Jessica Haworth, 31 December 2020 at 00:00 UTC. Updated: 31 December 2020 at 17:43 UTC

New web targets for the discerning hacker

December proved to be a quiet one for bug bounty program launches.

But the added downtime during the festive period was clearly put to good use, considering some of the impressive bug hunting this month.

A research team nabbed a $4,000 reward for a server-side request forgery (SSRF) bug in Snapchat's ad platform. The group – Ben Sadeghipour, Sera Brocious, and Brett Buerhaus – were able to show that an SSRF flaw in the messaging app's Ads Manager platform created a means to exfiltrate data from Snapchat's internal endpoints. More specifically, they were able to develop a custom webpage configured to use DNS rebinding to access sensitive web endpoints, including Google's metadata service.

Days later, another security researcher netted $3,000 for discovering a cross-site request forgery flaw in job search website Glassdoor. By exploiting the vulnerability, attackers could take control of jobseeker profiles – enabling them to edit their profile, add or delete CVs, apply for jobs, or add reviews – and employer accounts, in which they could post or delete jobs. Taking the exploit one step further, an attacker had the potential to gain administrative…
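The Snapchat finding above hinges on a classic SSRF weakness: a server-side fetcher checks a hostname once, then lets its HTTP client resolve the name again when it actually connects, so a DNS answer that changes between those two lookups ("rebinding") lands the request on an internal address such as a cloud metadata service. The following Python example is added here for illustration; it is not code from the article, from Snapchat, or from the researchers. It contrasts a naive check-then-connect flow with a hardened one that resolves once, validates every returned address, and pins the connection to the validated IP. The hostname `ads-preview.example`, the `RebindingResolver` stub, and the sample public address are constructed for the demo; `169.254.169.254` is the well-known link-local metadata address on major cloud providers.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_forbidden_ip(ip_text: str) -> bool:
    """True for any address a server-side fetcher must never contact.

    Covers RFC 1918 space, loopback, link-local (the 169.254.0.0/16 block
    hosting cloud metadata services), multicast, reserved and unspecified.
    """
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """Real DNS lookup; returns every A/AAAA answer so all can be checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


class RebindingResolver:
    """Constructed stand-in for a DNS server that changes its answer per query.

    Simulates the attacker-controlled domain from the write-up: the first
    lookup returns a harmless public address, later lookups return an
    internal one. Not part of the original article.
    """

    def __init__(self, answers: list[str]) -> None:
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host: str) -> list[str]:
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [answer]


def naive_fetch_target(url: str, resolver=default_resolver) -> str:
    """Vulnerable pattern: validate, then let the HTTP client resolve again.

    Returns the IP the second lookup would connect to, which is the rebinding
    window an attacker exploits.
    """
    host = urlparse(url).hostname
    for addr in resolver(host):          # lookup #1: passes the blocklist
        if is_forbidden_ip(addr):
            raise ValueError(f"blocked address {addr}")
    return resolver(host)[0]             # lookup #2: attacker changes answer


def pin_destination(url: str, resolver=default_resolver) -> tuple[str, str]:
    """Hardened pattern: resolve once, validate all answers, pin one address.

    Returns (hostname, pinned_ip). The caller must open the socket to
    pinned_ip and send the original hostname in the Host/SNI fields rather
    than resolving the name again. Raises ValueError on rejection.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)       # literal IP in the URL: no DNS needed
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:                   # reject if ANY answer is internal
        if is_forbidden_ip(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return host, addrs[0]


def pinned_fetch_target(url: str, resolver=default_resolver) -> str:
    """IP the hardened fetcher actually connects to (the pinned answer)."""
    return pin_destination(url, resolver)[1]


def is_rejected(url: str, resolver=default_resolver) -> bool:
    """Helper for checks: True when the hardened validator refuses the URL."""
    try:
        pin_destination(url, resolver)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    url = "http://ads-preview.example/"
    # Same rebinding DNS server, two fetcher implementations.
    print("naive connects to ", naive_fetch_target(url, RebindingResolver(
        ["93.184.216.34", "169.254.169.254"])))
    print("pinned connects to", pinned_fetch_target(url, RebindingResolver(
        ["93.184.216.34", "169.254.169.254"])))
```

Running the block shows the naive fetcher ending up at 169.254.169.254 even though its blocklist check passed, while the pinned fetcher keeps the first, validated answer. In production the pinned address must also be used for any redirect the response issues (re-run `pin_destination` on each `Location` header), and the HTTP client needs a low TTL-independent connection so the OS resolver cannot be consulted a second time.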