As the Black Hat conference ended yesterday, one delegate managed to get free access to the video stream.
Michael Coates, web security lead at Mozilla, said that he was able to get free access to the stream and avoid paying the $395 fee by noticing a series of flaws in the account creation.
He said that he was able to sign up with only an email address (e.g. no name, address, phone etc) and was never asked to enter any credit card data. He said: “Odd I thought, perhaps you enter the credit card info upon your first login. The only problem was that I didn't actually have a registration email with a link to the login page.
“A few select Google searches and I ended up on a relatively vanilla looking login page. I have a username and a key, let's give it a shot. To my surprise the login was accepted and I was now sitting in front of the live Black Hat video stream.”
Admitting that Black Hat do not operate the video service themselves but use a third party for the video application, he said he found it to be ‘a bit ironic that the largest hacking conference in the world has this security hole in their video streaming service'. He also said that the identified flaw has already been fixed.
The winners of the 2010 Pwnie awards were also announced at a reception at the show in Las Vegas, Nevada. The award for best server-side bug went to Apache Struts2 framework remote code execution (CVE-2010-1870), while the best client-side bug went to Java trusted method chaining (CVE-2010-0840).
The award for best privilege escalation bug went to Windows NT #GP trap handler (CVE-2010-0232), for most innovative research to Dionysus Blazakis for Flash Pointer inference and JIT spraying. The Pwnie for ‘most epic fail' went to the Microsoft Internet Explorer 8 XSS filter, which was released with built-in cross-site scripting filters that, for nearly a year after release, enabled cross-site scripting on otherwise secure sites.
Full details of the winners can be found here - http://pwnies.com/winners/