Organisations Paid Hackers US$23.5 Million for These 10 Vulnerabilities in One Year

By : Krishna Anindyo | Friday, October 30 2020 - 11:20 IWST

Ilustration Hackers (Photo by Microwire.info)
Ilustration Hackers (Photo by Microwire.info)

INDUSTRY.co.id - Singapore - In times of uncertainty, security becomes an ever more pressing priority. The stakes are high: organisations are more reliant on technology than ever and anyone relying on technology can lose everything in a data breach. But some of the most recent vulnerabilities have one thing in common: they were detected, discovered and reported by friendly hackers who can think like attackers.

“This year, organisations worldwide were forced to go digital with their product offerings and services,” said HackerOne Senior Director of Product Management Miju Han.

“Businesses scrambled to find new revenue streams, creating digital offerings for customers whose lifestyles had dramatically changed. Tens of millions of workers started working remotely whether or not they were ready. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems. Faced with these obstacles, security leaders have gained newfound appreciation for hacker-powered security as a nimble, scalable, and cost-effective solution to augment their own resources and offer a pay-for-results approach that’s more justifiable under tightened budgets,” added Miju Han.

HackerOne maintains the most authoritative database of vulnerabilities in the industry. With over 200,000 valid vulnerabilities found by hackers, HackerOne took a look into this data to glean insights from the top 10 most impactful and rewarded vulnerability types.

HackerOne’s Top 10 Most Impactful and Rewarded Vulnerability Types of 2020, in descending order, are:

Cross-site Scripting (XSS), Improper Access Control , Information Disclosure, Server-Side Request Forgery (SSRF)

Insecure Direct Object Reference (IDOR)

Privilege Escalation

SQL Injection

Improper Authentication 

Code Injection

Cross-Site Request Forgery (CSRF)

Taking a closer look at this year’s top ten in comparison to the 2019 top ten vulnerabilities, key findings include:

Cross-site Scripting vulnerabilities continue to be a major threat to web applications as attackers exploiting XSS attacks can gain control of the user’s account and steal personal information such as passwords, bank account numbers, credit card information, personally identifiable information (PII), social security numbers, and more.

The most awarded vulnerability two-years running, XSS vulnerabilities cost organisations US$4.2 million in total bounty awards, up 26% from the previous year. These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501.

With the average bounty for a critical vulnerability being US$3,650, this means organisations are mitigating this common, potentially painful bug on the cheap.

Improper Access Control (up from ninth place in 2019) and Information Disclosure (still holding the third spot) remain common. Awards for Improper Access Control increased 134% year over year to just over US$4 million.

Information Disclosure was not far behind, increasing 63% year over year. Access control design decisions have to be made by humans, not technology, and the potential for errors is high, and both errors are nearly impossible to detect using automated tools.

SSRF vulnerabilities, which can be exploited to target internal systems behind firewalls, show the risk of cloud migrations. Previously, SSRF bugs were fairly benign and held our seventh place spot, as they only allowed internal network scanning and sometimes access to internal admin panels.

But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

SQL Injection is dropping year-over-year. Considered one of the worst threats to web application security by OWASP and others, the scale of SQL injection attacks can be devastating, as sensitive data, including business information, intellectual property, and critical customer data, is stored on database servers susceptible to these attacks.

In years past, SQL injection was one of the most common vulnerability types. However, our data indicate that it’s been dropping year-over-year from fifth in 2019 to seventh in 2020. By shifting security left, organisations are leveraging hackers and other methods to proactively monitor attack surfaces and prevent bugs from entering code.

“Finding the most common vulnerability types is inexpensive,” Han continued.

“Of the top 10 most awarded weakness types, only Improper Access Control, Server-Side Request Forgery (SSRF), and Information Disclosure saw their average bounty awards rise more than 10%. The others fell in average value or were nearly flat. Unlike traditional security tools and methods, which become more expensive and cumbersome as goals change and attack surface expands, hacker-powered security is actually more cost-effective as time goes on. With hackers, it’s becoming less expensive to prevent bad actors from exploiting the most common bugs.” concluded Han.

News Comment

Today's Industry

Oleg Mogilevsky - Product Marketing Manager at Check Point Software Technologies (Photo by Linkedin)

Selasa, 10 November 2020 - 11:00 WIB

Five Reasons to Reevaluate Your Endpoint Protection

With the new emerging threats caused by remote working standards, security professionals need to reevaluate their approach to protecting endpoints. In order to do so, it’s vital that organisations…

Darrell Adams, Head of Southeast Asia & Oceania, Universal Robots (Photo by LinkedIn)

Selasa, 10 November 2020 - 10:30 WIB

Collaborative Robots Open New Horizons in Quality Control Processes

Collaborative robots (cobots) offer suitable solutions to manufacturers. Hence, cobot-based quality control and inspection systems that can transition between different end products in very…

Clean Earth Technologies (CET)

Jumat, 30 Oktober 2020 - 10:30 WIB

Clean Earth Technologies’ New Class Of Polymers Invented By Associate Professor, Justin Chalker, Receives Australian Pm’s New Innovator Award

Associate Professor Justin Chalker has invented a novel class of polymers synthesised directly from elemental sulphur which is a waste by-product of the petrochemical industry and renewable…

Adi Ikan - Network Research & Protection Group Manager, at Check Point Software Technologies (Photo by Linkedin)

Jumat, 30 Oktober 2020 - 10:05 WIB

Measuring the Global Impact of the NSA’s Top 25 Vulnerabilities Being Exploited In the Wild

NSA’s list of top vulnerabilities were used to launch 3 million attacks in 2020, with 2.5 million of those attacks occurring in the last 6 months.

SMILE to Empower Smallholders

Kamis, 29 Oktober 2020 - 08:35 WIB

Kao Corporation, Apical & Asian Agri Join Hands to Empower Smallholders with SMILE Program

SMILE or the SMallholder Inclusion for better Livelihood & Empowerment program to help independent oil palm smallholders in Indonesia improve their yields, acquire international certification,…