Bug Bounty Bulletin #10

Insights, inspiration and hunting opportunities for ethical hackers

Welcome to the tenth edition of YesWeHack’s Bug Bounty Bulletin – comprising new hunting opportunities, CTF challenges, a research roundup, plus technical advice and inspiration for ethical hackers.

The captivating tale of the exploit that leaked the email of any YouTube user has variously been described as “very inspiring”, “well written” and “another example of why deprecated tools need to be disconnected or segregated to a sub platform with no sensitive data.” ‘Skull’, a Singapore-based hunter, netted a $10,000 Bug Bounty payout for his efforts. Documented in a PoC video below, the exploit chain was also praised by PortSwigger’s James Kettle, who loved “the use of a DoS flaw to make the attack stealthier!”

It’s hard to follow such an impressive exploit in the world’s second most popular website (after google.com), but a buffer over-read vulnerability in the Great Wall of China’s DNS injection subsystem is a worthy effort, no? Documented by researchers from GFW Report, a censorship monitoring platform, the ‘Wallbleed’ bug “caused certain nation-wide censorship middleboxes to reveal up to 125 bytes of their memory when censoring a crafted DNS query”. The researchers used a novel side channel to monitor injector processes, reverse-engineered the injector’s parsing logic and assessed the leaked information’s impact on users, among other things. The research “afforded a rare insight into one of the Great Firewall’s well-known network attacks, namely DNS injection, in terms of its internal architecture and the censor’s operational behaviors,” wrote the research team.

Bug Bounty hunters often alternate between feast and famine when it comes to unearthing vulnerabilities, says Italian hacker Leo in a new interview on our YouTube channel. Watch the video below to see Leo – hacker alias ‘Leorac’ – also reflect on the changes he’s witnessed in our digital ecosystem over the past 20 years and offer some tips to up-and-coming hacking talents.

Back to notable security research from the past month and we have a third target of enormous significance in the form of LTE/5G core infrastructure. Specifically, researchers from the Florida Institute for Cybersecurity Research discovered 119 vulnerabilities that could potentially have resulted in persistent denial of cell service to an entire metropolitan area or city. Moreover, asserted the researchers, some security flaws could have been abused to remotely compromise and access the cellular core. The researchers found vulnerabilities in all seven LTE implementations and all three 5G implementations that they tested.

It’s a double header for hunter interviews this month, with our second featured hacker, Gregxsunday, recounting his surprise about the impact of increasingly secure development practices on the number and discoverability of vulnerabilities out in the wild. For those unfamiliar with the Polish ethical hacker, he documents his impressive exploits on his hugely popular YouTube channel, Bug Bounty Reports Explained – it’s definitely worth checking out.

Like Gregxsunday, we try to do our bit to inspire and educate aspiring and inexperienced hunters. To this end, we’re publishing how-to guides to learning the most foundational hacking skills. Most recently this includes article #2 in our recon series, on subdomain enumeration, which explains various active and passive techniques, supported by examples performed on a real public Bug Bounty Program. We’ve also recently published an ultimate guide to cross-site scripting (XSS), which examines how to detect and exploit common variants of this pervasive bug type, from reflected to blind vulnerabilities.

Talkie Pwnii time now. The fourth instalment revisits the 39th monthly Dojo challenge, ‘Phishing’. Pwnii (aka pwnwithlove) walks us through the solution, which involves mounting a homographic attack using punycode, as well as explaining why NodeJS’ VM module sandboxes aren’t as secure as they might seem. Kudos to the overall winners of the phishing challenge by the way: Sto, MerleSurLeToit and thepotata. Check out the best writeup here.
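The punycode homograph technique mentioned above is easiest to reason about from the defender’s side: decode the ‘xn--’ A-label back to Unicode and check whether the letters mix scripts or collapse onto a protected name. The script below is an added example written for this bulletin, not Pwnii’s challenge code; the confusables table is a constructed subset of the Unicode UTS #39 list and the protected names are placeholders.

```python
"""Flag IDN homograph look-alikes in hostnames (added example, not from the challenge)."""
import codecs
import unicodedata

# Constructed subset of UTS #39 confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "у": "y", "ӏ": "l", "і": "i", "ј": "j", "ѕ": "s"}


def decode_label(label: str) -> str:
    """Turn an A-label such as 'xn--80ak6aa92e' back into its U-label (RFC 3492 Punycode)."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def encode_label(label: str) -> str:
    """Inverse of decode_label: ASCII labels pass through, anything else becomes 'xn--...'."""
    if label.isascii():
        return label
    return "xn--" + codecs.encode(label, "punycode").decode("ascii")


def scripts_of(label: str) -> set:
    """Scripts of the letters in a label, read off the first word of each Unicode name."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace known look-alike letters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess(hostname: str, protected=("apple", "example")) -> dict:
    """Decode every label and report mixed scripts or collisions with protected names."""
    labels = [decode_label(part) for part in hostname.split(".")]
    mixed = any(len(scripts_of(label)) > 1 for label in labels)
    hits = [p for label in labels for p in protected if label != p and skeleton(label) == p]
    return {"decoded": ".".join(labels), "mixed_script": mixed, "lookalike_of": hits}


if __name__ == "__main__":
    # Constructed samples: a benign ASCII host, an all-Cyrillic 'apple', and a mixed-script one.
    for host in ("apple.com", "xn--80ak6aa92e.com", encode_label("аpple") + ".com"):
        print(host, assess(host))
```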

The hunter community is making short work of our Hunter’s Bucket List targets, with only four items left to go. Congratulations to HakuPiku for unlocking the latest achievement, and winning himself a six-month voucher for Caido Pro and an exclusive swag pack, via an OS command injection report accepted on a public program.

Finally on the YesWeHack community front, congratulations to Xel for climbing into second place on our all-time leaderboard. The top two for 2025 so far precisely mirror the all-time leaderboard (rabhi and Xel), while Noam (all time #13) sits in third, Xavoppa is a rising star in fourth (only joined YesWeHack in 2024) and c14dd49h occupies fifth spot (all time #20).

Hack-tips video roundup

The title ‘BurpSuite’s best feature – but no one uses it!’ is pure catnip to hackers given the popularity of Burp, but the strength of the content backs up the tantalising promise of the video title. Kicking off our inaugural roundup of advice videos from around the web (well, YouTube), this 15-minute tutorial demonstrates how to use this feature step-by-step on a target to accelerate your bug hunt.

In video #2, Ben ‘NahamSec’ Sadeghipour shares a “proven framework” for consistently finding high-impact bugs, one that is accumulating traffic and likes at a rapid clip. Among other insights, the legendary hacker and keynote speaker explains why relying on tools alone isn’t enough, how to choose targets wisely, and how to streamline your hacking workflow for maximum results.

Finally, NahamSec also stars in this 17-minute tutorial by the UnixGuy channel, with host Ben R Truong turning to the hacker to help him outline a practical roadmap for aspiring bug bounty hunters in 2025.

Before we conclude with upcoming events that YesWeHack will attend, we’ve spotted several other pieces of notable InfoSec content over the past month:

- Hacking high-profile Bug Bounty targets: deep dive into a client-side chain – research by Vitor Falcao

- Nginx/Apache path confusion to auth bypass in PAN-OS (CVE-2025-0108) – research by Adam Kues

- Hacking a software supply chain to achieve RCE on developers, pipelines and production servers for a $50k bounty – research by Roni ‘Lupin’ Carta and Snorlhax

- Shadow Repeater: AI-powered variation testing on Burp – Gareth Heyes unveils PortSwigger’s latest tool

- How to find more IDORs – bug-hunting advice from verylazytech

Event horizon

Three upcoming events to highlight if you want to meet the YesWeHack team (and get some free swag!): Next IT Security (13 March; Stockholm, Sweden), BreizhCTF (14-15 March; Rennes, France), and InCyber Forum Europe (1-3 April; Lille, France). And that’s about it for this month… happy hacking!

PS. Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

PPS. This isn’t the only way to keep track of YesWeHack content, hacking competitions and hunting opportunities! You can also follow us on X/Twitter and LinkedIn.
