Blog Post

Software Vulnerabilities - "Beg Bounty" Hunters

Recent proliferation of fake bug bounty hunters and "vulnerability racketeers".


Intro

I am not sure if anyone else has experienced the same thing, but I am getting really annoyed by the recent deluge of new scammers. As someone who runs a website (with the security.txt file posted publicly), as well as someone who develops software, I always welcome reports of bugs and vulnerabilities in my products. Users who find bugs in what I write are always encouraged to report them privately and responsibly.

I have also always praised bug bounty programs that reward responsible disclosure of vulnerabilities to software developers. It is quite commendable in my mind when someone goes the extra mile to dig into the complex weeds of software code to find and disclose potential pitfalls.

But what seems to be happening recently is that there's always someone who is willing to abuse something that was good and benign, and make it difficult for the rest of us.

"Beg Bounty" Hunters

What started to happen in my case is that after I posted the security.txt file on my website, I believe that it got picked up by some script kiddies with automated crawlers. After that my inbox started to get inundated with "vulnerability reports", which I can't call anything other than just junk.

A reader of this post also noted that similar junk messages tend to come to a company's email addresses that start with well-known inbox names, such as: privacy@, security@ or webmaster@.

Because of these bad actors I don't blame any large companies that refuse to publish bug bounty programs. Individuals like the one that I will showcase here are the reason why those companies have to waste a lot of resources to deal with their bullshit.

Without further ado, let me give you an example of one such report that I received recently:

Hi team

I found a vulnerability in your website and want to disclose it to you.

Let me know if you have any active bug bounty program or is there any compensation for reporting vulnerabilities?

Looking forward to hearing from you

Best regards

-signed-

This cat was clearly fishing for a reward, as any decent bug report should not start with a hey-I-found-a-bug-now-pay-me line.

But as someone who posts an announcement for acceptance of bug reports, you can't just ignore these messages. So after I replied, I received the following:

UI Redressing ( ClickJacking ) Issue on <insert_website_here>

Hello,

Severity: Medium

I have found Click Jacking type of Vulnerability in your Website

Now The Question is What is Click Jacking. Click Jacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

How to Produce Click Jacking in your Website,
Steps to Produce this Issue:-
1) Create new .Html file. (I also send this file to you)
2) Copy & Paste this code in Html & save it

<html>

<style>
iframe {
width: 800px;
height: 500px;
position: absolute;
top: 0; left: 0;
filter: alpha(opacity=50);
opacity: 0.5;
}

</style>
<iframe src="https://dennisbabkin.com/php/<url>">
</html>

3) Open that html file and you will see your website content opening in another frame.

Impact

Revealing confidential information(credentials) AND/OR taking control of their computer/account while clicking on seemingly innocuous web pages.

Fix: Use a proper X-Frame to your website, So other domains can not use your website content, Mostly Spammers & Attackers can use this technique. (See My Example File too)

Glad to be, If you fix this Click Jacking flaw in your website.

For sure a click-jacking vulnerability is not a good thing, but my website is just a bunch of blog posts, articles and software pages that do not require user logins, and the pages that do have the X-Frame-Options header set. (While the comment section that requires user interaction for the blog is almost entirely controlled by Disqus.)

In other words, that person who submitted that report did not spend any significant amount of time to try to understand the nature of the product he had submitted a vulnerability report for.

He was just throwing that standard wording in an email against the wall, hoping that it may scare a webmaster into paying for his fake "bug report".
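One way to triage a framing report like the one above, as an added example (not code from this post or the site): it reads the anti-framing headers and rates the report valid only when the page is framable and has state-changing UI. The header samples are constructed, and `has_state_changing_ui` and the verdict labels are assumptions made for illustration.

```python
# Added example: triage a framing ("clickjacking") report from headers alone.
# Sample headers are constructed; has_state_changing_ui is a hypothetical input.

def framing_policy(headers):
    """Return 'blocked', 'same-origin', 'allowlist' or 'unrestricted'."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers that support CSP frame-ancestors prefer it over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "unrestricted" if "*" in sources else "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it and any
    # unknown value count as no protection.
    return "unrestricted"

def triage(headers, has_state_changing_ui):
    """Classify a report that only shows the page loading inside an iframe."""
    if framing_policy(headers) != "unrestricted":
        return "not reproducible"   # third-party framing is refused
    if has_state_changing_ui:
        return "valid"              # framable page with actions worth hijacking
    return "informational"          # framable, but read-only content

# Constructed samples: a static article, a login page, a CSP-protected page.
STATIC_ARTICLE = {"Content-Type": "text/html"}
LOGIN_PAGE = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
CSP_PAGE = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    print(triage(STATIC_ARTICLE, False))
    print(triage(LOGIN_PAGE, True))
    print(triage(CSP_PAGE, True))
```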

More Fakery

In case this individual sends the same report to other webmasters, I will post another example. I replied to the first report that it does not constitute a vulnerability, after which he began sending me more of his "bug reports".

This individual clearly has a lot of pre-written bug bounty submissions:

Content Spoofing/Text Injection on <insert_website_here>

Hello,
I'm -name-, White Hat Hacker

Severity: High

I have found a Content Spoofing/Text Injection on this domain dennisbabkin.com

POC Link: https://dennisbabkin.com/sfb/?what=glitch&name=It%20has%20been%20changed%20by%20a%20new%20one%20http://www.hackerhere.com%20so%20go%20to%20the%20new%20one%20since%20this%20one

IMPACT:

The issue can be used for an attacker to spoof content and phishing purposes.

Hope you fix it
thanks..

😂 Seriously?

The URL in question is designed to prefill the "Bug Report" page with whatever the affected software is sending in such a report. The server-side script is obviously escaping anything that it receives in the GET request before putting it in the form. In other words, the following would not work:

https://dennisbabkin.com/sfb/?what=glitch&name=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E

How that would qualify as a "High Severity" vulnerability from our "White Hat Hacker" friend is a mystery. 😂

At this point, I wonder what success rate he has emailing these fake reports to webmasters of smaller websites. I'm sure it is not zero. Otherwise our "White Hat Hacker" friend would not be sending these.
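The escaping described above, as an added example that is not the site's own script: both URLs quoted in this post are rendered into a prefilled form with output escaping, then the HTML is parsed back to confirm that only the form's own elements exist and each value round-trips as plain text. The form markup and the helper names are assumptions.

```python
# Added example: prefilling a form from GET parameters with output escaping.
# The form markup and field handling are assumptions, not the site's script;
# the two URLs are the ones quoted in the post.
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

BASE = "https://dennisbabkin.com/sfb/?what=glitch&name="
TEXT_URL = (BASE + "It%20has%20been%20changed%20by%20a%20new%20one%20"
            "http://www.hackerhere.com%20so%20go%20to%20the%20new%20one%20"
            "since%20this%20one")
SCRIPT_URL = (BASE + "%3Cscript%20type%3D%22text%2Fjavascript%22%3E"
              "alert%28%22hello%22%29%3B%3C%2Fscript%3E")

def prefill_form(url):
    """Render the form with 'what' and 'name' taken from the query string."""
    params = parse_qs(urlsplit(url).query)
    what = params.get("what", [""])[0]
    name = params.get("name", [""])[0]
    # escape() encodes & < > " and ', so a value can neither close the
    # attribute it sits in nor start a new element.
    return ('<form method="post">'
            f'<input name="what" value="{escape(what)}">'
            f'<input name="name" value="{escape(name)}">'
            '</form>')

class FormAudit(HTMLParser):
    """Collect start tags and input values from rendered HTML."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input":
            self.values[attrs["name"]] = attrs["value"]

def parse_back(url):
    """Return (start tags seen, decoded field values) for the rendered form."""
    audit = FormAudit()
    audit.feed(prefill_form(url))
    audit.close()
    return audit.tags, audit.values

if __name__ == "__main__":
    for u in (TEXT_URL, SCRIPT_URL):
        print(parse_back(u))
```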

What is also scary is that those are actual vulnerabilities that some websites could be subjected to, and by hijacking that wording, the con artist is making real threats less pronounced.

Conclusion

It is very regrettable that individuals like the one I showed above not only distract developers from their work but also waste their time hoping to get paid with their "beg bounty" attempts.

Worse yet, I don't know if there are any ways to discourage this behavior. At first I was thinking to post their names and email addresses in this post, but then I had a change of heart. I don't want to discourage anyone with genuine intentions, who spends their honest efforts to look for bugs, to responsibly submit them to developers.

As always, a handful of con artists seem to muddy the waters for the rest of us.

Sad.
