🐝 Hive Five 97 – Email Graffiti, The anatomy of a MP4 file, and Learning lockpicking while blind, divergent, and more

Hi friends,

Greetings from the hive!

I hope you had a wonderful weekend and to those celebrating, a nice Thanksgiving.

The recent Mastodon exodus made me look for a way to cross-post to Twitter, and vice versa. This led me to Moa. I’ve only used it for a couple of hours, but so far, so good.

What have you automated lately?

Let's take this week by swarm!

🐝 The Bee's Knees

1. So, you want to get into bug bounties? Shubs, a 10 year bug bounty veteran, genuinely believes that hard work and a dedication to learning will lead you to success in bug bounties. more

2. Corben Leo hacked a phone company earlier last year. He found a stupidly simple way to view the call logs of 50M customers. more

3. Email Graffiti: hacking old email. Not long ago security researchers found they could take over old tweets that linked to links that don’t work anymore. Did you know you can do the same thing with email? more | blog

4. Learning Lockpicking while Blind, Divergent, and More. more

5. Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs - Specifying the Host: header results in unpredictable behaviour. more

️💪 Sponsor

Want me to write about your company? Sponsor the Hive Five.

🔥 Buzzworthy

✅ Changelog

1. j3ssie/metabigor v1.2.3: OSINT tools and more but without API keys. more

2. danielmiessler/SecLists release 2022.4: the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. more

📅 Events

1. TomNomNom is speaking at NahamCon2022EU on December 17. more

2. hakluke is doing a talk at IWCon 2022 about how he identified a prolific IRL scammer using OSINT techniques at December 17-18. more

3. Looking for an opportunity to demonstrate your skills with Burp Suite? Complete the challenges by 31 December 2022 for chances to prove your skills, win swag, and a Burp Suite Certified Practitioner exam credit. more

🎉 Celebrate

1. Mastering Burp Suite Pro has 12,000 followers. Congrats! more

2. The Bug Bounty Québec event by ramsexy was a huge success. Love it! more

3. Farah Hawa unlocked a full circle moment speaking at her old school, addressing over 400 girls about cybersecurity and bug bounties. Nice one! more

💰 Career

1. The Paranoids at Yahoo are hiring for Incident Response intern program (Summer 2023). more

⚡️ Community

1. d0nut's last three streams have been good. Welcome back! more

2. STÖK removed all monetization. more

3. Here's why you need HackerContent. more

📰 Read

1. hipotermia struck back at a phishing campaign. more

2. Hacking in the Cloud - Cloudgoat: ec2_ssrf. Starting off as a low-privileged user, a misconfiguration in the Lambda service made lateral movement to a user with EC2 access was possible. more

3. CVE-2022-41924 - RCE in Tailscale, DNS Rebinding, and You. more

4. Remote Command Execution in a Bank Server. more

5. Remote Code Execution in Spotify’s Backstage via vm2 Sandbox Escape (CVSS Score of 9.8). The Oxeye research team has been able to gain remote code execution in Spotify’s open source, CNCF-incubated project—Backstage, by exploiting a VM sandbox escape through the vm2 third-party library. more

📚 Resources

1. The anatomy of a MP4 file. more

2. Search Evasion Techniques aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. more

3. Using stylometry to find HackerNews users with alternate accounts. more

🎥 Watch

1. A New HOPE (2022) - ActivityPub Four Years Later: The Good, the Bad, and the Fedi. more

2. HackTheBox - RedPanda walkthrough. more

3. Most important security lessons of 2022 for more

4. Discover Publicly Exposed Cloud Resources in AWS. One of the biggest concerns over the use of cloud services is the potential risk of exposing data and resources publicly. more

5. Can You Spot The Vulnerability? Cross-site WebSocket Hijacking. more

🎵 Listen

1. DAY[0] 170 - Hacking Pixel Bootloaders and Injecting Bugs. more

2. DAY[0] 169 - Racing Grafana, Stealing Mastadon Passwords, and Cross-Site Tracing. This week has the return of cross-site tracing, HTML injection, a golang specific vulnerable code pattern, and a fun case-sensitivity auth bypass. more

3. Smashing Security 299 - EV charging risks, FTX, and an ancient apocalypse. more

4. Malicious Life - Jailbreaking Tractors. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have **every cloud resource you need** at an affordable price.

Subscribe to Premium to read the rest.