"Retrieving deleted direct message conversations on Twitter": This post details a functional bug in Twitter's business logic which allows users to access direct message conversations after client-side deletion has taken place, as well as any conversations had with user accounts that are in a suspended or deactivated state. The bug allows users to retrieve all content of such conversations, […]
"Extracting personal phone numbers linked to Aadhaar": Introduction. The purpose of this article is to demonstrate how the personal phone number linked to any given Aadhaar can be recovered due to problems in the implementation of the text-based (OTP) authentication mechanism which websites offering Aadhaar authentication rely on. Websites which make use of text-based (OTP) Aadhaar authentication display to the user only the last […]
"PayPal: Disclosure of account balance and recent transactions": Introduction. This post details an issue which allows for enumeration of the last four digits of a payment method (such as a credit or debit card) and for the disclosure of the account balance and recent transactions of any given PayPal account. This attack was submitted to PayPal's bug bounty program, where it was classified as being […]
"Fuzzing for obfuscated phone numbers": Introduction. In the current age of information, any technology you own could potentially be used as an avenue for attack, including your mobile phone. In writing and publishing this piece, I am hoping to highlight the risk of linking a single invariable phone number across all of your online accounts, and how doing so could […]