Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Watch out for these fucking bug bounty idiots.
Some time back I got an email from one shortly after making a website live. Didn't find anything major and just ran a simple tool that can suggest security improvements simply loading the landing page for the site.
Might be useful for some people but not so much for me.
It's the same kind of security tool you can search for, run it and it mostly just checks things like HTTP headers. A harmless surface test. Was nice, polite and didn't demand anything but linked to their profile where you can give them some rep on a system that gamifies security bug hunting.
It's rendering services without being asked like when someone washes your windscreen while stopped at traffic but no demands and no real harm done. Spammed.
I had another one recently though that was a total disgrace.
"I'm a web security Analyst. My Job is to do penetration testing in websites to make them secure."
"While testing your site I found some critical vulnerabilities (bugs) in your site which need to be mitigated."
"If you have a bug bounty program, kindly let me know where I should report those issues."
"Waiting for response."
It immediately stands out that this person is asking for pay before disclosing vulnerabilities but this ends up being stupid on so many other levels.
The second thing that stands out is that he says he's doing a penetration test. This is illegal in most major countries. Even attempting to penetrate a system without consent is illegal.
In many cases if it's trivial or safe no harm no foul but in this case I take a look at what he's sending and he's really trying to hack the site. Sending all kinds of junk data and sending things to try to inject that if they did get through could cause damage or provide sensitive data such as trying SQL injects to get user data.
It doesn't matter the intent it's breaking criminal law and when there's the potential for damages that's serious.
It cannot be understated how unprofessional this is. Irrespective of intent, being a self proclaimed "whitehat" or "ethical hacker" if they test this on a site and some of the commands they sent my way had worked then that would have been a data breach.
These weren't commands to see if something was possible, they were commands to extract data. If some random person from Pakistan extracts sensitive data then that's a breach that has to be reported and disclosed to users with the potential for fines and other consequences.
The sad thing is looking at the logs he's doing it all manually. Copying and pasting extremely specific snippets into all the input boxes of hacked with nothing to do with the stack in use. He can't get that many hits that way.4 -
#Happy_Rant
Seeing BYJU's and WhiteHat Jr losing millions in valuation makes me happy, as it was something I had predicted (Im not flexing btw).
The whole business model is dumb, teaching CHILDREN coding and teaching them how to make `apps` via online learning.
Students study Comp Sci for literal years before they even begin coding something useful, and even then there are so many professional developers walking around who barely understand the code that they write.
It's just natural selection at this point.6 -
So someone posted their btc wallet details (system automated message through a custom tool) to a paste in alternative.
Was the login for an ssh. Wont confirm or deny ssh-ing into it, but another guy who saw the same thing messaged me, sent a screenshot. Account had 127k usd worth of btc in it.
Called the radio station it belonged to and gave them a heads up. Probably should reported it as well but people already seen it so it'll get taken down soon enough.
Here I am broke, busting my ass and reality throws this in my lap. But I ain't never been no god damn thief. Hope the radio station it belongs to doesnt get robbed by someone less honest though.
Honesty is probably half the reason I've spent half my life broke trying to find or make opportunities.
And frankly I've heard real horror stories of good faith reports (whitehat style pentesting, etc) and the people that report it get fucked hard by authorities. What can you do though.
Enough navel gazing though.
What the fuck is wrong with the people who build these sort of account reset tools anyway?12 -
Today I attended the first half of the WhiteHat challenge at CERN :) one more to go to be a certified pentester! I expected lots of learning, and my expectations were not let down, game on!11
-
A few minutes ago i called a local snack bar because i've found a IoT IP Webcam which has access for everyone. I told the boss the situation and now
I got a free fries. #whiteHat1 -
Disclaimer - Day in the life of a whitehat student.
Whitehat Whitehat Whitehat
What is this????
When I attended my first white hat jr online free trial class, I got to know that the teachers does not know the difference between java and javascript. Infact they were saying blockly as javascript. I was knowing the difference between the same. There were 3 types of courses -
***Note : - This information is taken from the whitehat official website***
1.) Introduction to Coding :-
Sequence, Fundamentals Coding Blocks, Loops
(Teach us to drag and drop blocks of code.org(blockly))
2.) App Developer Certificate:-
Events / UI,Conditionals, Complex Loop, Logic Structures, Turtle Coding
(Advanced drag and drop(blockly))
3.) Advance Coding with Space Tech -
Extended UI/UX, Rich GUI app, Space Tech simulation in Space Lab / Game Lab, Professional Game Design.
(GUI - with tkinter(python), Game Design - Blockly(code.org))
These things are rubbish ......making GUI's is simplest with tkinter and the students who make games (with code.org) submit their codes to the whitehat community (because the teacher says "they will compile it to an android app, then you can publish it to playstore" --- this is for 1% students who are able to design their own games).
The thing whitehat do with code given by 1% best students:-
Export to HTML from code.org
Download HTML to APK Convertor
Setup SDK
Successfully converted to APK!
Publish it to Whitehat Jr console account
Credits of the students
Income of the exporters
Rest all students will only think to be the CEO of google one day.
My Opinion - StackOverflow, Unity for Game Development, Android Studio, Dart, Flutter and Kivy (using google colab for compiling the python code to an apk) for app development and Flask, HTML, CSS for web development.7 -
Guys so there's thia company called Whitehat jr, who's doing a lot of shady stuff. They pretend to teach kids coding by making them dabble with scratch/block type editor and charge them upto 100000 rupees for the course. Their teachers also dont know coding!!! I feel very bad for the kids who are forced by their parents into all this crap without doing prior research..11
Top Tags
Weekly Rant
View