Uncle Sam bug bounty program proves SNAFU, therefore declared success
Beads of sweat must have surely run down the face of one hacker as they inadvertently breached an internal US Department of Defence “website that requires special credentials to access” in a bid to score bug bounty cash.
The unnamed hacker used twin chained vulnerabilities to gain access to the Army network via an unpatched site and a misconfigured proxy.
The launching point, goarmy.com, was used to find an open proxy that led the hacker to the access-controlled internal DoD properties.
Defence quickly patched the flaw after it was reported through the Hack the Army bug bounty that ran from November to December 21, 2016, the Army says.
“They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system,” Hack the Army staffers say.
“On its own, neither vulnerability is particularly interesting, but when you pair them together, it’s actually very serious.”
The Army remediation team and the Army Cyber Protection Brigade patched the bugs, breaking the attack chain and preventing further exploitation.
It says the first bug, one of 118 eligible reports, was discovered five minutes after the program was launched.
The agency paid out some US$100,000 in bug bounty rewards.
Of the 371 participants, 25 were employed by the state and 17 by the Army.
The US Army indicated it may be launching another bounty or similar service due to the success of its November venture.
There is no word on whether the chained vector had been used to breach the Army previously.
Defence has been asked for comment. ®