On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server.
Between March 2023 and May 2023, we identified multiple security vulnerabilities within points.com, the backend provider for a significant portion of airline and hotel rewards programs. These vulnerabilities would have enabled an attacker to access sensitive customer account information, including names, billing addresses, redacted credit card...
While we were visiting the University of Maryland, we came across a fleet of electric scooters scattered across the campus and couldn't resist poking at the scooter's mobile app. To our surprise, our actions caused the horns and headlights on all of the scooters to turn on and stay on for 15 minutes straight.
On August 24th, 2022, we reported a vulnerability to Netlify affecting their Next.js "netlify-ipx" repository which would allow an attacker to achieve persistent cross-site scripting and full-response server side request forgery on any website out of the box.
Jackpot, full arbitrary account takeover of any chess.com user!
Between July 6th and October 6th, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, Tanner Barnes and I worked together and hacked on the Apple bug bounty program.
After a long day of trying and failing to find vulnerabilities on the Verizon Media bug bounty program I decided to call it quits and do some chores. I needed to buy gifts for a friend's birthday and went online to order a Starbucks gift card.
Nearly every one of the successful bug bounty hunters I've met seems to have one thing in common, and that is that they absolutely love what they do.
Rocket League gives out in-game "white hats" for your character to wear if you submit, what is deemed by them, to be a "severe security vulnerability". Over the idle time provided by the ongoing pandemic, I decided why not try my luck at getting one of these items.
I was in San Francisco with some friends in the few days leading up to finding this bug. We'd spent the day hacking before a few of us were traveling to Vegas for DEF CON the next day. Some of them were going on a road trip and I decided to join them at the last minute, trading my seat for a travel voucher and leaving my checked baggage with all...
The CVE-2019-14994 vulnerability allows an attacker, if able to access the customer portal, to traverse to the administrative portal and view issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.
One of the more interesting things I've had the opportunity to hack on is the Tesla Model 3. It has a built-in web browser, free premium LTE, and over-the-air software updates. It's a network-connected computer on wheels that drives really fast.
One of the more common vulnerabilities in ASP.NET applications is local file disclosure. If you've never developed or worked with this technology, exploiting LFD can be confusing and often unfruitful. In the following write-up I describe approaching an application that ended up being vulnerable to LFD, then going on to exploit it.
The specific application that I've been targeting over the last few weeks is a bitcoin gambling website where a stock will progressively rise over time. The gambler decides the amount of money they would like to put in and a multiplier to payout at. As the multiplier goes up, they have an option to click a button and receive whatever returns they...
When I'm not doing bug bounty or studying for school I'll often be playing Counter-Strike: Global Offensive or PLAYERUNKNOWN'S BATTLEGROUNDS. Both of these games are awesome and really fun to play, but something interesting about them is that their tradable in-game items are very valuable. Due to the high prices of items and often underage...
The Yahoo small business platform was storing user information in a set of directories that were protected simply by obscurity. An attacker, with knowledge of the victim's email, could run a wordlist against a very predictable/guessable service ID and use the information in the response to view the victim's payment information.
The following article details the successful exploitation of a server-side request forgery vulnerability in Yahoo's small business platform.
If you decided to go out and spontaneously develop a content management system, one of the most crucial and necessary components would be the authentication of user accounts. This function is generally accomplished through designation of a username and password (normally created by the user), but can get messy when you have to deal with real world...
On the night of May 20th I had begun to develop a small headache and neck pains after spending days looking at Yahoo's messenger application. I couldn't get a grasp of how it operated, so I stepped outside and made the decision to find a new target.
Thinking back to old forum days I can specifically remember an event where attackers modified their avatars to be invalid pages that responded with "HTTP 401 Unauthorized". This didn't really seem like an issue because there was interaction required by the users and the community was smart enough to simply close the prompt. After a long night of...
When looking at bug bounty programs that have existed for a long time it's often beneficial to assume that every public-facing page has already been automatically scanned to death. In many cases this isn't valid because of the types of tools people use, different scopes people prefer, or the tendency for these scanners to break or return false...