Are you aware of fake clickjacking bug bounty reports? If not, you should be. This article will get you up to speed and help you to stay alert.
If we start by breaking up the term into its component parts, a bug bounty is a program offered by an organization, in which individuals are rewarded for finding and reporting software bugs. These programs are often used by companies as a cost-effective way to find and fix software vulnerabilities, thereby improving the security of their products. They also help to build goodwill with the security community.
The bounty hunters (or white hat hackers) in turn get an opportunity to earn money and recognition for their skills.
Clickjacking is a malicious technique that tricks users into clicking on something they think is safe but is actually harmful. For example, a hacker could create a fake button that looks like the “like” button on a social media site. When users click on it, they may unknowingly like a page or post harmful content. While this may seem like a harmless prank, clickjacking can be used for more malicious purposes, such as infecting a user’s computer with malware or stealing sensitive information.
Given the potential damage clickjacking can cause, bug bounty reports of it can be very beneficial to an organization.
As a bug bounty report can bring financial benefits to both the bounty hunter and the organization, the former will often not wait for an invite to hunt for bugs and will take a more proactive approach. This means you could be sent bounty reports even if you don’t have a formal bug bounty program in place. This practice – where a report comes unsolicited with a request for money – is often referred to as a “beg bounty”.
There is a growing trend in fake bug bounty reports because individuals are using scanning tools to generate “issues” and then flagging them to as many organizations as possible without consideration of the real risk.
While some will look fake, other reports may be sophisticated enough to con an organization out of thousands of dollars. And by falling victim, you don’t just pay a reward that is undeserved; you also show the bounty hunter that you have limited security expertise – a weakness they are highly likely to come back and exploit.
Of course, shutting the doors and ignoring all bug bounty reports is not the answer. There are genuinely good people out there who are trying to help, and their discovery may just save your business a lot of grief and expense.
So just how do you know if a bug bounty report is genuine, particularly if you’re not a security professional or don’t have a security team in place?
When such reports from people positioning themselves as security experts appear, it can be hard to determine what is real and what is fake, but there are companies that can conduct reviews of bug bounty reports to give you that peace of mind. This is offered by certain vulnerability scanning providers, who, as part of their service, will also run a continuous watch over your systems to identify, analyse, and remediate critical vulnerabilities faster.
Intruder, which offers such a service and has been helping clients uncover fake clickjacking bug bounty reports for years, has seen an increase in cases recently. Just a few weeks ago, one of its Vanguard customers was notified of an anonymous “vulnerability report.” The reporter claimed to be able to bypass their clickjacking protections using some publicly available JavaScript, but thanks to the Vanguard team’s in-depth knowledge of the client’s systems, the team was able to write off the report as fake very quickly.
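A first-pass check you can run yourself when a report like the one above arrives, added here as an example and not code from the article or from Intruder: it reads the anti-framing headers a page returns and says whether a current browser would refuse to render it in a frame. The header sets at the bottom are constructed samples, not captured from any real site.

```python
# Added example: triage a clickjacking report by inspecting the page's
# anti-framing headers. Constructed sample headers only; no network access.

def framing_policy(headers: dict) -> dict:
    """Classify anti-framing headers (header names matched case-insensitively).

    Returns {'framable': bool, 'source': str, 'detail': str}.
    Rule applied: a CSP frame-ancestors directive takes precedence over
    X-Frame-Options in current browsers; with neither, any origin can frame it.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:          # blocks framing from every origin
                return {"framable": False, "source": "csp", "detail": "frame-ancestors 'none'"}
            if "*" in sources:               # wildcard: anyone may frame the page
                return {"framable": True, "source": "csp", "detail": "frame-ancestors allows any origin"}
            if sources:                      # 'self' and/or an explicit origin list
                return {"framable": False, "source": "csp", "detail": "frame-ancestors " + " ".join(sources)}
            # An empty source list is malformed; fall through to X-Frame-Options.

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"framable": False, "source": "xfo", "detail": xfo}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers ignore it, so it gives no protection.
        return {"framable": True, "source": "xfo", "detail": "ALLOW-FROM is ignored by current browsers"}
    if xfo:
        return {"framable": True, "source": "xfo", "detail": f"unrecognised value {xfo!r}"}
    return {"framable": True, "source": "none", "detail": "no anti-framing header"}


# Constructed sample responses, one per case a triage should distinguish.
SAMPLES = {
    "protected": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                  "X-Frame-Options": "DENY"},
    "csp_wins": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "legacy":   {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "missing":  {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        v = framing_policy(hdrs)
        print(f"{name:10} framable={v['framable']!s:5} via {v['source']}: {v['detail']}")
```

A verdict of not framable for the exact URL named in the report is strong evidence against a claimed script-based bypass, because the frame check is enforced by the visitor's browser, not by anything on the reporter's page. Check every URL the report cites, since the header has to be present on each response, not only the landing page.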
There are also a few things you can look out for to spot a fake report yourself:
Falling victim to a fake bug bounty report could lose you money and set you up for an onslaught of further fake reports, or worse, attacks, in the future. Avoid such problems by having continuous automated scanning and a team of expert security professionals at your side, from a company like Intruder. Its ability to probe deeper and validate potential weaknesses could have a huge impact on your business.