Will pay you $10,000+ for mind-boggling exploits.
If you want to get rich quick and have a deep understanding of how web browsers work and, more importantly, how to exploit them, then there is good news: Mozilla has just announced that it too will be paying money for the discovery of various security vulnerabilities.
As a result, the updated Client Bug Bounty Program will reward anyone who creates or reports a:
Plain text is not the way to go.
Just over a year ago, Alibaba acquired UCWeb, the company behind UC Browser, which has a mind-boggling user base of 500 million and more than 100 million daily active users.
However, as it turns out, there is a pretty serious “flaw” (or lazy design) which would allow anyone on the network path to identify your phone number, search queries, location and the device itself. What do we mean by lazy design? Well, it’s not exactly a security vulnerability: the only issue with UC Browser is that it does not encrypt its traffic, which could allow your network operator or any in-path actor on the network to read your data.
You know how you visit a web page only to see four different “download” links and end up confused about which one is real? Well… Good news for pretty much every single person out there. Starting from June 1st, Microsoft’s SmartScreen Filter (for Internet Explorer and Edge) will become much smarter and better at protecting users.
According to the software giant, Microsoft will start reporting such ads as unsafe when a user goes ahead and clicks on one of them. Thanks to the updated guidelines, here is what ads must not do in order to be marked as safe by the SmartScreen Filter:
Get your debuggers going.
It looks like Microsoft has finally decided to borrow one of Google’s ideas: rewards for finding serious web browser bugs.
While a rewards program is not exactly new on the software giant’s campus, those who wanted to do some serious debugging of Project Spartan will finally be rewarded the right way: up to $15,000 for a security vulnerability.
The bad news? The clock is ticking, and this is not exactly a campaign for a lifetime. Instead, the Project Spartan Bug Bounty will end on June 22, 2015.
Grab it now.
In an effort to protect its users’ privacy, the developers of the Firefox web browser have made some serious changes that will allow non-HTTPS (http://) traffic to be encrypted.
How is that even possible? You can thank opportunistic encryption, a technique that encrypts the communication when connecting to another system. As a result, Firefox will route HTTP (port 80) requests that are usually sent in cleartext to a port of the server administrator’s choice. In addition to that, users won’t experience any delays, as connections will be fully established before they are even used.
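The mechanism behind this is the HTTP Alt-Svc response header (RFC 7838): the server answers a cleartext request with a header such as `Alt-Svc: h2=":443"`, and the browser then carries later requests for the same http:// origin over an encrypted HTTP/2 connection to the advertised port. The Python below is an added example, not Firefox or Mozilla code; it parses that header and models the client-side choice in simplified form. The constructed header values and the same-host rule (an unauthenticated opportunistic connection must not be redirected to a different host) are this example’s own assumptions.

```python
"""Parse an HTTP Alt-Svc header and pick the alternative an http:// client
doing opportunistic encryption would use.

Added example with constructed inputs; a simplified model, not Firefox code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AltService:
    protocol: str         # ALPN protocol id, e.g. "h2"
    host: Optional[str]   # None means "same host as the origin"
    port: int
    max_age: int          # seconds; RFC 7838 default is 24 hours


def _split_top_level(value: str) -> List[str]:
    """Split a comma-separated header list, ignoring commas inside quotes."""
    fields, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf))
    return [f for f in fields if f.strip()]


def parse_alt_svc(header: str) -> List[AltService]:
    """Return the alternatives advertised in an Alt-Svc header value.

    The special value "clear" tells the client to forget cached
    alternatives, so it yields an empty list. Malformed entries raise.
    """
    header = header.strip()
    if not header or header.lower() == "clear":
        return []
    services = []
    for field in _split_top_level(header):
        parts = [p.strip() for p in field.split(";")]
        alternative, params = parts[0], parts[1:]
        if "=" not in alternative:
            raise ValueError(f"malformed alternative: {alternative!r}")
        protocol, authority = alternative.split("=", 1)
        if not (authority.startswith('"') and authority.endswith('"')):
            raise ValueError(f"alt-authority must be quoted: {authority!r}")
        authority = authority[1:-1]
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"alt-authority needs a port: {authority!r}")
        max_age = 86400
        for param in params:
            name, _, value = param.partition("=")
            if name.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        services.append(AltService(protocol.strip(), host or None, int(port), max_age))
    return services


def choose_opportunistic(origin_host: str, header: str) -> Optional[AltService]:
    """Pick the alternative used to upgrade an http:// origin to encrypted h2.

    Assumption of this model: because the TLS connection is opportunistic
    (not authenticated for the origin), only alternatives on the same host
    are accepted, so an injected header cannot divert traffic elsewhere.
    """
    for alt in parse_alt_svc(header):
        if alt.protocol != "h2":
            continue
        if alt.host is not None and alt.host.lower() != origin_host.lower():
            continue
        return alt
    return None


if __name__ == "__main__":
    # Constructed header as a server administrator might send it.
    sample = 'h2=":443"; ma=3600, h2="alt.example.com:8443"'
    for alt in parse_alt_svc(sample):
        print(alt)
    print("chosen:", choose_opportunistic("www.example.com", sample))
```

The selection loop is where a real client adds policy: besides the same-host check shown here, a browser also has to honour `ma` expiry and fall back to plain port-80 HTTP when the alternative connection cannot be established, which is why the article notes that connections are fully set up before they are used.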
Ad agencies rejoice.
Remember when Microsoft was all pro-consumer, pro-privacy and all that? It earned praise from various companies and users after deciding to enable Do Not Track (DNT) by default in both IE10 and IE11.
Well, the good news is over, as Microsoft has just changed its mind and won’t be enabling the feature by default.
Why? The recent W3C draft update now includes the following: “The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed”
Sneaky ad-injecting extensions are a no-go.
Good news for users and bad news for developers: in a recent crackdown, Google has identified and removed a total of 192 Google Chrome extensions that had been injecting ads for millions of users.
As it turns out, more than 5% of all people who visited Google sites had at least one ad injector installed; all in all, it affected a total of 14 million users.
A total of $442,000 paid in bounties to all contestants.
Well, it seems like no one was safe in this year’s Pwn2Own hacking competition, as all four major web browsers failed to protect their users.
The star of this contest, however, was Jung Hoon Lee (lokihardt), who managed to reap $225,000 in rewards, breaking through Chrome’s security with a buffer overflow (which earned him $110,000) and then exploiting Microsoft’s Internet Explorer ($65,000 in rewards), followed by Apple’s Safari ($50,000 in rewards).
That should be enough to improve his life for good.
Now here’s something that should definitely concern you. According to a recent report, there is a way to reveal typed-in passwords in Internet Explorer 11 (on Windows Phone 8).
All you have to do is:
- Enable Cortana if not yet enabled
- Type the password
- Highlight the password (we’re talking about ******) and then hit the search button
- Congratulations, you are now seeing a supposedly hidden password
Apple tops the OS chart.
In a recently published study by GFI, which took a database of vulnerabilities published in 2014 and turned it into a chart that makes sense, it looks like Microsoft’s Internet Explorer still has a long way to go until it’s no longer the most vulnerable web browser out there.
As you can see in the chart below, the top application by vulnerabilities reported in 2014 was indeed Internet Explorer (242), followed by Google Chrome (124) and Firefox (117).