Security researcher earns $15000 biggest bug bounty for Russian internet company giant Mail.Ru

-



Security researcher Ramazan (r0hack) discovered a Bind (time-based) SQL injection in https://city-mobil.ru website due to the unsafe usage of the GET parameter for which he was awarded $15000

So far, this is the largest awarded vulnerability disclosed in Mail.ru and the second biggest bounty awarded on the bug bounty platform Hackerone after just one bug bounty award of $20000

Time-based SQL Injection is an SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE which will allow the attacker to figure out if the payload used true or false

Full details of the vulnerability have not been yet polished by the researcher and more information can be found at https://hackerone.com/reports/868436

Mail.Ru is a major Russian internet company whose sites reach approximately 86% of Russian Internet users on a monthly basis and is in the top 5 of largest Internet companies. Mail.Ru controls and operates the most popular Russian social networking sites.

Mail.Ru Group also offers a variety of online communication products and entertainment services for Russian speakers all over the world

Ramazan can be contacted on twitter as r0hack

Comments

Post a Comment

Popular posts from this blog

Technical Interview Questions Network/Security Jobs

-
Image
  What is a register? https://whatis.techtarget.com/definition/register What command would you use to view the last lines in a file? https://en.wikipedia.org/wiki/Tail_(Unix) In computer networking, what is MTU? https://en.wikipedia.org/wiki/Maximum_transmission_unit What is a Botnet? https://en.wikipedia.org/wiki/Botnet What is MetaSploit? https://en.wikipedia.org/wiki/Metasploit_Project What is Wireshark? https://en.wikipedia.org/wiki/Wireshark What is Base64? https://en.wikipedia.org/wiki/Base64 What is hashing-vs-encryption-vs-encoding? https://cheapsslsecurity.com/blog/explained-hashing-vs-encryption-vs-encoding/ https://www.packetlabs.net/encryption-encoding-and-hashing/geeksforgeeks.org/encryption-encoding-hashing Put the following layers in correct order in the OSI model: •          Application layer •          Data link layer •          Network layer •          Physical layer •          Presentation layer •          Session layer •          Transport layer   https://en.wikiped
Read more

Over $105 Million in cash has been delivered by postmen to bank account holders across India at their doorstep

-
Image
Aadhaar is the world’s largest  biometric ID system  in India. An Aadhaar number is a 12-digit random number issued by the Government Authority to the residents of India after satisfying the verification process. Any individual, irrespective of age and gender, who is a resident can voluntarily enrol to obtain a Aadhaar number. The residents have to provide minimal demographic and biometric information to sign up which is absolutely free of cost. The uniqueness is achieved through the process of demographic and biometric data. India Post Payments Bank had introduced the Aadhaar Enabled Payment System (AePS) Services in Sept 2019. With AEPS any one with a bank account linked to their Aadhaar number can make cash withdrawals and balance enquiry regardless of their Bank. They can simply authenticate their identity with a fingerprint scan & Aadhaar authentication details to complete a transaction. AEPS is able to achieve low-cost cash delivery to the doorstep of various sections of
Read more