskars Vegeris $1,750 for finding and reporting a bug that would have allowed hackers to hijack a person’s computer. To do this, all a hacker needed to do was upload a file and share it with another Slack user or channel on the app’s desktop version.

“With any in-app redirect – logic/open redirect, HTML or Javascript injection it’s

Read More