Security BSides London 2019, Jamie O'Hare's 'Bug Bounties: Crowdsourcing Nosey Bastards' →
Instagram 2FA Bypass, A Tale of Superlative Bug Hunting Skills & Indolent Multi-Factor Authentication
Via Tara Seals writing at the Threatpost Blog, detailing the highly competent bug hunting skill set of Laxman Muthiyah, examining - if you will - the lackadaisical 2FA data flow promulgated by Facebook, Inc. (Nasdaq: FB) on the company's owned Instagram.
"Independent researcher Laxman Muthiyah took a look at Instagram’s mobile recovery flow, which involves a user receiving a six-digit passcode to their mobile number for two-factor account authentication (2FA). So, with six digits that means there are 1 million possible combinations of digits making up the codes." - Via Tara Seals writing at the Threatpost Blog
DREAD, The Pirate Approach →
via the inimitable Adam Shostack (author of The New School of Information Security) and Threat Modeling; a leader in the Threat Modeling arena), whilst writing at his fascinating blog, comes a sterling discussion of the DREAD method; or How To Name A Bug Bounty Program. Certainly, today's MustRead, enjoy!