“What UGWST (Talaria) reported to MetaMask was that, under certain circumstances, they could get the MetaMask extension to run in an iframe. They illustrated that a bad actor could harness certain resources made web-accessible by the MetaMask extension to do so.”
The essential technique in this vulnerability is concealing the fact that MetaMask is open and that the user is actually clicking on it. In this scenario the user is directed to a web page, say an in-browser video game. The page loads, and the user has to click a number of buttons to set up the game and begin playing. The user clicks through these prompts without realizing that the game has their MetaMask extension superimposed on it, open in an iframe with its opacity set to zero: rather than clicking through prompts in a video game, they are clicking through prompts in MetaMask to send their crypto-assets to a malicious actor.
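The precondition for the overlay attack above is that the sensitive page can be loaded inside a third party's iframe at all. The following added example (not MetaMask's or Talaria's code) audits a web-served response's framing controls, the CSP frame-ancestors directive and the older X-Frame-Options header, against constructed sample responses; the origins used are assumed.

```javascript
// Added example: classify how a page's response headers react to being framed.
// Browsers let CSP frame-ancestors override X-Frame-Options when both are set.

// Parse a Content-Security-Policy header into a Map of directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Simplified frame-ancestors source matching: *, 'self', host or scheme://host
// patterns with an optional leading "*." wildcard ('none' is handled by caller).
function sourceAllows(source, pageOrigin, embedderOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return embedderOrigin === pageOrigin;
  const host = new URL(embedderOrigin).host;
  const pattern = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Returns "denied", "allowed" or "unprotected" for a response with `headers`
// served from pageOrigin when embedded by a document at embedderOrigin.
function assessFraming(headers, pageOrigin, embedderOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (h["content-security-policy"]) {
    const fa = parseCsp(h["content-security-policy"]).get("frame-ancestors");
    if (fa) {
      if (fa.includes("'none'")) return "denied";
      return fa.some((s) => sourceAllows(s, pageOrigin, embedderOrigin))
        ? "allowed" : "denied";
    }
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "denied";
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin ? "allowed" : "denied";
  return "unprotected"; // no framing control at all: overlay attacks are possible
}

// Constructed sample responses for a wallet confirmation page (assumed origins).
const WEAK = { "Content-Type": "text/html" };
const HARDENED = { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" };
```

For an extension page, which sets no HTTP headers, the equivalent controls are not exposing its UI pages as web-accessible resources and checking at runtime that it is the top-level document before rendering a confirmation.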
Kraken, a prominent cryptocurrency exchange, experienced a front-end vulnerability that resulted in multiple Cross-Site Scripting injections on its main domain. These vulnerabilities, which have since been effectively addressed and resolved, allowed malicious actors to inject and execute unauthorized code within the exchange's front-end interface. Kraken promptly took action to patch these vulnerabilities, ensuring the security and integrity of its platform.
Severity: High. Reward: $35,000
SushiSwap, a decentralized exchange (DEX) platform, addressed and resolved a critical vulnerability on its main domain. This vulnerability, which cannot be disclosed in detail due to confidentiality restrictions, was promptly identified and thoroughly investigated. The SushiSwap development team, in collaboration with the UGWST (Talaria) team, swiftly patched the vulnerability to ensure the continued security and integrity of the platform.
Severity: Critical. Reward: $50,000
UGWST (Talaria) has identified a critical severity vulnerability within the Evmos protocol application. The vulnerability has been addressed and all necessary patches have been implemented. Due to the confidential nature of the details, further information regarding the specifics of the vulnerability cannot be disclosed.
Severity: Critical. Reward: $30,000
“The vulnerability has been patched for all reported domains in 5.25 hours after receiving the report, and based on URL access logs no users have been affected.”
Malicious code injection potentially allowed an attacker to change the page contents and hijack user input on a Lido-owned domain. That makes the vulnerability critical in impact: an attacker could craft a specific link to, say, stake.lido.fi, so that users following that link would send funds to the attacker's wallet instead of the Lido staking contracts. Another high-impact attack vector would be preparing a link that adds a “share your seed phrase” form to the lido.fi landing page.
A previously identified vulnerability on a subdomain of the GMX DEX platform allowed unauthorized interaction with web3 wallets. This flaw, which has been addressed and patched, enabled potential access to wallet functionalities that were intended to be restricted. GMX promptly acknowledged the issue and generously rewarded us for the out-of-scope submission. Please note that further details regarding this vulnerability cannot be disclosed.
Severity: Critical. Reward: $20,000
An impactful vulnerability in the Wormhole Protocol on an out-of-scope subdomain was identified and reported by the UGWST (Talaria) team. This vulnerability was of high severity, enabling malicious activity. Upon UGWST's thorough disclosure, immediate corrective actions were taken by the Wormhole security team, and the vulnerability has been completely addressed and patched.
Severity: High. Reward: $10,000
It was possible to construct a Steam URL that began with "/tradeoffer/new" and included valid partner and token information, but which was in fact an external link. The crafted URL would be treated by the Steam Chat UI as a trade offer and given special visual treatment.
Severity: Medium. Reward: $750
An attacker can craft a malicious page and URL so that the user is tricked into using passbolt to autofill some credentials on the wrong domain.
Prior to Passbolt Extension v2.11.2, an attacker could, for example, create a page with the following URL: https://attacker.com/?https://valid-domain.com&https://valid-domain2.com. Passbolt would wrongly include the credentials saved for the valid domains among the suggestions offered for that URL.
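The Passbolt report above, and the Steam link-rendering issue before it, are both cases of a decision made on the raw URL string instead of its parsed origin. This added example (not Passbolt's or Valve's code) shows a substring-based suggestion rule beside an origin-based one, and generalizes the same rule to deciding whether a link is internal; the vault entries and link values are constructed.

```javascript
// Added example: key credential suggestions and "is this link internal?"
// decisions on the parsed origin of a URL, never on substring or prefix tests.

// Constructed vault entries, each recorded with the site URL it was saved for.
const VAULT = [
  { name: "valid-domain account", url: "https://valid-domain.com/login" },
  { name: "valid-domain2 account", url: "https://valid-domain2.com/" },
];

// Flawed matching: "does a saved hostname appear anywhere in the page URL?"
// https://attacker.com/?https://valid-domain.com&https://valid-domain2.com passes.
function suggestNaive(pageUrl, vault) {
  return vault
    .filter((e) => pageUrl.includes(new URL(e.url).hostname))
    .map((e) => e.name);
}

// Hardened matching: parse the page URL and compare origins (scheme, host,
// port). Nothing in the query string or fragment can influence the result.
function suggestByOrigin(pageUrl, vault) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return []; // unparsable URL: suggest nothing
  }
  if (page.protocol !== "https:" && page.protocol !== "http:") return [];
  return vault
    .filter((e) => new URL(e.url).origin === page.origin)
    .map((e) => e.name);
}

// Same rule for link rendering: resolve the href against the site origin and
// decide on the resolved origin, not on whether the string starts with a path.
function isInternalLink(href, siteOrigin) {
  try {
    return new URL(href, siteOrigin).origin === new URL(siteOrigin).origin;
  } catch {
    return false;
  }
}

// Constructed inputs: the crafted page from the Passbolt report, a legitimate
// page, and a protocol-relative link that starts with "/" yet leaves the site.
const CRAFTED = "https://attacker.com/?https://valid-domain.com&https://valid-domain2.com";
const LEGIT = "https://valid-domain.com/account/settings";
const OFFSITE = "//attacker.example/tradeoffer/new?partner=1&token=abc";
```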
A Reflected XSS vulnerability that could be chained to a Stored XSS attack in the Invision Community forums software used by PUBG.
Invision Community fixed this issue in release 18.104.22.168 https://invisioncommunity.com/release-notes/4491-r91/
PUBG has upgraded to the latest version which resolved the issue for our installation.
A critical severity report was submitted to Oracle regarding a vulnerability in their Business Intelligence Enterprise Edition, identified as CVE-2020-14815. Although specific details about the issue cannot be disclosed, it is important to note that the vulnerability has been patched.
Severity: Critical. Reward: $0
Due to an ongoing non-disclosure agreement (NDA), detailed information regarding a security vulnerability cannot currently be shared. However, we are pleased to announce that a bounty amount has been allocated for this vulnerability. Please note that these limitations may change in the future, and we will provide additional information as it becomes available.
Severity: High. Reward: $20,000
Due to an ongoing non-disclosure agreement (NDA), detailed information regarding a security vulnerability cannot currently be shared. However, we are pleased to announce that a bounty amount has been allocated for this vulnerability. Please note that these limitations may change in the future, and we will provide additional information as it becomes available.
Severity: High. Reward: $8,000
Due to an ongoing non-disclosure agreement (NDA), detailed information regarding a security vulnerability cannot currently be shared. However, we are pleased to announce that a bounty amount has been allocated for this vulnerability. Please note that these limitations may change in the future, and we will provide additional information as it becomes available.
Severity: Critical. Reward: $10,000
OpenSea's security team promptly identified and remediated all reported vulnerabilities to ensure the protection of user data and maintain the integrity of the marketplace. By implementing comprehensive security measures, OpenSea has successfully patched these vulnerabilities and fortified the platform against potential attacks.
While specific details of the vulnerabilities cannot be disclosed for security reasons, users can rest assured that OpenSea has undertaken the necessary steps to safeguard their assets. OpenSea remains committed to providing a secure and trustworthy environment for users to buy, sell, and trade NFTs.
Coinbase experienced a series of vulnerabilities across multiple domains and its mobile application. These vulnerabilities, which have since been addressed and patched, posed potential security risks to users and their digital assets. Coinbase swiftly responded to these vulnerabilities, employing rigorous security measures to protect user information and assets.
Severity: High, Critical. Reward: $155,000
A critical vulnerability was identified and successfully addressed on the RainbowBridge decentralized exchange. This vulnerability, which has been remediated, posed a significant risk to the platform's security and functionality. The Aurora team promptly addressed the issue, implementing necessary patches to ensure the protection of user funds and the integrity of the platform.
Severity: Critical. Reward: $50,000
A significant security flaw that enabled unauthorized web3 wallet access was identified and promptly resolved on the LooksRare NFT platform. Due to confidentiality restrictions, specific details regarding the vulnerability cannot be disclosed. However, it is important to note that immediate action was taken to patch the issue.
Severity: Critical. Reward: $60,000
A security flaw in the MakerDAO voting platform enabled the injection of cross-site scripting, allowing unauthorized access to web3 wallets. Through this vulnerability, attackers were able to manipulate voting outcomes and potentially compromise user funds. However, the MakerDAO team swiftly identified and addressed the issue, implementing patches that effectively mitigated the risk. The platform now operates securely.
Severity: Critical. Reward: $50,000
In compliance with security protocols, details of a significant flaw discovered in the BendDAO NFT marketplace cannot be disclosed. The critical vulnerability, which had the potential to compromise platform integrity and user assets, has been duly patched.
Severity: Critical. Reward: $20,000
CVE-2020-3866 was a severe vulnerability identified in Apple's macOS that could have had significant implications if exploited. The flaw allowed Gatekeeper, macOS's security feature, to be bypassed while searching for and opening files from a Network File System (NFS) mount under an attacker's control. Successful exploitation could have allowed unauthorized code execution, thereby breaching the system's security. This issue has since been entirely resolved by Apple through subsequent security patches, ensuring the continued safety and integrity of macOS systems.
Severity: Critical. Reward: $28,000
Through a logic error in file name parsing, it was possible for a malicious actor to send a specially crafted zip file to a target user which, when opened in the Mac app, would execute any application or executable in ~/Downloads. Furthermore, we discovered two ways to bypass the file upload restrictions that let us send files with any extension to users, for example .terminal files. Combining both logic errors, an attacker could send a malicious executable and then a malformed zip file that executed it, bypassing all file transfer restrictions and gaining code execution on unsuspecting users.
Severity: High. Reward: $3,500
In an exclusive interview, Reddit's CISO and VP of Trust, Allison Miller, along with the resident Security Wizard, Spencer Koch, and Reddit's top hacker, René Kroka, representing the UGWST (Talaria) team, shared their insights. This article provides a comprehensive account of Reddit's bug bounty achievements, their objectives and measurable outcomes, their innovative approach of leveraging hackers to enhance security in software development, and offers a fascinating glimpse into the experience of hacking one of the world's foremost social networks.
Severity: Low, Medium, High, Critical. Reward: $84,000
A high severity Stored Cross-Site Scripting vulnerability was discovered in Microsoft Teams. Although specific details regarding the vulnerability cannot be disclosed, it is important to note that the issue has been addressed by the Microsoft security team.
Severity: High. Reward: $14,000
A critical severity report was submitted to IBM regarding two instances of XML External Entity Injection (XXE) vulnerabilities. The first vulnerability, labeled CVE-2019-4433, was found in IBM Infosphere GNM. The second vulnerability, labeled CVE-2019-4062, was identified in IBM i2 Analyst's Notebook. Due to security concerns, detailed information about the vulnerabilities cannot be disclosed. However, it is worth noting that the vulnerabilities have been addressed and patched by IBM.
Severity: Critical. Reward: $0