Are Bug Bounties a Joke?

Grayson Walker

Found some vulnerabilities in two companies, one you've probably heard of. Password is passed in cleartext to the server, which errors out and sends the password back in a fucking stacktrace to the browser.

I'm ultra-pissed that they have my password. I've already emailed them about it. Should I release now?

I don't see much of a bug bounty program for the companies, and even then a couple hundred bucks is an insult for the potential damage and incompetence. It shouldn't be my job to fix their shit-tier basic security issues.

Attached: cleartext2.png (107 KB, 1260x894)
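
The failure described in the opening post, a submitted password coming back to the browser inside a server stack trace, shown next to a handler that keeps the details server-side. This is an added example, not part of the thread or code from either company; the function names, field names and the failing backend are constructed for illustration.

```python
import logging
import traceback
import uuid

SENSITIVE_KEYS = {"password", "passwd", "token", "secret"}  # assumed field names
log = logging.getLogger("login")

def redact(form):
    """Copy of the form with sensitive values masked, safe for server logs."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
            for k, v in form.items()}

def buggy_backend(form):
    # Constructed failure: the exception message embeds the raw request,
    # which is how a password ends up inside a traceback.
    raise ValueError(f"cannot parse login request: {form!r}")

def handle_login_leaky(form):
    """Behaviour described in the post: traceback returned to the browser."""
    try:
        return 200, buggy_backend(form)
    except Exception:
        return 500, traceback.format_exc()

def handle_login_safe(form):
    """Generic body plus an incident id; details stay in server-side logs."""
    try:
        return 200, buggy_backend(form)
    except Exception as exc:
        incident = uuid.uuid4().hex
        # Log the exception type and the redacted form, not str(exc),
        # because the message itself may contain the submitted password.
        log.error("incident=%s type=%s form=%s",
                  incident, type(exc).__name__, redact(form))
        return 500, f"Internal error. Reference: {incident}"

if __name__ == "__main__":
    form = {"user": "alice", "password": "constructed-sample-pw"}
    print(handle_login_leaky(form)[1])
    print(handle_login_safe(form)[1])
```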


Gabriel Kelly

Fuck off, you larping faggot. If you'd be actually able to do so, you wouldn't waste your time on a chinese cartoons forum.

Caleb Gutierrez

Release now. Do it. I hate this "responsible disclosure" shit that's the tech industry now. Oh, better keep this bug a private matter and work in this proprietary-tier secrecy to fix it. All that bullshit. Can't let the programmers face any consequences for making a vulnerable program, now can we?
Let's be real. The only responsible disclosure is a full disclosure. Just putting it out there, explaining everything and how to exploit it. Absolutely let the blackhats start abusing it. It's the only way people will actually learn from their mistakes. It's the only way people will see consequences and the tech world may finally change for the better.
Do it.

Jayden Carter

I'm L33t hacker man
Hur I found vulnerabilities in their code!
Using nothing but inspect element on much browser!

Why did you make this thread OP? Need to feel good by lying online?

Liam Brooks

This will teach those fuckers a lesson

Zachary Wood

Calling devtools "inspect element"
Claiming that there is no vulnerability when it's shown in the screenshot
Spotted the person with no experience or knowledge.
It doesn't seem wise to release it. I'd be afraid of them going after me for hacking or something. Even if you did it anonymously, they'd be able to put two and two together since you emailed them.

Xavier Reyes

> Password is passed in cleartext to the server

Are you... retarded?

Hunter Evans

Retard confirmed. Sage this larping faggot and move on.

Justin Edwards

this
have you ever heard of ssl OP

Dominic Cook

Who hurt you

Michael Scott

nah senpaitachi you're supposed to hash your passwords client side!

Jackson Mitchell

ieeelog.dragusin.ro/init/default/log

Attached: cleartext-redacted.png (476 KB, 2133x949)

Dylan Ramirez

That's the nature of the issue. The second the password hits their servers, attack vectors explode and actual passwords (not just hashes, nonced hashes, etc.) can be stolen. Then again, maybe I'm just a n00b larper fag. Oh well ¯\_(ツ)_/¯

Jason Jackson

There's nothing wrong with sending the password unhashed through SSL. There's nothing wrong with a server error barfing it back. The other parts of the error traceback are a bigger security issue than sending whatever you sent as the password back.

Brody Lewis

> Password is passed in cleartext to the server

Because secured tunnels like TLS/SSL, IPSec don't exist right? You're just using a website that passes shit on port 80 http? Sounds like both you and the website are idiots.

Asher Foster

This industry. And it's not just me. It's you. It's OP. It's everyone who ever uses a buggy piece of software these days (so a majority of the western world).
It's the fault of our practices when it comes to technology. We constantly ask whether we can, how we can advance, etc. We never ask whether we should. We so rarely go through the rigors of ensuring every component, every line, is safe and properly secured.
This is damaging on many levels, and I'll give a perfect example. We knew long ago that microkernels were more secure, and by the 90s, the performance problems with them were already being ironed out. But that wasn't happening fast enough for businesses. People see dollar signs in recklessness. They went with the faster designs, the less tested ones. Windows, MacOS, even Linux to some extent. Each one trying to push out more and more features. No room for self-contemplation. Just keep trying to beat out your competition with some shiny thing. This left microkernels in the dust, as they couldn't keep up with the features that caught peoples' eyes. People didn't want to wait for someone to do it right. They just wanted someone to do it. Security doesn't sell.
So we need to make it sell.

Levi Howard

So you're assuming that this isn't logged somewhere?

I'd definitely prefer for my passwords to be hashed/nonced before touching the server, so that even if the server was compromised, the chances of it being cracked and used are slim-to-none. Maybe I'm being a little crazy about this, but I don't see why anyone would not do this..

If they can't even make a front-end that doesn't puke out serverside stacktraces, something tells me that it wouldn't be incredibly hard to pwn the server, and take the passwords in-transit.

Nathaniel Wilson

That's not even a bug, that's just the state of cryptography in the modern internet. You just have to assume that every place you type your password into has your password. Even if they mutate it client-side you can't be sure that it's not a reversible encryption without digging into the code.

Use a password manager.

Juan Ramirez

> I'd definitely prefer for my passwords to be hashed/nonced before touching the server,
It's fucking pointless, if you hashed your password before touching the server, then the hashed password is the password instead in the server point of view (and it will be incredibly stupid that they just store that hashed password without hashing again), you are just adding another useless abstraction.

Hunter Wood

So, where is the PoC?

Alexander Powell

this

Parker Johnson

Not if it's nonced/salted. If you have someone's password, you can use it on other accounts and systems. If nonced/salted, it becomes worthless on other sites/logins.
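
The two points argued in the posts above, that a client-side hash simply becomes the password from the server's side unless it is hashed again, and that salting it per site makes a captured value useless elsewhere, worked through as an added example (not code from the thread). The function names, site names and the PBKDF2 work factor are assumptions chosen for illustration; PBKDF2 from the standard library stands in for whatever KDF a real deployment uses.

```python
import hashlib
import hmac
import os

ITER = 100_000  # illustrative work factor, not a recommendation

def client_prehash(password, site, username):
    """Value the browser would send instead of the raw password.
    Salting with site and username makes it differ per site."""
    salt = f"{site}|{username}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def naive_store(credential):
    """Anti-pattern: keep the client hash as-is in the database."""
    return credential

def naive_verify(credential, stored):
    return hmac.compare_digest(credential, stored)

def server_store(credential):
    """Treat whatever arrives as the password: random salt, hash again."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", credential, salt, ITER)

def server_verify(credential, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", credential, salt, ITER)
    return hmac.compare_digest(candidate, digest)

def demo():
    # Constructed sample passphrase and hypothetical site names.
    pre_a = client_prehash("constructed passphrase", "site-a.example", "alice")
    pre_b = client_prehash("constructed passphrase", "site-b.example", "alice")
    naive_db = naive_store(pre_a)
    record = server_store(pre_a)
    return {
        # A row read from the naive database is itself a valid credential.
        "naive_db_row_logs_in": naive_verify(naive_db, naive_db),
        # A digest read from the rehashed database is not accepted.
        "rehashed_row_logs_in": server_verify(record[1], record),
        "legit_login": server_verify(pre_a, record),
        # Same passphrase on another site yields a different value.
        "works_on_other_site": pre_a == pre_b,
    }

if __name__ == "__main__":
    print(demo())
```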

Noah Collins

If you don't understand basic cryptography principles then don't express opinions about cryptographic practices.

The service should not know your password. It should only know a salted-and-hashed pass key.

Your password should never be vulnerable, only your access to that service should be vulnerable.

Andrew Baker

shut the fuck up pajeet that's got nothing to do with "cryptography" stop calling it "cryptography"

Christian Morgan

Learn what https is idiot.

John Edwards

This is just a big fat multiplier for the damage done if someone ever breaks into the servers. It's the difference between one account being stolen and every account that uses that password being stolen (which could easily cascade from there).

Josiah Hall

Did you guys even read the thread?

Attached: image0.jpg (35 KB, 351x376)

Thomas Murphy

> I'd definitely prefer for my passwords to be hashed/nonced before touching the server
op... this is a vulnerability in itself...

Bentley Wright

> op... this is a vulnerability in itself...
Uhhh, how? What could possibly happen that would not already happen with a pwned server?

Ian Nelson

There is no proof that it's being saved server side. It is supposed to be hashed server side.

Attached: serveimage(38).jpg (57 KB, 645x729)

Jackson Baker

You're introducing more areas for attack and you're not actually increasing the security. It's fucking 2019, there's no reason to not be using SSL. Even then, if someone did an MITM attack they could literally just change the javascript sent to the client, making the whole effort pointless. If the server was compromised guess what, they can just change the fucking javascript.

Cameron Nelson

> I'd definitely prefer for my passwords to be hashed/nonced before touching the server, so that even if the server was compromised, the chances of it being cracked and used are slim-to-none.
Lmao. Whoever has unencrypted traffic had already hacked you.

James Perez

> but I don't see why anyone would not do this..
Tech illiterates would buy a million of thin condoms even if they are sterile already. Best passwords are passwords which basically no company would let you set - long memorable phrases. Shits would require you to add punctuation and whatnot to protect most vulnerable retards instead.

Levi Baker

Oh and
If attacker is already MITM they might as well send arbitrary page just to get your precious unhashed password because unhashed password which should be unique for each site is definitely more important than any data the website contains.
