SANS Stormcast Tuesday, April 7th, 2026: Redirects in Phishing; Internet Bug Bounty Suspended; Bluehammer; Keycloak MFA Bypass
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9882.mp3
How often are redirects used in phishing in 2026?
https://isc.sans.edu/diary/How%20often%20are%20redirects%20used%20in%20phishing%20in%202026%3F/32870
HackerOne Suspends Internet Bug Bounty
https://hackerone.com/ibb?type=team
https://www.linkedin.com/posts/danielstenberg_hackerone-share-7446667043380076545-RX9b/
Bluehammer Windows 0-day Privilege Escalation
https://github.com/Nightmare-Eclipse/BlueHammer
https://deadeclipse666.blogspot.com/2026/04/public-disclosure.html
https://deepwiki.com/Nightmare-Eclipse/BlueHammer
Keycloak MFA Bypass CVE-2026-3429
https://access.redhat.com/security/cve/cve-2026-3429
Classes Johannes Ullrich is teaching for SANS:

| Course | Location | Dates |
| --- | --- | --- |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday, April 7th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Jan today followed up on a recent diary of mine. In this diary I mentioned that we do see quite a few attackers that are scanning our honeypots for possible open redirects. There are a couple of reasons why they may be doing this, and one of the suggestions was that these redirects are being used for phishing. And Jan sort of followed up on that and looked at recent phishing emails and tried to figure out how many of these recent phishing emails are using open redirects. So just to be clear about this, an open redirect is a bug, a vulnerability in a website that allows an attacker to essentially use this website as a conduit in a phishing attack, where the user is first being sent to the harmless website, which will then automatically redirect the user to the actual phishing website. This is different from a compromised website where an attacker did add a redirect like this to the particular website. So these open redirects are indeed used quite commonly. Jan found them in about 20 to 30%, roughly, of the different phishing emails that Jan looked at. And of course they're dangerous insofar as these websites being used as a redirect here usually have a good reputation score, are not malicious, not compromised, and as such can often be used to sort of serve as an early first hop in the phishing email chain, which does allow it to pass through many email filters.

And HackerOne has announced last week that they're suspending their Internet Bug Bounty. What was special about the Internet Bug Bounty was that it was really trying to solicit bugs and security vulnerabilities really for open source projects. And then the bounty was actually split between the hacker who found the vulnerability and the open source program. Now, the reason behind that suspension is, well, I could have guessed it, that due to AI-generated bugs, they have a huge increase in the number of vulnerabilities being reported. However, the story isn't all bad. This is also about many of these vulnerabilities being real and being good findings, but it just takes more time to basically vet them, and of course then for open source projects to fix these vulnerabilities, which is why this program, at least for now, is suspended. It's not discontinued. There was a related post from the maintainer of curl. Now, he has been very vocal about some of the AI slop he received in the past. But according to him, lately, some of the vulnerabilities, or really issues, being reported are real and certainly valuable. The problem there is just that some of them are really more functional issues and maybe nothing that really should be fixed, depending on really the use case of this fairly unique tool curl, which sometimes is supposed to act a little bit different or send some invalid HTTP requests. So we'll see where this all goes. But it looks like there has been, really in the last few months, a substantial increase in the quality of vulnerabilities being reported by AI tools.

And talking about bug bounties and how they sometimes can go wrong, there was apparently a dispute between a researcher and Microsoft about a vulnerability in Microsoft Defender. The end result was that the researcher has now published an undocumented proof of concept to GitHub and basically stated, well, this researcher is kind of sick of dealing with Microsoft on this. They're just going to make it public because, well, basically they gave up waiting for Microsoft to either fix it or acknowledge the contribution. Like I said, there wasn't really any documentation how the exploit really worked. However, since then, a couple other researchers have figured out that this particular exploit does abuse a time-of-use, time-of-check or race condition issue in Microsoft Defender. And as a result, a normal user can either become admin or system. That depends a little bit on the platform, and people had slightly different results here that I saw posted to various social media sites. Also, the code as posted was at least initially not fully functional, but has since been fixed by these researchers who ran it. So it's definitely a valid vulnerability, even though not terribly easy to exploit. And yes, just a privilege escalation vulnerability. And of course, no patch available at this point.

And the popular open source authentication server Keycloak has released an update. Usually I don't talk about moderate severity vulnerabilities, but this one is kind of interesting. It does allow an attacker to remove a second factor from an account that is authenticated via Keycloak. The bug here is a vulnerability in the REST API where an attacker can essentially send a request and does not actually have to have possession of the second factor in order to remove it from the account. And of course, an attacker who just has username and password could use this to then bypass multi-factor authentication. There are a number of other vulnerabilities being patched in this update. So definitely take it seriously and do update it. In particular, this vulnerability also appears to be relatively easy to exploit.

Well, and this is it for today. Just a quick note that there will be no podcast on Friday this week due to my travel schedule. But other than that, I hope you're leaving good reviews on your favorite podcast platform, and talk to you again tomorrow. Bye.
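The open redirect pattern described in the first segment (a reputable host whose URL carries the real destination as a parameter) can be triaged offline. The following Python helper is an added example, not code from the ISC diary or the podcast: it follows redirect targets embedded in a link's query string without making any network requests and reports the visible first hop versus the final host. All hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample links of the kind found in phishing emails (placeholders,
# not indicators from the diary).
SAMPLE_LINKS = [
    "https://trusted.example.com/redirect?url=https%3A%2F%2Flogin.evil.example%2Fverify",
    "https://portal.example.org/out?next=//attacker.example/verify&lang=en",
    "https://first.example.com/r?u=https://second.example.com/go?to=https%3A%2F%2Ffinal.evil.example%2F",
    "https://mail.example.com/inbox?folder=spam",
]


def _embedded_url(value):
    """Return an absolute http(s) URL hidden in a query value, else None.
    Handles percent-encoding and protocol-relative targets (//host/path)."""
    v = unquote(value).strip()
    if v.startswith("//"):
        v = "https:" + v
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.netloc:
        return v
    return None


def redirect_chain(url, max_depth=5):
    """Statically follow redirect parameters nested inside a URL.
    Returns the ordered list of hosts a victim would pass through."""
    hosts, current = [], url
    for _ in range(max_depth):
        parts = urlsplit(current)
        hosts.append(parts.netloc.lower())
        nxt = None
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            nxt = _embedded_url(value)
            if nxt:
                break
        if not nxt:
            break
        current = nxt
    return hosts


def classify(url):
    """Summarise a link: the reputable-looking first hop vs. the final host."""
    hosts = redirect_chain(url)
    return {
        "visible_host": hosts[0],
        "final_host": hosts[-1],
        "uses_redirect": len(hosts) > 1 and hosts[0] != hosts[-1],
        "hops": len(hosts) - 1,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link))
```

This only catches redirectors that carry the destination in the URL itself; redirects resolved server-side (short links, database-backed mappings) need a sandboxed fetch to discover the final host.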