
Latest news with #HackerOne

Exclusive: Corridor raises $5.4M, hires Alex Stamos as security leader

Axios

4 days ago



Corridor, an AI security startup led by two former CISA employees, has raised $5.4 million and hired longtime security heavyweight Alex Stamos as its chief security officer.

Why it matters: Stamos — currently the CSO at SentinelOne and an adjunct professor at Stanford — is a prominent figure across both the cybersecurity industry and the broader tech ecosystem. His decision to join full-time signals the growing urgency of securing AI-generated code — and marks a key endorsement for the startup, co-founded by Jack Cable and Ashwin Ramaswami, in a rapidly crowding field of AI-native security companies.

Driving the news: The $5.4 million seed round was led by AI-focused venture firm Conviction. Notable angel investors include Stamos, Bugcrowd founder Casey Ellis and Duo Security co-founder Jon Oberheide. Corridor already counts buzzy AI coding startup Cursor, fintech company Mercury and threat intelligence firm Grey Noise Intelligence as customers.

Zoom in: Corridor uses AI to automatically discover software vulnerabilities and triage bug bounty reports — including identifying context-heavy issues like authorization flaws that traditional tools often miss.

The big picture: AI has democratized who can write code — but those codebases are often riddled with security flaws that newbie coders can't detect. Nearly half of the programming tasks completed by AI models in a recent Veracode study resulted in code with known security vulnerabilities, the company reported last week in a test of more than 100 large language models. "If security teams are already struggling today, they're certainly going to struggle as engineers are using AI to write code 5-10 times faster," Cable told Axios.

Catch up quick: Stamos first met Cable and Ramaswami — both of whom are in their mid-20s — while they were students at Stanford. "I meet a lot of really smart students at Stanford, but very few of them are as dedicated to security as these two were," Stamos told Axios.

Cable, Corridor's CEO, started bug hunting in high school and eventually ranked among the top 100 hackers on HackerOne. He later led the Secure by Design initiative at CISA, which pushed software vendors to bake in security from the start. Sixty-eight companies signed a pledge under that effort last year. Ramaswami, Corridor's CTO, previously worked alongside Cable at CISA and last year ran a high-profile campaign for Georgia's state Senate — making a name for himself in both tech and politics despite losing.

Between the lines: Stamos says AI is driving a wave of transformation unlike anything he's seen in his 25 years in the field — and creating an enormous gap between how code is written and how it's secured. "These people have no idea how the software works," Stamos added. "And so it is completely impossible for them to understand then how it can be broken."

What to watch: Corridor is building tools that act as "an assistant across every stage of the product security lifecycle," Cable said. The team plans to use the seed round to hire more engineers. It currently has five employees.

Millions of sex toy users had emails and accounts exposed by app flaw

Hindustan Times

31-07-2025



A security researcher has claimed that serious flaws in the Lovense app exposed users' email addresses and allowed full account takeovers for months, potentially exposing their purchase history.

Lovense, a popular maker of internet-connected sex toys with over 20 million users, was first alerted to the vulnerabilities in March. But according to the researcher, who goes by the handle BobDaHacker, the company delayed addressing the issues. One of them has still not been fully fixed.

Emails exposed through app interactions

The researcher discovered that while using the Lovense app, it was possible to see other users' email addresses through a network analysis tool. He discovered this vulnerability when he muted his ex-partner's account and it exposed their email. 'Just muting someone exposed their email… After digging deeper, I figured out how to turn any username into their email address,' the security researcher wrote in a blog post. 'This was especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed.'

A TechCrunch report confirmed the vulnerability by creating a new account and asking the researcher to find the registered email, which they did in under a minute. According to BobDaHacker, a script could reportedly automate this process in less than a second — potentially exposing millions of users and their purchasing activity.

Account takeover possible with just an email

A second vulnerability discovered by the researcher allowed anyone to take over a Lovense user's account using just their email address. The flaw involved the ability to generate valid authentication tokens without needing the user's password. 'Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,' BobDaHacker said.

Lovense says it's fixing the bugs… eventually

Lovense was informed of the issues on March 26, via the Internet of Dongs — a project that helps report security flaws in sex tech. The company paid the researcher $3,000 through HackerOne as part of a bug bounty. However, after months of discussions, Lovense reportedly said it would need 14 months to roll out a fix for the email disclosure issue in order to avoid disrupting users with legacy devices. 'We also evaluated a faster, one-month fix. However, it would require forcing all users to upgrade immediately, which would disrupt support for legacy versions,' Lovense told the researcher, according to the blog post.

In a recent statement to Bleeping Computer, Lovense said an app update 'addressing the latest vulnerabilities' has been submitted to app stores. 'The full update is expected to be pushed to all users within the next week,' the company said.

Crowdsourced security gives CISOs edge in AI & data privacy

Techday NZ

30-07-2025



A new research report from HackerOne reveals how a select group of Chief Information Security Officers (CISOs) are achieving a security advantage by fully leveraging crowdsourced security techniques. The report, entitled 'The 15% Advantage: How High-Performing CISOs Leverage Crowdsourced Security,' is based on a global survey of 400 CISOs from large organisations across 13 industries. It highlights an emerging trend: while almost all CISOs are aware of crowdsourced security methods, only a minority are applying all major components - bug bounties, vulnerability disclosure programmes (VDPs), and third-party penetration testing - in tandem.

Adoption statistics

According to the research, 94% of CISOs are familiar with crowdsourced security. Despite this widespread awareness, just 15% use all three key components together. The report identifies a noticeable difference in outcomes depending on the breadth of adoption. While 73% of CISOs who employ any form of crowdsourced security rate it as effective in identifying and eliminating vulnerabilities, this figure increases to 89% among those deploying the combination of bug bounties, VDPs, and third-party penetration tests.

Alex Rice, Co-Founder and CISO at HackerOne, commented on the increasing responsibilities faced by CISOs today. "There are many demands on the modern CISO. As the CISO role increases in complexity with the responsibility for AI safety and data privacy, it's critical that CISOs leverage the full spectrum of offensive security tools to keep pace with modern threats," he said.

Changing CISO roles

The findings underscore the expanding remit of CISOs in enterprise environments. The survey indicates that 84% of CISOs are now responsible for AI safety, reflecting a significant shift from traditional cybersecurity priorities. Data privacy is also prominent, with 82% of respondents reporting oversight responsibility in this area.

Kara Sprague, Chief Executive Officer of HackerOne, emphasised the evolving nature of security leadership in an AI-driven climate. "Crowdsourced security isn't new. But leading with it in the age of AI is what sets today's top CISOs apart. As AI expands the enterprise attack surface and raises the stakes for rapid response, human ingenuity and outside perspective are more essential than ever. Organisations seeing the most value engage the global community of independent security researchers for responsible vulnerability disclosure, bug bounty, and pentesting across their digital assets and AI systems. This is about moving beyond experimentation and point solutions - toward a proactive, integrated approach."

Effectiveness and future plans

The report outlines clear effectiveness in using crowdsourced security for critical new risks, including AI vulnerabilities. Of the CISOs currently deploying crowdsourced methods, 81% find them effective for discovering and eliminating threats within AI systems. Additionally, 88% cite positive outcomes from crowdsourced approaches in general. For those not yet utilising crowdsourced security, interest is high. 86% of CISOs in this group intend to adopt such measures within the next year, with more than half specifically planning to address AI-related security risks.

Organisational motivation

The report notes that offensive security is increasingly a board-level concern, driving demand for external perspectives and tests that can surface issues missed by in-house teams. High-performing CISOs adopting all three key elements of crowdsourced security appear to realise stronger protection, supporting a trend towards more proactive and comprehensive security measures in large organisations.

The survey data and accompanying analysis in 'The 15% Advantage' highlight how the adoption of a full range of crowdsourced security practices is emerging as a strategic approach among a leading subset of CISOs to address contemporary threats, particularly related to AI and data privacy.

Sex toy maker Lovense caught leaking users' email addresses and exposing accounts to takeovers

Yahoo

29-07-2025



A security researcher says sex toy maker Lovense has failed to fully fix two security flaws that expose the private email address of its users and allow the takeover of any user's account.

The researcher, who goes by the handle BobDaHacker, published details of the bugs on Monday after Lovense claimed it would need 14 months to fix the flaws so as to not inconvenience users of some of its legacy products.

Lovense is one of the largest makers of internet-connected sex toys, and is said to have more than 20 million users. The company made headlines in 2023 for becoming one of the first sex toy makers to integrate ChatGPT into its products. But the inherent security risks in connecting sex toys to the internet can put users at risk of real-world harm if something goes wrong, including device lock-ins and data privacy leaks.

BobDaHacker said they discovered that Lovense was leaking other people's email addresses while using the app. Although other users' email addresses were not visible to users in the app, anyone using a network analysis tool to inspect the data flowing in and out of the app would see the other user's email address when interacting with them, such as muting them. By modifying the network request from a logged-in account, BobDaHacker said they could associate any Lovense username with their registered email address, potentially exposing any customer who has signed up to Lovense with an identifiable email address.

'This was especially bad for cam models who share their usernames publicly but obviously don't want their personal emails exposed,' BobDaHacker wrote in their blog post.

TechCrunch verified this bug by creating a new account on Lovense and asking BobDaHacker to reveal our registered email address, which they did in about a minute. By automating the process with a computer script, the researcher said they could obtain a user's email address in less than a second.

BobDaHacker said a second vulnerability allowed them to take over any Lovense user's account using just their email address, which could be derived from the earlier bug. This bug lets anyone create authentication tokens for accessing a Lovense account without needing a password, allowing an attacker to remotely control the account as if they were the real user.

'Cam models use these tools for work, so this was a huge deal. Literally anyone could take over any account just by knowing the email address,' said BobDaHacker. The bugs affect anyone with a Lovense account or device.

BobDaHacker disclosed the bugs to Lovense on March 26 via the Internet of Dongs, a project that aims to improve the security and privacy of sex toys, and helps report and disclose flaws to device makers. According to BobDaHacker, they were awarded a total of $3,000 via bug bounty site HackerOne.

But after several weeks of back and forth disputing whether the bugs were actually fixed, the researcher went public this week after Lovense requested 14 months to fix the flaws. (Security researchers typically grant vendors three months or less to fix a security bug before going public with their findings.) The company told BobDaHacker in the same email that it decided against a 'faster, one-month fix,' which would have required forcing customers using older products to upgrade their apps immediately. The researcher notified the company ahead of disclosure, per an email seen by TechCrunch.

BobDaHacker said in a blog post update on Tuesday that the bug may have been identified by another researcher as far back as September 2023, but the bug was allegedly closed without a fix.

Lovense did not respond to an email from TechCrunch.

Sex toy maker Lovense caught leaking users' email addresses and exposing accounts to takeovers

TechCrunch

29-07-2025



