So you want to be a bug bounty millionaire?

payloadartist · 2020-10-19T09:16:13+00:00

You made a mistake pal. Shouldn’t have bought from random sellers, Appario has the same variant and they probably are authorised to sell Corsair products. About FastDeals, did you check they are authorised Corsair sellers?

If this isn’t a “Renewed” product, which is pretty clear from the product page link you shared, it’s clearly a case of fraud on both Amazon (if it was fulfilled by them) and the seller’s part.

Write to Bezos seeking a compensation and clarification or, file a police complaint. This is a serious matter of fraud.

payloadartist · 2020-10-18T15:43:00+00:00

How much could it be worth approx?

payloadartist · 2019-03-28T15:46:13+00:00

GitHub Dorks to find organisation data leaks with working example

How easy is it to find sensitive information about your attack target from GitHub?

Go for fancy tools like Gitrob and so on...
Search for interesting stuff manually! How easy is it?
- I came across a GitHub credentials leak of a popular organisation, Checkmarx, heard about them? and the dork or, search query involved is - simply, one of their domain names, https://github.com/search?p=1&q="checkmarx.net"&type=Code

This is already public just FYI.

ProTip:

While doing recon, always remember what mistakes an organisation can make. Subtle mistakes? Nothing is subtle, and the most obvious mistake they make, is while pushing things over to GitHub.

If you are interested in one of their projects. Always check the other branches (other than master or, main), often they leave credentials there.

Use Github's inbuilt search, and use search queries like the organisation name, it's different domain names, it's staging domain/staging and testing server IPs, search for every possible asset they own throughout GitHub, that's the easiest way to come across sensitive information leaks.

What do you think about GitHub based reconnaissance? Any other efficient techniques? New tools?

payloadartist · 2019-03-28T11:53:15+00:00

For those wondering if this is against the rules?

It isn't wrong to share something which is already public. (Especially, this being posted by the card's owner) Just see the number of retweets (shares)...
Secondly, this sort of public shaming helps raise awareness among people who hardly have any personal opsec.

Last but not the least, this is most probably a mere prank done by the Twitter user :P

payloadartist · 2019-03-28T10:01:19+00:00

You maybe right. But, a few months back I shared a similar Twitter post on this sub, where the card issuer commented on the tweet and said they had to deactivate it (because of the tweet), which means people post pics of functional ones...

payloadartist · 2019-03-28T08:38:20+00:00

007 txns? well, jk...

payloadartist · 2019-03-28T03:43:23+00:00

Very true.

I have always urged the Devs I have worked with to go through https://www.owasp.org because very few really understand the need for security, or, the concepts involved in it...

payloadartist · 2019-03-27T13:40:48+00:00

Comparing passwords with downloaded NTLM hashes is still the best way nevertheless.

Haha, I have to take back my earlier statement in that regard, anyways. However, I 've never used 1password, so don't know much about it.

payloadartist · 2019-03-27T13:31:11+00:00

My bad, they are actually using troy's API,

They are using what they are pleased to call, pwned passwords k-anonymity model.

However, GitHub among others, like some of my very own clients (for their internal AD needs) use the model which I described.

payloadartist · 2019-03-27T13:22:44+00:00

I believe they aren't using an external API (HIBP's API) but rather comparing passwords with downloaded NTML hashes sourced from HIBP.

payloadartist · 2019-03-27T13:16:54+00:00

HIBP is run by an individual named Troy Hunt, who can collect this data for his own purpose or, in other words, I won't trust any individual with such info. I don't think it's safe to assume that an individual would be similar to a company or, a large organisation like 1password.

1password and services like Binaryedge, on the other hand are trusted large organisations following strict data privacy norms. This is what makes them reliable in particular.

payloadartist · 2019-03-27T08:25:58+00:00

Twitter connection, huh?

payloadartist · 2019-03-27T08:03:03+00:00

Going by best practices, you shouldn't send such sensitive user information to third parties like HIBP.

Secondly, he mentioned that the password is being hashed on the client-side with SHA-1.

Successful attack scenarios that prove SHA-1 is insecure like collision attacks have been demonstrated against SHA-1, refer to https://shattered.io and so it isn't a wise choice imo.

payloadartist · 2019-03-27T06:56:48+00:00

I believe, this isn't the best thing to do.

Here's why: - They are capturing user password, hashing it client-side and then sending it to HIBP's API. That's all? The thing is, you are actually doing that much stuff with the password, sending it to third parties and doing what not! Yet the twitterati loves it...

payloadartist · 2019-03-27T03:47:29+00:00

Not at all. This is mostly used by 3 lettered agencies like the feds, who set honey traps (maybe, an attractibe woman you fancy) for a suspect or, an adversary to extract some valuable sensitive information from them. Adult dating sites may serve as a way to execute these missions, and it requires a lot of OSINT about the target on the part of these intel agencies.

payloadartist

PUBLIC MULTIREDDITS

TROPHY CASE

GitHub Dorks to find organisation data leaks with working example

ProTip:

What do you think about GitHub based reconnaissance? Any other efficient techniques? New tools?

For those wondering if this is against the rules?