I'm not sure on the architecture of simple machines forums/and this one specifically but a lot of user account hackings can occur from people using weak passwords. I'm not sure I want to cover the details on how to do this without or with the database but it's possible either way if the passwords used aren't very advanced - especially if a user lists the country they're from or you can guess the country/area. It could also be possible to send a phishing link to someone's email and get them to log in/interact with it to get access to their email and/or their account.
I think I'd agree that the bug bounties might be a bit low - potentially the Javascript one of you can inject a photo that is able to deanonymise someone even just on one particular browser - but I'm not sure the best way to increase them either or whether it's even a good idea to (should you wait with a gulnerability you've found because you think they rates will go up again?)
Topic: Is Security Bounty still Active? (Read 100 times)
What kind of vulnerability security bounty hunter got $19 000?
https://bitcointalk.org/sbounties.php
When I look at the meta board, there are a lot of threads want to recovery hacked account, this means lots of hackers with technical skill hanging out here. What does he get? , nothing, just an account with tagged hacked which can't do anything here.
Hackers can get more than that.
but don't forget
even on meta though
good luck
https://bitcointalk.org/sbounties.php
When I look at the meta board, there are a lot of threads want to recovery hacked account, this means lots of hackers with technical skill hanging out here. What does he get? , nothing, just an account with tagged hacked which can't do anything here.
Hackers can get more than that.
Quote
- $50 000: If you can access any user's PMs arbitrarily, without any interaction from the user, and without any secret data such as user passwords.
- $20 000: If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords. If you already have an email address, matching it to a user is not a bug.
- $10 000: If you can make undetectable edits to arbitrary posts or PMs. Compromising a moderator account doesn't count.
- $2 000: If you can send a user a link, and if they click on it then you will be able to gain access to their account automatically, without any further action from them aside from just visiting one link. Phishing sites don't count; it has to be some sort of CSRF-type attack. You can't assume that you have any secret data about the user such as their session cookie.
- $2 000: If a regular user without any special permissions can persistently inject JavaScript into a page. If you need a more privileged user, the award amount is halved, and there is no award if you need an administrator account.
- $1 000: If you can move or delete a post that you are not supposed to be able to.
but don't forget
Quote
You must not publish it elsewhere or share it with anyone else.
even on meta though
good luck
Jump to: