A lot of time has passed since we published the last blog post. We want to give a brief status update and an overview of the events of the recent months.
Facebook fixes minor issues
Security is very important at Facebook. As the biggest social network in the world with 1.23 billion members, Facebook has been running a bug bounty program since 2011. Facebook announced they would pay a minimum of $500, with no upper limit. More than $2M has been paid out in rewards, including $1.5M in 2013 alone. As a security researcher you are very proud if you are able to help such a big company; it is also a nice reference, and of course the rewards are quite nice too. So one day we decided that we also wanted to participate in this bug bounty program and looked for vulnerabilities.
Bug Bounty: Digitalocean fixes multiple CSRF vulnerabilities
Digitalocean.com is a cloud hosting service which specializes in small and large virtual servers with SSDs. As a security-conscious company it runs a bug bounty program, in which we took part. Now we just want to share our findings with you.
Rejected CSRF at facebook.com
Recently, we discovered a very non-critical CSRF issue at Facebook. Facebook's security team rejected this submission as there is no direct impact on any user data. People asked us to share the finding, so here we go :)
PayPal fixes a path traversal vulnerability
PayPal is a well-known online payment service and a company which runs a bug bounty program. We've participated in their bug bounty program and we've discovered a very critical security issue on their main domain www.paypal.com. We'll now write something about the reporting process and the vulnerability itself. This article should show that big companies are not 100% secure and can also suffer from critical vulnerabilities.
Bayernspd.de fixes multiple SQL Injection flaws
The Social Democratic Party of Germany (in short: SPD) is the oldest political parliamentary party in Germany. The website bayernspd.de represents one of 16 SPD state associations in Germany and therefore acts as a contact point for all political "online" questions regarding the SPD in Bavaria.
Google fixes SQL Injection vulnerability
In June 2013 we discovered a SQL Injection issue in a Google service, which was fixed by Google's security team very quickly.
Looking for a 7-character XSS on doubleclick.net
The advertising service called Doubleclick was acquired by Google in 2007. That means that the corresponding domain is part of Google's bug bounty program.
After some research we discovered a nearly unexploitable XSS vulnerability, which we want to share with you. Maybe you’ll find a way to bypass the length limit of 7 characters.
Spiegel.de fixes XSS vulnerability
The "Spiegel" is one of the most popular news magazines in Germany. The Spiegel realized long before its competitors that it's important to get a strong position in the new and upcoming internet market - the reason why they built their first web presence in 1994. Today it's one of the most popular and most comprehensive news websites in Germany. It's quite fun to browse through their website - especially due to its clarity and many useful and vivid applications, but this should go hand in hand with security.
Tuenti.com fixes an XSS vulnerability
Tuenti is a Spanish "social network" platform with about 14 million users. It is one of the biggest networks in the Spanish-speaking area. The network offers various web applications which in general are intended to facilitate communication. Tuenti runs a responsible disclosure program, in which we've also participated.