API Security Testing for Dummies [Free eBook]
Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies.
Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back.
Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back.
Bug Hunting !
Because Etsy having a Security Bug Bounty Program , so first Mohamed was trying to find a vulnerability in Etsy website , later he found that they have enough good security. Because Etsy mobile apps are eligible in bug bounty program, so next try was on Mobile apps.
He logged in his Etsy account from iPhone and Burp Suite proxy captured the requests with respective username & password , which was actually sent in clear text.
Mohamed already reported the issue to Etsy Security Team and they confirmed it. Because the findings are eligible to bug bounty, finally he was rewarded with 750 USD. He name also listed on Etsy as Whitehat hackers.
Readers can download Video of Demonstration here.
➤ Read Latest Stories
Check Out These Free Cybersecurity Resources
Securely Integrate Open Source Into Your Software Supply Chain
Earn a Master's in Cybersecurity Risk Management
Exclusive Cybersecurity Deals
🔥 Learn Professional Hacking
10 courses + 1,236 lessons on latest techniques, forensics, malware analysis, network security and programming.
➤ Access Online Training Courses
🔥 Cybersecurity Certification Training
Get 1-year access to 108 hours of instruction on globally-recognized CISA, CISM, CISSP, PMI-RMP, and COBIT 5 certifications.
➤ Access Online Training Courses
📰 News Stories from 15 Dec, 2012