bugcrowd / vulnerability-rating-taxonomy

Bugcrowd’s baseline priority ratings for common security vulnerabilities
https://bugcrowd.com/vrt
Apache License 2.0

Adding a category for Social Media Account takeovers #274

Closed codingo closed 4 years ago

codingo commented 4 years ago

Currently social media account takeovers are being classified as either high impact subdomain takeover or a low impact subdomain takeover. This causes a misalignment of expectation as the impact of a social media account takeover is widely varied and in some cases would be P4, and in others a P1 depending on how widely the account is still referenced on the website(s) in question.

For discussion, a potential new category:

Server Security Misconfiguration - Off-Domain - Social Media Account Takeover (varies)

plr0man commented 4 years ago

The team voted in favor of this new entry having a baseline of P4. This could be potentially classified as follows: P4: Server-Side Injection > Content Spoofing > Social Media Account Takeover

plr0man commented 4 years ago

This has already been discussed to some degree before (see @EdOverflow's writeup in #84). Let's consider an alternative name for this entry: P4: Server-Side Injection > Content Spoofing > Impersonation via Broken Link Hijacking