Posts

• Dec 20, 2017

  Account Takeover Due to Misconfigured Login with Facebook/Google

  The mobile applications that uses Login with Facebook or Login with Google, I’ve found more than 70% of them suffers a misconfiguration in validating the tokens at their backend which leads to account takeover.

• Aug 20, 2017

  Zomato Account Takeover using Victim's Facebook ID

  This was an issue, I reported to Zomato a few months back where an attacker could have compromised any user’s account who had linked their Facebook with Zomato. And since most of the people use Login with Facebook nowadays, I was actually able to gain access to over 1000s of user accounts.

• Aug 19, 2017

  Extracting Sensitive PII From a Tracking Number in Grab Parcel

  While checking out Grab Parcel website, I found a link that looked a bit suspicious to me as it was from a different domain.

subscribe via RSS