Slashdot Mirror
Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com)
Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which they invite 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to."
An anonymous reader quotes Threatpost:
The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.
"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
How long have the Russians known about this, and what have they done with it?
Posting anonymously for reasons.
The US army has competent personnel - very little of what goes on at Ft. Huachuca is public, the army ITOC has always been a good place for zero day exploits, and there's a small army of civilian contractors at places (Aberdeen and others) that do some interesting things.
Here's the thing: When an army grey hat / white hat discovers something interesting, or creates something interesting, they don't get PERSONAL credit - they don't go hack a database, or deface a website and splay their name and try making the news. You don't hear about them. The image of "solo rogue hacker" is out of a 90s movie, and most people classifying themselves as such - in need of a classification or identification - are script kiddies. We have shops. They have shops. It doesn't do anyone good for everyone to be talking about them.
But don't kid yourself that there's no talent - or that this fun PR event was the summation of assembled talent.