- theflow0 submitted a report to PlayStation. Oct 25th (8 months ago)
- PlayStation rewarded theflow0 with a $20,000 bounty. Nov 12th (7 months ago)
- shoshin_cup (PlayStation staff) closed the report and changed the status to Resolved. Apr 4th (3 months ago)
- theflow0 requested to disclose this report. Apr 4th (3 months ago)
- sazerac (HackerOne staff) agreed to disclose this report. Jun 10th (9 days ago)
I generally refuse to participate in bug bounty programs through intermediaries like HackerOne, because they severely restrict and delay your ability to disclose. After having been denied a bug bounty for reporting a vulnerability directly, and having often spent frustrating amounts of time just trying to get a response even from major companies, I've basically given up completely on bug bounty programs, and will likely go for full disclosure in the future (with a note to the corresponding security team for awareness).
For smaller issues, the bounties often don't even fairly compensate the (usually significant) effort spent communicating with the security team if you value your time at a competitive hourly rate, and payment is hit or miss. Not worth giving up your right to talk about the issues in exchange.
Friend just disclosed a 7-vuln chain RCE in a Fortune 20 company. Affected all cloud and on-prem versions.
They denied it as it was under NDA during a "scheduled" pentest (their client paid them to pentest and they alerted the vendor letting them know they'd be doing it during a 2 week period like most cloud vendors).
For someone to spend weeks developing that many vulnerabilities to get an RCE and then get nothing from the vendor other than "haha technically we don't have to pay you" - there is zero reason to not go through agencies that sell to governments (ZDI, Zerodium, etc).
You'll get paid and now the bug won't get patched.
I feel like all these takes seem to not really consider the idea that some people enjoy security work but do not want to be part of criminal enterprises, especially in the age of ransomware.
Gaming devices have always been special I think cuz basically every heavy gamer pirates games as a kid (no money!) and there’s a very legit “I just want my device to run software” feeling, but I think generally people want shit to be fixed.
The thing you miss is the CIO DGAF because he has a paper trail covering his ass - pays for all kinds of corporate placebos (antivirus, WAF), even did a pentest. Worst case scenario they will get in the news and get free advertising to >50% of the clueless population.
The PoC requirement seems to be there to help the triage team filter out the many garbage reports they get.
Having seen a glimpse of what you get out of a bug bounty program (lots and lots of people with no clue submitting bogus reports) I understand why companies are doing that, but especially for a commercial company, their triage burden is not my problem. I'm doing them a massive favor by reporting it, and as mentioned above I'm not getting paid adequately for it... so either they do the triage properly (yes, that's a lot of work), or they pay me to spend time to give them a clearer proof... or they don't get the vulnerability reported/responsibly disclosed.
Ironically, if you went through one of the platforms initially and they responded like that, you can't just go full disclosure anymore without violating the platform ToS, just like this post showed.
The absolute minimum that such platforms should do would be report closed = NDA lifted, but since they're more dependent on their paying customers than the researchers, they won't do that.
From a $ perspective, most bug bounty programs look rather uneconomic to me, which I presume is by design.
Bounty programs require a hacker to reveal their secret. That cripples a hacker’s negotiation strength, and the hacker cedes nearly all control (as you point out).
Are there any organisations which can authenticate a vulnerability, without the hacker revealing the vulnerability itself?
Vulnerability authentication seems like a hard problem:
* powerful adversaries will wish to “steal” the vulnerability for themselves,
* the hacker will want to remain anonymous,
* the hacker needs to believe they will be safe and their vulnerability will not be stolen,
* legal, social, and financial incentives would be difficult to align for such an organisation to even exist. In a “safe jurisdiction” three-letter-agency and legal issues would probably be prohibitive (can’t aid extortion etcetera), and in other looser jurisdictions there would be powerful dark threats (far dominating over any legal issues).
* in most markets authentication is handled by organisations doing repeat transactions so that their incentive is to be trustworthy. However in this market government or blackhat organisations will want to create fronts or suborn organisations.
I guess on the dark markets there are authentication options for black hats. Any links to discussions about that?
Can vulnerability authentication be solved for white hats?
Practically, HackerOne is already in the business of validating vulnerability reports, and they did so here. The real problem is that HackerOne takes a commission on vulnerability reports but does not protect the researcher if the program doesn't pay for the validated report. Other platforms like Bugcrowd do protect you (which is probably sufficient for the problem you describe), but HackerOne strangely does not.
There's already a trusted intermediary, you don't really need to hide the report from the company -- the intermediary just needs to provide protections to both sides.
"From a $ perspective, most bug bounty programs look rather uneconomic to me, which I presume is by design."
It depends. If you're a graduate with multiple FAANG offers in the US, they're not worth it. If you're in a developing country, they're worth it a lot.
Unfortunately, that also means that people who have good skills are less likely to participate and people who don't have marketable skills have an apparent incentive to try (they will not get the money, but the promise/possibility still lures them to submit reports) resulting in an absolutely atrocious quality of reports.
I don't think authentication is useful for white hats. A whitehat can just report it (which he'd do anyways) and then either get the bounty or not. The only benefit of authentication would be for the receiving company, and that's called triage and exists as a service (as we see in the full timeline, it was used here).
> authenticate a vulnerability, without the hacker revealing the vulnerability itself
In principle, with standalone software that can be run under emulation, including OSes and device software, it's possible to publish a verifiable, zero-knowledge proof of execution of the exploit leading to some state (e.g. root access or changing a file) without revealing how it's done.
The principle is similar to public key crypto: Everyone can verify the proof, only those with knowledge of the secret input can produce the proof.
The proof does not contain the actual execution steps because that would reveal the secret input, but it may contain before and after states for the verifier to convince themselves an exploit took place between them, along with a cryptography-style proof that the after state is reachable under this emulator using secret input known by the hacker.
the biggest news about this for, well, hackers is obviously theflow0 is back in the game! they've been instrumental in the homebrew PS4 scene as covered by Modern Retro Gamer on YouTube.
> After having been denied a bug bounty for reporting a vulnerability directly, and often spent frustrating amounts of time just trying to get a response even from major companies, I've basically given up completely on bug bounty programs, and will likely go for full disclosure in the future (with a note to the corresponding security team for awareness).
I personally believe that if a bug bounty program denies your report / closes it out as N/A or out-of-scope, you should be able to disclose it. The whole point of bug bounty is practically "legal extortion". The buy-in is that you're getting security details in exchange for payment. If you're not paid, the information shouldn't be used or worthy of payment. The security issue's severity should command a level of payment. If it fails to command this, surely the company doesn't think it's valuable, right?
> I've basically given up completely on bug bounty programs, and will likely go for full disclosure in the future (with a note to the corresponding security team for awareness).
I think you should still report to bounty programs, at least ones with "HackerOne managed" badges on them, because at least HackerOne will try to reproduce the issue / triage it. If you want you can go full disclosure, but believe it or not, smaller companies with people like me at the helm are more than happy to pay out bounties. We may not have big company budgets, but we really do take things seriously, and we enjoy rewarding people who find interesting problems.
For the record, emails to security@ company are practically inundated with false positive "bug bounty" reports from researchers who have very low signal. HackerOne/Bugcrowd are often just better ticket management systems, because when you get 10 of the same report about something that isn't a security problem a day, real issues slip through the cracks. HackerOne's triage team is very good at identifying an exceptional issue and raising it up to us, which was often difficult pre-H1 via security@ emails. Also, more and more, GDPR data deletion requests get flooded to privacy@ and security@. When this happens, the security inbox looks more like GDPR/low hanging fruit zone than an actual "important security issue that needs attention immediately" zone.
Not saying public bug-bounty programs such as this are perfect. Those around a certain date in the past remember strongly when the situation with public research was more precarious and Sony attempting lawsuits, prosecutions and other utterly horrible attempts at 'damage-control' with the PS3. In that light and with the researcher being able to disclose his research after public security-patch it does appear more amicable.
100%, TheFloW is a legend in the Vita community. Every time Sony released a new firmware fixing one of his exploits, he released another one, until Sony stopped updating the Vita.
The guy also developed quite a bunch of useful low-level software—he and Rinnegatamante basically carry the homebrew/jailbreak community for Vita, at least lately.
Meanwhile, his twitter says ‘Security Engineer @ Google’.
Bit weird that he didn't turn this into a jailbreak for PS5, though. But perhaps I'm missing something about PS5's firmware update scheme.
$20k for pirated ps4/ps5 games? Seems ridiculously low.
When I lived in Bolivia I remember buying PS2 games in the market for 10 Bs. ($2). I imagine few people in Bolivia can buy these games. Same for other third world countries.
I imagine the exploit author reported it for the clout and a "good get" right? It's quite the feather in your cap.
It's also not like house owners reward people that tell them about an open front door with the total value of their house's contents. In Dutch we say "10% finder's wages" (10% vindersloon) when someone returns an item they found, say a smartphone. Sometimes you get nothing, sometimes you get 20%, but nobody expects to get 100% (or even half) of the true value of the item you are dutifully returning.
That there is a huge market in less-wealthy countries for pirated games is a well-known fact. What strikes me as a leap is that there is some mastermind behind it all that has enough savings (or other liquidity) to buy these exploits for whatever you would consider the true value (if $20k is "ridiculously" low), and then needs to earn all that money back by selling game copies (presumably there is some hardware cost to burn discs) to a population that is large but, indeed, poor.
No one is returning something to PlayStation, though. This is independent intellectual property. Property that, if exposed, runs the risk of destroying their entire ecosystem.
And this possibly cuts well beyond simple piracy. PlayStation enjoys exclusive control over who does and does not get to publish on their platform. A mechanism that earns them millions in licensing deals, to the extent that they can happily lose money on the sale of the hardware itself. The destruction of that mechanism seems akin to destruction of their entire platform.
This isn't a "we found your front door unlocked" situation. This is a "we found a bomb attached to your spine, and we know exactly how to dismantle it."
If they already have the networks in place to sell stuff like pirated movies, I don't see why they would balk at paying for an exploit to sell pirated games. I could also see them using an advance + royalty model to share the risk with the exploit writer.
I'm from a 3rd world country and can confirm, everyone is keeping their PS4 on v9.00. A shop near me is selling dozens of PS4s with 10+ pre-installed games, each for $280-300.
The question is how competitive is the market? Would he get more money by auctioning it off? For something like smartphones there are plenty of governments that would buy. But for a game console? It's mostly commercial pirates and I guess those don't have as much money sloshing around.
Maybe one could make it an adversarial kickstarter kind of thing. The public pools against sony, full disclosure vs. time-delayed disclosure.
I recently got into game collecting and this is fun indeed. Managed to get myself a copy of Silent Hill 3 for the PS2, which isn't exactly a rare game but it's up there for sure.
5 vulnerabilities, this is the issue that I often see: nobody wants to fix an issue that isn't exploitable, so reporting all those alone won't get them fixed for maybe even years, and then someone figures out how to connect them and we get chains like this.
The researcher I think should be able to negotiate the rate prior to disclosure (ie “how much would a vulnerability that accomplishes xyz be worth it to you?”). I wonder if that might change some of these payouts.
> With these vulnerabilities, it is possible to ship pirated games on bluray discs. That is possible even without a kernel exploit as we have JIT capabilities.
So this person basically saved them from losing tons of money (if you accept these companies' claim that pirating games actually makes them lose money in the first place) and they only awarded them $20K.
Good way to ensure others who find similar exploits sell them to the highest bidder on dark markets instead, as they'll be able to get way more than that.
I had some considerations of getting into white hat hacking. I'd have enough motivation to become somewhat proficient in a few years, maybe even very good in a decade. But then I look at the rewards for vulnerability discovery and I think what the hell??? If I'd spend years honing my skills and someone would offer me a few grand for something that could potentially cost them millions, I don't think I'd manage not to sell it to the highest bidder. This is like a gig economy but for infosec.
I believe it's come out since the initial statement that the "pirated games [...] without a kernel exploit" thing was hypothetical, requiring someone to write a specialized AMD64-to-AMD64 JIT compiler that transforms game programs from using their native memory layouts to using that of the exploited process.
20K + prestige, he's gonna have strong cards at his next $nicely_paying_company interview
> Good way to ensure others who find similar exploits sell them to the highest bidder on dark markets instead, as they'll be able to get way more than that.
Sure, sell it for how much? Twice? Thrice as much?
Instead of using it for your own branding, CV, to negotiate a salary which will pay you way more over the years.
Not sure these kinds of exploits are as valuable as they once were. Online gaming is the default now which means updates can be enforced. And using one of these exploits basically requires disconnecting from the network, losing online, and losing access to new games which will have minimum version requirements.
> Good way to ensure others who find similar exploits sell them to the highest bidder on dark markets instead, as they'll be able to get way more than that.
> $20k seems a bit low for a chain of 5 exploits that defeat the entire security model on their flagship product, but what do I know.
Especially when so many people work on sensitive work in their homes due to COVID, huge chunks of the federal government are having conversations next to hot mics as they do Tinder and the like on their "personal" devices.
Wide-scale game piracy can be very profitable in markets that aren't well-served by the console operator. You're not gonna make money selling pirate blurays in the US since you'll go straight to prison, but I can imagine PS4 owners in second or third-world countries buying a stack of pirated blurays for 20% the cost of retail and local law enforcement not being terribly interested in doing something about it.
> Interesting to see that one of the most impactful exploits is in an open source library.
WebKit is infested with vulnerabilities and it is a hacker's paradise for exploitation. Probably the most exploited and targeted software component out there.
Although 20k seems quite low, I think it is reasonable given the rise of game subscriptions.
Who would want to jailbreak and leave their PS5 offline to get $5 games that won’t work once the station is updated? Where on the flip side you could pay $5-15 monthly (not sure of PlayStation Now's cost but that amount is for Xbox Game Pass) to have hundreds of games at your disposal and never have to physically acquire a new disk via the black market to play a new game?
Is there a reason this wouldn’t in theory allow a full jailbreak and play of the $79 games?
PlayStation's main unique feature is the narrative-based single player exclusives. So, if you were going to get a PS5 and Xbox, Xbox for multi and hacked PS5 for single seems like an excellent combo - you know - if you were the type of person that could justify that sort of thing.
Back in the day I faced the same consideration with the Xbox 360. I went with the reset glitch hack and was able to have hundreds and hundreds of games all play from an HDD. Eventually the hackers got servers running and you could also play online with others. A fully jailbroken PS5 would definitely be appealing.
Congratulations vendor, you played yourself.
Was your friend the one paid to do the pentest? And during that 2 week period your friend was doing the pentest they found the 7 vuln chain RCE?
Or did they find the vulns during a period in time someone else was pentesting the company?
https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/
Public reimplementation: https://github.com/sleirsgoevy/bd-jb (not a "full" jailbreak yet, the kernel part is missing)
To clarify, this exploit only works up to firmware 9.04 on the PS4 and up to 4.51 on the PS5.
https://theofficialflow.github.io/2018/09/11/h-encore.html
https://github.com/TheOfficialFloW/h-encore
edit: or contract
Like, make all the scenes in the US sepia filtered, then make the Latin country’s clear filtered kind of jokes.
Interesting to see that one of the most impactful exploits is in an open source library.
This is illegal AFAIK.
If that was a chain of 5 vulnerabilities for say the iPhone or Android, that would be worth over $1 million.
What's the market for this exploit, though? Who is going to pay never mind $20k but more or less anything for it?