
Published on June 12th, 2019


Hackers earn $54m from just ten security flaws



Nothing motivates quite like a great, big sack of cash

Hackers have earned more than $54 million in bounties by leveraging ten of the most impactful security vulnerabilities.

That's according to cybersecurity firm HackerOne, which has published research based on more than 120,000 security vulnerabilities reported by hackers across 1,400 customer programmes.


It claimed that the data represents real-world risks that existed in organisations, including technology start-ups, governments, financial institutions and open-source projects.

Coinciding with the research, HackerOne has launched an interactive website that shows the vulnerability types with the highest severity scores.

HackerOne's Top 10 security vulnerabilities are:

  1. Cross-site Scripting - All Types (DOM, reflected, stored, generic);

  2. Improper Authentication - Generic;

  3. Information Disclosure;

  4. Privilege Escalation;

  5. SQL Injection;

  6. Code Injection;

  7. Server-Side Request Forgery (SSRF);

  8. Insecure Direct Object Reference (IDOR);

  9. Improper Access Control - Generic;

  10. Cross-Site Request Forgery (CSRF).

Elsewhere, the company found that large-scale migration to the cloud has resulted in increased risks from vulnerabilities such as server-side request forgery.

In addition, information disclosure threats are still common despite growing attention on user privacy; and highly impactful vulnerabilities such as SSRF, IDOR, and privilege escalation remain hard to find, but are the most valuable to bounty hackers.

Miju Han from HackerOne said that the firm had seen a 40 per cent crossover between the HackerOne Top 10 and the latest version of the OWASP Top 10. "Cross-site Scripting (XSS), Information Disclosure, and Injection are all included on both lists," said Han.

He continued: "Both assets will be able to help security teams identify the top risks. Our research also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers."

Han added that when examining the cumulative total of bounties paid for critical and high severity bugs, the amount is more than 60 per cent of all bounties paid.

"Interestingly, comparing by volume of reports, there were nearly three times as many high severity bugs reported as critical severity bugs," continued the researcher.

"At the opposite end, low severity reports accounted for just eight per cent of the bounty total, yet made up nearly 30 per cent of the reported volume.

"We are fortunate to have such a comprehensive data set that allows us to share with our customers and the industry which vulnerabilities are likely to be the most expensive."
