News

1/23/2017
09:20 AM
50%
50%

US Army Bug Bounty Program Fixes 118 Flaws

The Hack the Army program, sponsored by the US Army, received 400 bug reports and paid more than $100,000 to hackers who found 118 unique bugs.

Hack the Army, a bug bounty program launched by the US Army in November, received more than 400 bug reports in its three-week trial. Of these, 118 bugs were unique and could be fixed, reports Threatpost. White hat hackers and government employees were among 371 participants in the program, which paid upwards of $100,000.

"We recognize we cannot continue to do business the way that we are, and that we're not agile enough to keep up with things that are happening in the tech world," former Army Secretary Eric Fanning said while launching the program. "There are people all over the world trying to get access to our sites, our data, our information," he added.  

One of the concerns involved goarmy.com. The website had two bugs that could be used in tandem to access the internal Department of Defense website sans password, due to poor routing security and a vulnerability within the system.

"On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious," explained HackerOne, the platform for Hack the Army and Hack the Pentagon, an earlier government bug bounty program.

Read details on Threatpost.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
How Well Is Your Organization Investing Its Cybersecurity Dollars?
Jack Jones, Chairman, FAIR Institute,  12/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1480
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. If a Cross-Site Scripting vulnerability also existed attackers may be able to get the cookie values via malicious JavaScript and then hijack the user sessi...
CVE-2018-1481
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 140763.
CVE-2018-1484
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent...
CVE-2018-1485
PUBLISHED: 2018-12-12
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 140970.
CVE-2018-1901
PUBLISHED: 2018-12-12
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used. IBM X-Force ID: 152530.