Advisories

Practical write-ups, vulnerability advisories, and deep-dive security research.

Jun 19, 2024 Advisories

Sign-in with World ID: XSS and ATO via OIDC Form Post Response Mode

Recently, Tools for Humanity partnered with the German HackerOne Club to run a one-week virtual and in-person Hacking Meetup. In the course of the meetup, a critical vulnerability within the Sign-in with World ID implementation was found, which affected the OpenID Connect form_post Response Mode and could allow malicious actors to take over end-user accounts at third-party applications that utilize the Sign-in with World ID mechanism. The vulnerability was addressed within a few hours after triage.

4 min read
Jun 18, 2022 Advisories

Personal Access Token Disclosure in Asana Desktop Application

This post gives an insight into a sensitive data exposure vulnerability in Asana for Mac that was rated as P1 and was awarded a bounty. This was the very first report of that kind for me. Still, I think this type of deployment and build chain issue is more common than one may think.

5 min read
Dec 18, 2021 Advisories

Flickr Account Takeover

This post gives a deep dive into a critical security flaw that was present in Flickr’s login flow. The authentication at identity.flickr.com is implemented using AWS Cognito. By exploiting configuration issues and violations of the OpenID Connect specification, it was possible to take over any Flickr account without user interaction.

8 min read
Nov 01, 2020 Advisories

CVE-2020-13294

The following (slightly modified) advisory was sent to GitLab via HackerOne on 19th June 2020.

5 min read
May 09, 2019 Advisories

CVE-2019-11832

The following (slightly modified) advisory was sent to the TYPO3 security team (security@typo3.org) on 28th January 2019.

4 min read