
I hope everyone is safe and well! I have not been active on the blog recently. It's time for an update on what I've been doing.

Today I am writing a short article on my disclosure to Oracle.


It was a casual day, browsing the internet, looking for my next victim (joke!), when a page that belonged to Oracle had an error that caught my attention. I decided to have a look into it, mainly because of the domain name where the error occurred: it was a bank that provides financial infrastructure to deliver a range of B2B banking solutions and services, enabling businesses to trade globally.

They are using digitally disruptive technology that frees them from the legacy systems that make those traditional banks slow and expensive.

After doing some white magic (DNS level), I had taken over the bank's domain, which would also result in taking over Oracle's domain, essentially owning 2 high-authority domains in one go.

wizzard, spells book

This is the type of issue that would benefit someone with malicious intent and little know-how. This was concerning to me because the banking company currently processes 130 billion in payments annually for its clients, which include banks, card entities, and payment gateways that choose. It also has partnerships with several other banks to provide direct clearing access, making the payments faster and cheaper.

Dark Wizzard

Because I found this through Oracle, it was time to send them an e-mail and point out my concern. The Oracle security team was prompt, fixed the issue that lay on their end, and informed the 3rd party as well.

A few weeks go by and I receive an e-mail to say that I will be given credit in the upcoming Critical Patch Update, due to be released at 1:00 PM, U.S. Pacific Time, on January 19, 2021.

Oracle Online Presence Security Contributor
Oracle Critical Patch Update Advisory - January 2021

For ~2 months, it looks like I've been absent from my blog and my usual hobbies: Hack The Box, CTFs and so on. I had to put my priorities first: my University assessments, which were quite odd due to this year's being digitally delivered.

Unfortunately, there are only so many hours in a day and my time is already so limited; as my kids are growing, they require more and more of my attention.

Despite all this, I have been doing lots of cool stuff and I have many stories like this one to talk about! At the moment Hack The Box is on pause, CTFs are on pause and looking for bugs is on pause as well. This is because I've committed to a bigger project! Stay tuned to find out more.

Have you got any suggestions or questions for me? Get in touch!

Thank you for reading my article. Until next time!

Your friendly neighbourhood Hacker.
