Detectify Crowdsource is our crowdsourced security initiative that allows us to implement white-hat hacker knowledge into our service and work with 100+ of the world’s best ethical hackers. Read our community manager Kristian Bremberg’s recap to find out what’s been going on in the Crowdsource community the past month.
August marks the best month so far
In August, submissions from Detectify Crowdsource generated more than 1500 unique hits in total, which is a monthly all-time high! Security never sleeps, so a big thank you to all our Crowdsource hackers for submitting new vulnerabilities that helped secure our users.
Top finding: URL path traversal due to url-encoded slashes
Nearly half of the hits were generated by one single module: URL path traversal due to url-encoded slashes. The submission itself is not critical, but can easily be used together with other vulnerabilities, which could lead to severe consequences. The vulnerability relies within certain load balancers configuration, which makes it possible to append paths via path traversal so that data (such as tokens) in the URL can be leaked to an attacker’s website.
Severe Flash vulnerabilities
August was also the month of severe Flash vulnerabilities. A great deal of them were submitted to the platform, such as XSS vulnerabilities in bookContent.swf, ZeroClipboard.swf and Jplayer. This proves that Flash is a dying technology with increasing amount of vulnerabilities, and we hope that this trend keeps rising; more submissions for technologies that are disappearing from the Internet, such as Flash, Java and Silverlight.
This month’s CS Hacker: Evgeny Morozov
We would also like to thank Evgeny Morozov, a highly skilled hacker in Crowdsource, who found a vulnerability which made it possible to validate a domain in Detectify by using a DNS spoofing vulnerability.
For this, Evgeny earned a place in our Hall of Fame.
Big plans for the future
The team behind Detectify Crowdsource has planned the roadmap for the upcoming years. We aim to make Crowdsource the ultimate bug bounty experience, and have a lot of plans on how the platform should develop in the future. We believe in the idea to include real, top skilled hackers in building a security tool, which means its authentic white-hat knowledge that will make the Internet a more secure place.
We’re looking for more researchers
If you’re ready for a new challenge in your bug bounty life, we recommend you to try out Detectify Crowdsource. We are inviting the best hackers from all over the world to join our platform – and all competences are welcomed. With your unique way of hacking, you can both make the Internet a secure place while earning a bounty along the way! If you think you have what it takes, please write a short introduction to crowdsource@detectify.com, and we will get back to you if your skillset is relevant for our platform.
Read more: How to become a Crowdsource hacker
That’s all for now!