Metacurity


Polygon Paid Two White Hat Hackers $3.46 Million Bounties For Discovering Critical Flaw

Misconfigured Sega bucket exposed 250K user email list, Missouri governor is still threatening charges against journalist, Huawei faces big revenue drop, Six Netgear routers suffer serious flaws, more

Cynthia Brumfield
Dec 31, 2021

Ethereum scaling project Polygon announced that it successfully fixed a critical network vulnerability that put its MATIC token at risk after a group of whitehat hackers notified bug bounty platform Immunefi of the flaw. However, a hacker was able to steal $2.04 million in MATIC before Polygon implemented the fix.

Polygon executed the fix on December 5 without impacting the liveness and performance of the network in any significant way. Polygon paid a total of about $3.46 million as bounty to the two white hat hackers. (Yogita Khatri / The Block)

Related: The Crypto Basic, The Mac Observer, Slashdot, CryptoPotato, NDTV Gadgets360.com, Slashdot, Polygon

visi @invisig0th
A $2.2M bounty for a "check that the sender actually has enough funds for the transaction" bug. Move over IOT, there's a target with better lunch money!

Immunefi @immunefi

Polygon bugfix postmortem! Whitehat @leonspacewalker receives a big $2.2m bounty for his critical find. https://t.co/yfNZeN0kZO

December 30th 2021

12 Retweets, 61 Likes

VPN Overview discovered a misconfigured Amazon Web Services S3 bucket that exposed sensitive information, including credentials, which allowed researchers to upload arbitrary files to a massive swath of Sega-owned domains and to abuse a 250,000-user email list.

The domains impacted included the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta, and Total War, as well as the Sega.com site itself. An improperly stored Mailchimp API key gave VPNO access to the email list. (Bryan Menegus / Engadget)

Related: Gamepur, VPN Overview, Techradar, Slashdot

Missouri Governor Mike Parson said he believed the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.

In October, a Post-Dispatch reporter alerted the state to a data issue contained on a Department of Elementary and Secondary Education website that left Social Security numbers of educators vulnerable to public disclosure. The newspaper didn’t publish its report until after the officials moved to protect the vulnerable information and did not reveal any personal information. The journalist used open-source tools, specifically the ability to view publicly accessible HTML code, to make his discovery. (Jack Suntrup / St. Louis Post-Dispatch)

Related: Boing Boing

Peter Bonilla @pebonilla
Gov. Mike Parson, armed with bad, wrong analogy about lock picking and burglary, confident prosecutors will charge @stltoday reporter who alerted state to flaws in education website compromising the information of its teachers
stltoday.com/news/local/gov…

December 30th 2021

71 Retweets, 237 Likes

Harry McCracken @harrymccracken
This is easily solved: We just need to make websites without using HTML from now on.
Parson says he believes prosecutor will bring charges in Post-Dispatch case: Missouri Gov. Mike Parson on Dec. 29, 2021, talks about possible charges against the Post-Dispatch from the Cole County prosecuting attorney after the paper in October alerted officials to a data vulnerability on a state website. (stltoday.com)

December 31st 2021

10 Likes

Apple’s location-tracking AirTags are an increasing concern among privacy experts as evidence mounts that the devices may be abetting a new form of stalking and theft.

The West Seneca Police Department in New York recently warned of the tracking potential of the devices after an AirTag was found on a car bumper. Apple complied with a subpoena for information about the AirTag in the case, which may lead to charges. A local police department in Canada investigated five incidents of thieves placing AirTags on “high-end vehicles so they can later locate and steal them.” (Ryan Mac and Kashmir Hill / New York Times)

Related: Daring Fireball, Slashdot

Matthew Green @matthew_d_green
Moms are the real tracking threat. https://t.co/xwBlMa5b2n

Ryan Mac 🙃 @RMac18

@kashhill We spoke to one high school senior who was notified she was being tracked by an unknown AirTag and frantically searched her car, only for her mom to tell her later that she put it on the vehicle to track her whereabouts. https://t.co/4WLsEfJRgw https://t.co/FkoAzzamvA

December 30th 2021

43 Retweets, 172 Likes

The Have I Been Pwned data breach notification service now lets users check whether their email addresses and passwords are among the 441,000 accounts stolen in a campaign using the RedLine information-stealing malware.

The malware attempts to steal cookies, credentials, credit cards, and autocomplete information stored in browsers. It also steals credentials stored in VPN and FTP clients, steals cryptocurrency wallets, and can download additional software or execute commands on the infected system. Security researcher Bob Diachenko found a server exposing over 6 million RedLine logs, including numerous credentials for the LastPass password manager, collected in August and September 2021. (Lawrence Abrams / Bleeping Computer)

Related: TechDator, Reddit - cybersecurity, Security News | Tech Times

Have I Been Pwned @haveibeenpwned
New breach: Logs from the RedLine Stealer malware were left publicly exposed and contained usernames, email addresses and plain text passwords. 26% were already in @haveibeenpwned. Read more:

Bob Diachenko @MayhemDayOne

Redline Stealer malware logs with more than 6M records were exposed online, publicly (now taken down). Internationally sourced data, exfiltrated in Sept and Aug 2021. RS is the key source of identity data sold on online criminal forums since its initial release in early 2020. https://t.co/kv9MNL8hAE

December 30th 2021

87 Retweets, 163 Likes

Troubled Chinese telecom tech provider Huawei said it expects revenue for this year will come in at 634 billion yuan ($99 billion), a 28.9% drop from a year ago, as the company suffers from U.S. sanctions, the semiconductor shortage, and a global slump in demand for smartphones.

In 2019, the U.S. put Huawei on a denylist that restricted American companies from selling technology to the Chinese company due to fears that Huawei cooperates with Beijing in placing surveillance or other technology into its gear that might jeopardize U.S. national security. (Evelyn Cheng / CNBC)

Related: The Guardian, Gizchina.com

Researchers at Tenable found half a dozen high-risk vulnerabilities in the latest firmware version for the Netgear Nighthawk R6700v3 router. Tenable disclosed the issues to the vendor on September 30, 2021, but the flaws remain unpatched at publishing time.

The flaws could allow an attacker on the network to take complete control of the device. Tenable also found several instances of jQuery libraries relying on version 1.4.2, which is known to contain vulnerabilities. (Bill Toulas / Bleeping Computer)

Related: Tenable

Image by Peter Patel from Pixabay

© 2022 DCT Associates