This post gives an insight into a sensitive data exposure vulnerability in Asana for Mac that was rated as P1 and was awarded a bounty.

This was the very first report of that kind for me. Still, I think this type of deployment and build chain issue is more common than one may think.

This post gives a deep dive into a critical security flaw that was present in Flickr’s login flow.

The authentication at identity.flickr.com is implemented using AWS Cognito. By exploiting configuration issues and violations of the OpenID Connect specification, it was possible to takeover any Flickr account without user interaction.

The following (slightly modified) vulnerability report was sent to TikTok using Hackerone on 17th October 2020 and was resolved within 12 days.