Are Bug Bounties a Joke?

Found some vulnerabilities in two companies, one you've probably heard of. Password is passed in cleartext to the server, which errors out and sends the password back in a fucking stacktrace to the browser.

I'm ultra-pissed that they have my password. I've already emailed them about it. Should I release now?

I don't see much of a bug bounty program for the companies, and even then a couple hundred bucks is an insult for the potential damage and incompetence. It shouldn't be my job to fix their shit-tier basic security issues.

Attached: cleartext2.png (1260x894, 107K)


Fuck off, you larping faggot. If you were actually able to do so, you wouldn't waste your time on a Chinese cartoons forum.

Release now. Do it. I hate this "responsible disclosure" shit that's the tech industry now. Oh, better keep this bug a private matter and work in this proprietary-tier secrecy to fix it. All that bullshit. Can't let the programmers face any consequences for making a vulnerable program, now can we?
Let's be real. The only responsible disclosure is a full disclosure. Just putting it out there, explaining everything and how to exploit it. Absolutely let the blackhats start abusing it. It's the only way people will actually learn from their mistakes. It's the only way people will see consequences and the tech world may finally change for the better.
Do it.

>I'm L33t hacker man
>Hur I found vulnerabilities in their code!
>Using nothing but inspect element on much browser!

Why did you make this thread OP? Need to feel good by lying online?

This'll teach those fuckers a lesson

>Calling devtools "inspect element"
>Claiming that there is no vulnerability when it's shown in the screenshot
Spotted the person with no experience or knowledge.
It doesn't seem wise to release it. I'd be afraid of them going after me for hacking or something. Even if you did it anonymously, they'd be able to put two and two together since you emailed them.

>Password is passed in cleartext to the server

Are you... retarded?

Retard confirmed. Sage this larping faggot and move on.

this
have you ever heard of SSL, OP

Who hurt you

nah senpaitachi you're supposed to hash your passwords client side!

ieeelog.dragusin.ro/init/default/log

Attached: cleartext-redacted.png (2133x949, 476K)

That's the nature of the issue. The second the password hits their servers, attack vectors explode and actual passwords (not just hashes, nonced hashes, etc.) can be stolen. Then again, maybe I'm just a n00b larper fag. Oh well ¯\_(ツ)_/¯

There's nothing wrong with sending the password unhashed through SSL. There's nothing wrong with a server error barfing it back. The other parts of the error traceback are a bigger security issue than sending whatever you sent as the password back.

>Password is passed in cleartext to the server

Because secured tunnels like TLS/SSL, IPSec don't exist right? You're just using a website that passes shit on port 80 http? Sounds like both you and the website are idiots.

This industry. And it's not just me. It's you. It's OP. It's everyone who ever uses a buggy piece of software these days (so a majority of the western world).
It's the fault of our practices when it comes to technology. We constantly ask whether we can, how we can advance, etc. We never ask whether we should. We so rarely go through the rigors of ensuring every component, every line, is safe and properly secured.
This is damaging on many levels, and I'll give a perfect example. We knew long ago that microkernels were more secure, and by the 90s, the performance problems with them were already being ironed out. But that wasn't happening fast enough for businesses. People see dollar signs in recklessness. They went with the faster designs, the less tested ones. Windows, MacOS, even Linux to some extent. Each one trying to push out more and more features. No room for self-contemplation. Just keep trying to beat out your competition with some shiny thing. This left microkernels in the dust, as they couldn't keep up with the features that caught people's eyes. People didn't want to wait for someone to do it right. They just wanted someone to do it. Security doesn't sell.
So we need to make it sell.

So you're assuming that this isn't logged somewhere?

I'd definitely prefer for my passwords to be hashed/nonced before touching the server, so that even if the server was compromised, the chances of it being cracked and used are slim-to-none. Maybe I'm being a little crazy about this, but I don't see why anyone would not do this.

If they can't even make a front-end that doesn't puke out serverside stacktraces, something tells me that it wouldn't be incredibly hard to pwn the server, and take the passwords in-transit.

That's not even a bug, that's just the state of cryptography in the modern internet. You just have to assume that every place you type your password into has your password. Even if they mutate it client-side you can't be sure that it's not a reversible encryption without digging into the code.

Use a password manager.

>I'd definitely prefer for my passwords to be hashed/nonced before touching the server,
It's fucking pointless. If you hashed your password before touching the server, then the hashed password is the password from the server's point of view (and it would be incredibly stupid if they just stored that hashed password without hashing again). You are just adding another useless abstraction.

So, where is the PoC?

this

Not if it's nonced/salted. If you have someone's password, you can use it on other accounts and systems. If nonced/salted, it becomes worthless on other sites/logins.

If you don't understand basic cryptography principles then don't express opinions about cryptographic practices.

The service should not know your password. It should only know a salted-and-hashed pass key.

Your password should never be vulnerable, only your access to that service should be vulnerable.

shut the fuck up pajeet that's got nothing to do with "cryptography" stop calling it "cryptography"

Learn what https is idiot.

This is just a big fat multiplier for the damage done if someone ever breaks into the servers. It's the difference between one account being stolen and every account that uses that password being stolen (which could easily cascade from there).

Did you guys even read the thread?

Attached: image0.jpg (351x376, 35K)

>I'd definitely prefer for my passwords to be hashed/nonced before touching the server
op... this is a vulnerability in itself...

>op... this is a vulnerability in itself...
Uhhh, how? What could possibly happen that would not already happen with a pwned server?

There is no proof that it's being saved server side. It is supposed to be hashed server side.

Attached: serveimage(38).jpg (645x729, 57K)

You're introducing more areas for attack and you're not actually increasing the security. It's fucking 2019, there's no reason to not be using SSL. Even then, if someone did an MITM attack they could literally just change the JavaScript sent to the client, making the whole effort pointless. If the server was compromised guess what, they can just change the fucking JavaScript.
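To make the disagreement above concrete, here is an added demo (not code from any poster or from the companies in the screenshot). It uses PBKDF2 from the standard library with constructed sample data and shows the two claims side by side: a client-side hash that the server stores as-is is simply the password from the server's point of view (a leaked row logs straight in), while a server that re-hashes with its own random salt does not have that problem; and a per-site derived credential captured at one site does not verify at another. The site names and usernames are made up.

```python
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 iteration count for this demo

def client_derive(password: str, site: str) -> bytes:
    """Client side: derive a per-site credential (salt = site name, constructed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), site.encode(), ITER)

class Server:
    """Toy credential store. rehash=False stores whatever the client sent verbatim."""
    def __init__(self, rehash: bool):
        self.rehash = rehash
        self.db = {}  # username -> (salt, stored_value)

    def _stretch(self, credential: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential, salt, ITER) if self.rehash else credential

    def register(self, user: str, credential: bytes) -> None:
        salt = os.urandom(16)  # server-side random salt, never sent to the client
        self.db[user] = (salt, self._stretch(credential, salt))

    def login(self, user: str, credential: bytes) -> bool:
        salt, stored = self.db[user]
        return hmac.compare_digest(self._stretch(credential, salt), stored)

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample password
    cred_a = client_derive(password, "site-a.example")
    cred_b = client_derive(password, "site-b.example")

    # 1. Server stores the client hash verbatim: a leaked DB row IS the credential.
    naive = Server(rehash=False)
    naive.register("alice", cred_a)
    _, leaked_row = naive.db["alice"]

    # 2. Server re-hashes with its own salt: the leaked row no longer logs in.
    proper = Server(rehash=True)
    proper.register("alice", cred_a)
    _, leaked_row2 = proper.db["alice"]

    # 3. A credential captured at site A is useless at site B (different derivation salt).
    site_b = Server(rehash=True)
    site_b.register("alice", cred_b)

    return {
        "legit_login": proper.login("alice", cred_a),                 # True
        "leaked_row_logs_in_naive": naive.login("alice", leaked_row),  # True: hash == password
        "leaked_row_logs_in_proper": proper.login("alice", leaked_row2),  # False
        "cross_site_reuse": site_b.login("alice", cred_a),            # False
    }
```

Note that none of this helps if the transport or the served JavaScript is already under an attacker's control, which is the point the post above makes.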

>I'd definitely prefer for my passwords to be hashed/nonced before touching the server, so that even if the server was compromised, the chances of it being cracked and used are slim-to-none.
Lmao. Whoever has unencrypted traffic has already hacked you.

> but I don't see why anyone would not do this..
Tech illiterates would buy a million thin condoms even if they are sterile already. The best passwords are passwords which basically no company would let you set: long memorable phrases. Shits would require you to add punctuation and whatnot to protect the most vulnerable retards instead.

Oh and
If the attacker is already MITM they might as well send an arbitrary page just to get your precious unhashed password, because an unhashed password, which should be unique for each site, is definitely more important than any data the website contains.