A hunter has documented how he earned a total of $64,350 from various Bug Bounty Programs after scanning tens of thousands of public GitHub repos for secrets hidden in past commits. “For each repository I restored deleted files, found dangling blobs and unpacked .pack files to search in them for exposed API keys, tokens, and credentials,” wrote Sharon Brizinov in a Medium post. Brizinov, who built a tool especially for the task, duly “discovered numerous deleted files containing API tokens, credentials, and even active session tokens that had not been revoked. Reporting these findings led to significant security improvements for the affected companies,” he added. The writeup, which was well received on r/netsec, was summarised in an X thread by the Critical Thinking podcast, in case you don’t have time to read Brizinov’s blog post. 🕵️
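The approach Brizinov describes is the same one a repository owner can turn on their own codebase: enumerate every object the Git object store still holds, reachable or dangling, loose or packed, and grep the blobs for credential-shaped strings. The Python below is an added example written for this roundup, not Brizinov's tool; it parses the record format of `git cat-file --batch-all-objects --batch` (which walks packfiles and loose objects alike, including unreachable ones) and applies a small, hypothetical set of secret patterns. The sample object stream, its fake object IDs and the AWS-style example key are all constructed for the demo.

```python
import re
import subprocess
from dataclasses import dataclass

# Hypothetical detection patterns for the demo; production scanners ship far larger sets.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        rb"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}


@dataclass
class Finding:
    object_id: str   # blob OID to pass to `git cat-file -p` / `git log --all --find-object`
    kind: str        # which pattern fired
    snippet: str     # redacted match, safe to put in a ticket


def parse_cat_file_batch(stream: bytes):
    """Parse `git cat-file --batch-all-objects --batch` output.

    Each record is '<oid> <type> <size>\\n', then exactly <size> bytes of
    content, then a trailing '\\n'. Content is sliced by size, never split on
    newlines, so binary blobs are handled correctly.
    """
    pos = 0
    while pos < len(stream):
        nl = stream.index(b"\n", pos)
        oid, otype, size = stream[pos:nl].decode().split()
        size = int(size)
        body = stream[nl + 1 : nl + 1 + size]
        yield oid, otype, body
        pos = nl + 1 + size + 1


def redact(secret: bytes) -> str:
    """Keep just enough of the match to recognise it; never log the full value."""
    s = secret.decode(errors="replace")
    return s[:4] + "…" + s[-2:] if len(s) > 8 else "***"


def scan_blob(oid: str, body: bytes) -> list:
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(body):
            # Patterns with a capture group report the value group; others the whole match.
            findings.append(Finding(oid, kind, redact(m.group(m.lastindex or 0))))
    return findings


def scan_stream(stream: bytes) -> list:
    """Scan every blob in a cat-file batch stream; trees and commits are skipped."""
    findings = []
    for oid, otype, body in parse_cat_file_batch(stream):
        if otype == "blob":
            findings.extend(scan_blob(oid, body))
    return findings


def scan_repo(path: str) -> list:
    """Run the real enumeration against a local repository (needs git on PATH)."""
    out = subprocess.run(
        ["git", "-C", path, "cat-file", "--batch-all-objects", "--batch"],
        capture_output=True, check=True,
    ).stdout
    return scan_stream(out)


def build_sample_stream() -> bytes:
    """Constructed stand-in for cat-file output: fake OIDs, fake secret."""
    blobs = [
        ("a" * 40, b"# config.py, deleted in a later commit\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"),
        ("b" * 40, b"print('hello')\n"),
    ]
    records = [f"{oid} blob {len(body)}\n".encode() + body + b"\n" for oid, body in blobs]
    commit_body = b"tree 0000\n"
    records.append(f"{'c' * 40} commit {len(commit_body)}\n".encode() + commit_body + b"\n")
    return b"".join(records)


if __name__ == "__main__":
    for f in scan_stream(build_sample_stream()):
        print(f"{f.kind}: {f.snippet} in blob {f.object_id}")
```

A hit on a blob that no branch references is exactly the case the writeup highlights: `git log --all` will not show it, but the object still ships with every clone until the history is rewritten and the secret is rotated. Revocation, not deletion, is the fix.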
Airborne infections
The next item on our monthly hunter roundup – first published as a LinkedIn newsletter – features vulnerabilities in Apple’s AirPlay feature that, if abused, could enable attackers to spread malicious code from one infected device to another. AirPlay enables iPhone and MacBook users to wirelessly stream music, photos and videos and ‘mirror’ the source-device screen to other Apple devices or third-party speakers and TVs. 📺 The Oligo researchers who discovered the bugs dubbed them ‘Airborne’ vulnerabilities as they enabled attacks mounted via wireless networks or peer-to-peer connections. These vulnerabilities could lead to zero-click and one-click RCE, access control list (ACL) and user interaction bypasses, local arbitrary file reads, sensitive information disclosure, man-in-the-middle (MITM) attacks and denial of service (DoS). Despite a characteristically prompt fix from Apple, Wired warned that “given how rarely some smart-home devices are patched, it’s likely that these wirelessly enabled footholds for malware, across many of the hundreds of models of AirPlay-enabled devices, will persist for years to come.” 🍏
“AI-generated slop reports are making bug bounty triage harder, wasting maintainer time, and straining trust in vulnerability disclosure programs,” warns Sarah Gooding, head of content marketing at Socket, a security platform aimed at developers. She referenced a real-world bug report for curl that was superficially convincing but cited non-existent functions and methods and fake patches. A software engineer at Open Collective, which manages its own program, recently complained that “our inbox is flooded with AI garbage”, suggesting the inundation might ultimately force them to migrate to a Bug Bounty platform that can triage reports on their behalf. 🤖
Laurence Tennant of Include Security’s examination of browser mitigations around cross-origin requests that make Cross-Site WebSocket Hijacking (CSWSH) harder to exploit is worth a read given it made it into r/websecurityresearch, which is open only to truly “novel web security research”. Analysis of these mitigations is “explored together with three case studies of past findings, investigating which of the attacks still work today,” wrote Tennant. 💡
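Browser-side mitigations are outside a site owner's control, so the server-side complement is still worth having: a WebSocket handshake is an HTTP request with an `Origin` header, and CSWSH only works when the server accepts that handshake from an origin it does not trust. The Python below is an added example, not code from Tennant's write-up, showing the check a WebSocket server should run before completing the upgrade. The allowlist and the sample request headers are assumptions constructed for the demo.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the only origins whose pages may open authenticated sockets.
ALLOWED_ORIGINS = {"https://app.example.com"}


def normalize_origin(origin: str):
    """Canonicalise scheme://host[:port] so 'https://a.example:443' == 'https://a.example'.

    Returns None for anything that is not a proper http(s) origin, which also
    covers the literal 'null' origin browsers send from sandboxed contexts.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port or default_port
    suffix = "" if port == default_port else f":{port}"
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def check_ws_handshake(headers: dict, allowed=ALLOWED_ORIGINS):
    """Decide whether to complete a WebSocket upgrade. Returns (accept, reason).

    Exact origin matching is deliberate: a suffix or substring check would let
    'app.example.com.attacker.example' through.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on the handshake; a missing header means a
        # non-browser client, which should authenticate with an explicit token instead.
        return False, "missing Origin header"
    allowed_norm = {normalize_origin(a) for a in allowed}
    if normalize_origin(origin) not in allowed_norm:
        return False, f"origin not allowed: {origin}"
    return True, "ok"


# Constructed sample handshakes: one legitimate, one from an attacker-controlled page.
GOOD_REQUEST = {"Upgrade": "websocket", "Connection": "Upgrade", "Origin": "https://app.example.com:443"}
CROSS_SITE_REQUEST = {"Upgrade": "websocket", "Connection": "Upgrade", "Origin": "https://attacker.example"}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("cross-site", CROSS_SITE_REQUEST)):
        print(name, check_ws_handshake(req))
```

The origin check does not replace a `SameSite` cookie policy or a per-session token in the handshake URL; it is the layer that still holds when a browser's own cross-origin defaults are looser than expected, which is the scenario the case studies probe.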
Before we conclude with the latest hunter-focused content from YesWeHack (including a new Dojo feature, new public program, and new recon guide) here’s the final research rundown:
🔬 One-Click RCE in ASUS’s Preinstalled Driver Software – MrBruh
🔬 How a Single Line Of Code Could Brick Your iPhone – Guilherme Rambo on earning a $17,500 bounty
🔬 Drag and pwnd: Exploiting VS Code with ASCII – by Zakhar Fedotkin, PortSwigger
🔬 Fuzzing WebSockets for Server-Side Vulnerabilities – arete06
Ruby Ruby Ruby Ruby
Did you know: Ruby, where nearly everything is an object – even integers, nil, true and false – was created by Japanese programming legend Yukihiro ‘Matz’ Matsumoto, who blended his favourite parts of Perl, Smalltalk and Lisp. The song ‘Ruby’ by rock band the Kaiser Chiefs, meanwhile, is not a paean to the programming language or even an ex-girlfriend, but apparently named after the songwriter’s eponymous black labrador. 🎸 Anyway, this is an unnecessarily elaborate preamble to the fact that YesWeHack’s Dojo platform now supports Ruby! Naturally our latest monthly challenge – Ruby Treasure – is based on this mature, still relatively common language with a history of interesting vulnerabilities. 💎
In other Dojo challenge news, our latest Talkie Pwnii episode discusses the previous, community-created Dojo Challenge, ‘Hacker Profile’, which involved server-side prototype pollution in Node.js. 🎙️
Port scanning helps you map attack surfaces by identifying open ports and which services are running – a crucial step before getting down to the business of bug-hunting. If you’re unfamiliar with the basics, then check out the fourth instalment of our recon fundamentals series, which explains various passive and active port-scanning techniques and how to execute them with Shodan, Censys, Nmap, Masscan and Naabu. 🌐
New hunting opportunity
📢 Another month, another new public program for hunters to target: this time it’s Paddle, a payments platform offering a dozen assets in scope, grey-box testing with sandbox access and rewards up to $3,000 for critical vulnerabilities and $1,500 for high-severity flaws. 💰
Leaderboard time now and we’d like to salute the achievements of drak3hft7, an Italian hunter who has climbed to fifth place for the second quarter and ascended to an all-time high of 10th. In an interview we conducted with the hunter last year, he attributed his success above all to persistence, as well as curiosity and a passion for hacking. 🚀 Credit is also due to Xavoppa, up to bronze medal position for Q2 and now an impressive all-time rank of 59 having only joined in 2024. Another one to watch on the Q2 leaderboard below: YoyoDavelion, a Spain-based hacker who only joined last year, has risen to sixth and recently earned a ‘Black Hole’ achievement for netting the highest possible bounty on a program. 👏
🤘 Meet the YesWeHack Team
We’ll conclude, as we always do, with a list of upcoming conferences where you can meet the YesWeHack team, score some YesWeHack swag, and learn about bug hunting on our platform (or in one case learn about exploiting syntax confusions):
📍 SINCON – Singapore, 22-23 May, Bug Bounty Kampung (Village)
📍 Vietnam Security Summit – Ho Chi Minh, 23 May, booth 23
📍 NahamCon – Online, 22-23 May. We’re sponsoring this conference, while our in-house hunter Brumens will deliver a talk on ‘The Minefield Between Syntaxes: Exploiting Syntax Confusions in the Wild’ on 23 May, 1:25pm PST
📍 Infosecurity Europe – London, 3-5 June, booth F130
📍 Congrès du CoTer Numérique – Clermont-Ferrand, 17-18 June, booth 125
More conferences and live hacking events will be announced in due course! 📅
Done. Happy bug-hunting! 👋
Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.
Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.