Wir wollten eigentlich nur entspannt übernachten, sind aber (schon wieder!) über Sicherheitslücken in Hotelsoftware gestolpert. Diesmal mit dabei: 35 Millionen Buchungen, ein paar Jugendherbergen, Motel One und (wie immer) ein 🔢 zählendes Zerforschi.

Die ganze Geschichte lest ihr hier: https://zerforschung.org/posts/sihot/

The previous Monday, @troyhunt the creator of @haveibeenpwned made another stop on his Have I Been Pwned Alpine Grand Tour, visiting countries like Germany, France, Italy, and Switzerland to discuss his work. Several Zurich user groups were fortunate to hear him speak on various topics and join him for drinks afterward. His presentation covered his experience testifying before the U.S. Congress, some of the most significant breaches tracked on the platform, and insights into how Have I Been Pwned operates

After discovering that the data is accessible via the API and noticing the lack of a visualization tool, I dedicated a few evenings to building haveibeenpwned.watch. This single-page website processes and presents data on leaks from Have I Been Pwned, with daily updates.

The site provides details on the total number of recorded breaches, the number of unique services affected, and the total accounts compromised. Charts break down the data by year, showing the number of breaches, affected accounts, average accounts breached per year, accounts by data type, and accounts by industry. Additionally, tables highlight the most recent breaches, the most significant ones, and the services with the highest number of compromised accounts.

Though simple, the website can be a useful resource for use cases like strategic security planning, cybersecurity sales, risk assessment, or simply tracking trends in the security landscape.

The website is open source, with its repository hosted on GitHub.

Feel free to share any feedback or submit a pull request if you’d like to contribute.

Troy, thank you for hosting these in-person talks and for creating this essential service that the internet relies on!

[1] https://haveibeenpwned.watch
[2] https://github.com/iosifache/haveibeenpwned.watch

Something that’s been bothering me for years in the security world: why do researchers demand bug bounties for vulnerabilities in open source projects, when the very contributors maintaining and fixing those issues get nothing, just goodwill?

It feels deeply unfair. The burden falls on unpaid maintainers, yet bounty hunters get rewarded. If you want a paid bounty, maybe help fund the people who actually fix the mess too.

#opensource #security #bugbounty

Ich habe heute versucht, etwas zu basteln. Teil der Arbeit war es, ein Programm mittels emscripten zu compilieren.

Leider stürzt das Programm an einer entscheidenden Stelle später immer mit "abort" ab.

Als ich den Fehler melden will, sehe ich im Bug Tracking System einen offenen Eintrag.

Da hat schon eine Person vor einem halben Jahr das gleiche Problem gemeldet.

Ich.

🤦