Fake Clickjacking Bug Bounty Reports: The Key Facts

Are you aware of fake clickjacking bug bounty reports? If not,
you should be. This article will get you up to speed and help you
to stay alert.

What are clickjacking bug bounty reports?

If we start by breaking up the term into its component parts, a
bug bounty is a program offered by an organization, in which
individuals are rewarded for finding and reporting software bugs.
These programs are often used by companies as a cost-effective way
to find and fix software vulnerabilities, thereby improving the
security of their products. They also help to build goodwill with
the security community.

Bounty hunters (or white hat hackers), for their part, get an
opportunity to earn money and recognition for their skills.

Clickjacking is a malicious technique used to trick users into
clicking on something that they think is safe, but is actually
harmful. For example, a hacker could create a fake button that
looks like the “like” button on a social media site. When users
click on it, they may unknowingly like a page or post harmful
content. While this may seem like a harmless prank, clickjacking
can be used for more malicious purposes, such as infecting a user’s
computer with malware or stealing sensitive information.

Given the potential damage clickjacking can cause, bug bounty
reports that identify cases of it can be very beneficial to an
organization.

My company doesn’t offer bug bounties. Does it need to?

As a bug bounty report can bring financial benefits to both the
bounty hunter and the organization, the former will often not wait
for an invite to hunt for bugs and will take a more proactive
approach. This means you could be sent bounty reports even if you
don’t have a formal bug bounty program in place. This practice –
where a report comes unsolicited with a request for money – is
often referred to as a “beg bounty”.

So what’s the problem?

There is a growing trend in fake bug bounty reports because
individuals are using scanning tools to generate “issues” and then
flagging them to as many organizations as possible without
consideration of the real risk.

While some will look fake, other reports may be sophisticated
enough to con an organization out of thousands of dollars. And by
falling victim, you don’t just pay a reward that is undeserved; you
also show the bounty hunter that you have limited security
expertise – a weakness they are highly likely to come back and
exploit.

Of course, shutting the doors and ignoring all bug bounty
reports is not the answer. There are genuinely good people out
there who are trying to help, and their discovery may just save
your business a lot of grief and expense.

So just how do you know if a bug bounty report is genuine,
particularly if you’re not a security professional or don’t have a
security team in place?

How to identify a fake clickjacking bug bounty report?

When such reports from people positioning themselves as security
experts appear, it can be hard to determine what is real and what
is fake, but there are companies that can review bug bounty
reports for you and give you that peace of mind. Certain
vulnerability scanning providers offer this as part of a service
that also keeps a continuous watch over your systems to identify,
analyse, and remediate critical vulnerabilities faster.

Intruder[1], which offers such a
service and has been helping clients uncover fake clickjacking bug
bounty reports for years, has seen an increase in cases recently.
Just a few weeks ago, one of its Vanguard[2]
customers was notified of an anonymous “vulnerability report.” The
reporter claimed to be able to bypass their clickjacking
protections using some publicly available JavaScript, but thanks to
the Vanguard team’s in-depth knowledge of the client’s systems, the
team was able to dismiss the report as fake very quickly.
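When a report claims, as the one above did, that a page’s clickjacking protections can be bypassed, the first triage step is to confirm what protection the page actually sends. The following is an added example, not code from the article or from Intruder: a small Python check over a captured set of HTTP response headers that applies the rules browsers use for X-Frame-Options and the Content-Security-Policy frame-ancestors directive. It assumes the headers of the page named in the report have already been captured (for example with curl -I); every header set it is exercised with is constructed.

```python
"""Triage helper for a clickjacking report: does the page's HTTP response
tell browsers to refuse framing?

Added example, not code from the article or from Intruder. It assumes the
response headers of the page named in the report have already been captured
(e.g. with `curl -I`); the header sets used with it are constructed.
"""
from __future__ import annotations

# CSP source expressions that let any origin (or any origin of a scheme)
# frame the page, so the directive restricts nothing useful.
_WIDE_OPEN = {"*", "http:", "https:"}


def csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frame_protection(headers: dict[str, str]) -> tuple[bool, str]:
    """Classify a response as (protected, reason).

    Rules applied, in the order browsers apply them:
      1. An enforced Content-Security-Policy with frame-ancestors wins, and
         X-Frame-Options is then ignored.
      2. Content-Security-Policy-Report-Only only reports; it blocks nothing.
      3. X-Frame-Options DENY or SAMEORIGIN is enforced; ALLOW-FROM is
         obsolete and current browsers ignore it.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            # An empty source list matches nothing, i.e. it behaves like 'none'.
            if ancestors in ([], ["'none'"]):
                return True, "CSP frame-ancestors 'none'"
            if _WIDE_OPEN & set(ancestors):
                return False, f"CSP frame-ancestors permits any origin: {' '.join(ancestors)}"
            return True, f"CSP frame-ancestors limits framing to: {' '.join(ancestors)}"

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        return False, f"X-Frame-Options value browsers do not enforce: {xfo.strip()!r}"

    if "frame-ancestors" in h.get("content-security-policy-report-only", "").lower():
        return False, "frame-ancestors only in Report-Only CSP: nothing is blocked"
    return False, "no X-Frame-Options and no CSP frame-ancestors directive"


def triage(report_url: str, headers: dict[str, str]) -> str:
    """One-line verdict for the ticket that tracks the report."""
    protected, reason = frame_protection(headers)
    if protected:
        return (f"{report_url}: browsers refuse to frame this page ({reason}); "
                "the claimed bypass needs a working demonstration before it is credited")
    return (f"{report_url}: page can be framed ({reason}); "
            "assess what a framed click on it could actually do")


if __name__ == "__main__":
    # Constructed header set standing in for a captured response.
    captured = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                "X-Frame-Options": "ALLOW-FROM https://partner.example"}
    print(triage("https://example.com/account", captured))
```

Feed it the headers of the exact URL the report names. A report that “bypasses” a page answering with frame-ancestors 'none' or X-Frame-Options DENY is describing framing that current browsers will not perform, so it should not be paid without a demonstration; a page with neither header, or with the directive only in a Report-Only policy, has a real finding whose impact still has to be assessed.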

There are also a few things you can look out for to spot a fake
report yourself:

  • Relevancy to your situation. If it’s a high-quality bug bounty
    report, it will refer to a system, page or program your
    organization uses and be specific in its detail.
  • Explanation of impact. A genuine bug bounty hunter will have
    put in the effort for their reward and will be able to demonstrate
    that the vulnerability they have found is more costly to you than
    their “fee.” The more information they can provide on the impact of
    the vulnerability both in terms of size and implications to your
    website and organisation, the better.
  • Structure of report. Someone running a mass mail out of fake
    bug bounty reports is very likely to use a template for their
    reporting and may use generic terms that are irrelevant to your
    business.
  • Terms of payment. If a bounty hunter asks for payment upfront
    without providing any details of their findings, this is a red
    flag. You can either respond by saying you can’t offer a bounty
    without seeing the report first, and see if they respond, or you
    can get the help of an expert such as Intruder who will advise on
    the best course of action.
  • Adherence to your policies. Look at setting up a specified
    security mailbox and introduce a policy via a security.txt
    file[3] that states you shall only review bounty reports sent
    to that address.
  • Copycats. Another good way of identifying a beg bounty is to
    look for instances online where other companies are receiving the
    same reports. A genuine bug bounty report will be unique to your
    systems and situation.
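As an added example, not the article’s own material: a security.txt file of the kind the “Adherence to your policies” item describes, together with a checker for the mistakes that make such a file fail in practice (a missing or stale Expires field, no Policy link) and a helper that answers the practical question the item raises, namely whether a given report actually arrived at the published Contact address. The domain, mailbox, URLs and dates are constructed placeholders; field names follow RFC 9116 and the parser covers only the subset used here.

```python
"""Added example (not from the article): a minimal security.txt, a checker
for the problems that make it useless, and a test of whether a report came
in through the published channel.

Domain, addresses, URLs and dates are constructed placeholders. Field names
follow RFC 9116; the parser handles only the "Name: value" lines used here.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample, as it would be served at
# https://example.com/.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com (placeholder)
Contact: mailto:security@example.com
Expires: 2026-06-30T23:59:59Z
Policy: https://example.com/security-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample showing the common failure: stale, and no policy link.
STALE_SECURITY_TXT = """\
Contact: mailto:security@example.com
Expires: 2024-01-01T00:00:00Z
"""

# Fixed reference date so the checks are reproducible (constructed).
CHECK_DATE = datetime(2026, 1, 15, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-case field name -> values; a field such as Contact may repeat."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "name: value" line; ignore rather than guess
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime) -> list[str]:
    """Return the problems that would stop the file doing its job."""
    fields = parse_security_txt(text)
    problems: list[str] = []
    if "contact" not in fields:
        problems.append("missing Contact: reporters have no sanctioned channel")
    if "expires" not in fields:
        problems.append("missing Expires: RFC 9116 requires it")
    else:
        # RFC 3339 timestamp; accept the trailing Z on Python versions that
        # do not parse it natively.
        expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        if expires <= now:
            problems.append("Expires is in the past: consumers treat the file as stale")
        elif expires - now > timedelta(days=365):
            problems.append("Expires more than a year out: RFC 9116 recommends under a year")
    if "policy" not in fields:
        problems.append("no Policy link: nothing states that only reports to Contact are reviewed")
    return problems


def sent_to_published_contact(text: str, recipient: str) -> bool:
    """True if the report was addressed to a mailto: Contact listed in the file."""
    contacts = parse_security_txt(text).get("contact", [])
    mailboxes = {c[len("mailto:"):].lower() for c in contacts
                 if c.lower().startswith("mailto:")}
    return recipient.lower() in mailboxes


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        print(label, check_security_txt(text, CHECK_DATE) or "ok")
    print("report to security@ in scope:",
          sent_to_published_contact(SAMPLE_SECURITY_TXT, "security@example.com"))
    print("report to ceo@ in scope:",
          sent_to_published_contact(SAMPLE_SECURITY_TXT, "ceo@example.com"))
```

Run the checker against your own file whenever it changes, and in particular before the Expires date passes; a report that lands in a sales or executive mailbox rather than the published Contact is exactly the mass mail-out pattern the list above describes, and the published policy gives you a neutral reason to redirect it.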

Falling victim to a fake bug bounty report could lose you money
and set you up for an onslaught of further fake reports, or worse,
attacks, in the future. Avoid such problems by having continuous
automated scanning and a team of expert security professionals at
your side, from a company like Intruder[4]. Its ability to probe
deeper and validate potential weaknesses could have a huge impact
on your business.

References

  1. Intruder (www.intruder.io)
  2. Vanguard (www.intruder.io)
  3. a security.txt file (securitytxt.org)
  4. Intruder (www.intruder.io)
