BLACK HAT Dylan Ayrey, a bug hunter and CEO of Truffle Security, discovered a credential dump at a big data company containing personal information belonging to about 50,000 of its users, and the company still hasn’t fixed it.
This happened while he was researching cross-site scripting (XSS) vulnerabilities, and through the disclosure and reporting process the data passed through several third-party systems, among them the bug bounty platform, XSS Hunter and Gmail, not to mention his own hard drive and backups.
Turns out the FAANG (Facebook, Amazon, Apple, Netflix and Google in the pre-Alphabet days) biz never disclosed the dump, and Ayrey and the third parties still have access to the sensitive data.
Ayrey detailed this bug hunting expedition onstage at the Black Hat conference in Las Vegas, and the punch line is that this isn’t an isolated experience. There’s a ton of personal data stored on researchers’ laptops and bug bounty platforms, some of which don’t require multi-factor authentication …
Source: Healthcareitnews.com