H1–4420: From Quiz to Admin — Chaining Two 0-Days to Compromise An Uber Wordpress
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/
A newly disclosed Instagram security issue, confirmed by Facebook, exposed user account details and phone numbers
https://www.forbes.com/sites/zakdoffman/2019/09/12/new-instagram-hack-exclusive-facebook-confirms-user-accounts-and-phone-numbers-at-risk/
Forbes
Instagram Confirms Security Issue Exposed User Accounts And Phone Numbers—Exclusive
A researcher exposed private user account details and phone numbers by combining two separate security exploits.
Finding Hidden API Keys & How to use them
https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d
Medium
2019-09-12 | SBOM, 10K bug in Chrome, and CORS CORS CORS
https://www.hackerone.com/zerodaily/2019-09-12
HackerOne
2019-09-12 | SBOM, 10K bug in Chrome, and CORS CORS CORS | HackerOne
Thursday, September 12, 2019 The times they are a-changin'. A new hacker community role for your Editor means new flair coming soon with Zero Daily. Expect more hacker stories, profiles, hacktivity highlights, CTF writeups, and PoC data you won't get anywhere…
ZeroMQ libzmq remote code execution
https://hackerone.com/reports/477073
HackerOne
Internet Bug Bounty disclosed on HackerOne: ZeroMQ libzmq remote...
Bug report and exploit: https://github.com/zeromq/libzmq/issues/3351
Fix by me: https://github.com/zeromq/libzmq/pull/3353
My motive for full disclosure is as follows:
Is it true that it is...
XSS while logging using Google
https://hackerone.com/reports/691611
HackerOne
Shopify disclosed on HackerOne: XSS while logging using Google
Hello Security Team,
I have found XSS when we enable login services as
"Allow staff to use external services to log in to Shopify" and we enable Google Apps for login;
we get the "Log in with...
Exploiting JSONP and Bypassing Referer Check
https://medium.com/bugbountywriteup/exploiting-jsonp-and-bypassing-referer-check-2d6e40dfa24
Medium
Hi Folks, hope you are all fine, so this writeup is about exploiting JSONP to extract private data from API endpoints and bypassing the…
When i found multiple command injection
https://medium.com/@chawdamrunal/when-i-found-multiple-command-injection-ad891d3ad9e6
Medium
How two dead accounts allowed REMOTE CRASH of any Instagram android user
https://www.valbrux.it/blog/2019/09/13/how-two-dead-users-allowed-remote-crash-of-any-instagram-android-user/
Valbrux
How two dead accounts allowed REMOTE CRASH of any Instagram android user - Valbrux
Facebook bug bounty remote crash bug
I've been added to Facebook's thanks list. In honor of this, I am sharing with you the POC videos of my first report($1500).
POC 1: youtu.be/YKgLGahkSGw
POC 2: youtu.be/AZyEgF-ksek
Via: https://twitter.com/cyanpiny/status/1172595459099115526
YouTube
instagram_live_DOS_0001
DOM XSS via Shopify.API.remoteRedirect
https://hackerone.com/reports/646505
HackerOne
Shopify disclosed on HackerOne: ██████ DOM XSS via...
Hi, team.
I found a DOM XSS on the apple-business-chat app that seems to be referring to a vulnerable JS file.
For users who have installed this app, just let them use the theme code I provided to...
Simple Voice-Command SQL Injection Hack into Alexa Application
https://www.protego.io/voice-command-sql-injection-hack/
Forwarded from Android Security & Malware
ES File Explorer - Authentication bypass via insecure FTP Activity execution
A third-party app can bypass the master password and start the local FTP server. Because of that, an attacker on the local network could access files on the device without authentication.
https://medium.com/@bhaveshthakur2015/cve-2019-11380-how-i-was-able-to-access-complete-storage-of-es-fileexplorer-end-user-9bd8da5ac3b8
Medium
CVE-2019-11380 | How I was able to access complete storage of ES-FileExplorer End user
ES File Explorer was a very popular file manager with more than 30 lakh (3 million) downloads on the Play Store. I found a critical vulnerability by…
List of Google Dorks for sites that have responsible disclosure program / bug bounty program
https://github.com/sushiwushi/bug-bounty-dorks/
GitHub
GitHub - sushiwushi/bug-bounty-dorks: List of Google Dorks for sites that have responsible disclosure program / bug bounty program
List of Google Dorks for sites that have responsible disclosure program / bug bounty program - sushiwushi/bug-bounty-dorks
Forwarded from Android Security & Malware
Bypass iOS 13 Lockscreen to see contacts info
https://youtu.be/pW0TTnBCA04
YouTube
Without entering the passcode you can see contact info. iOS 13 feature. Read the description please.
Follow me on Twitter for more coming.
http://twitter.com/intent/follow/user?screen_name=vbarraquito
Original video shared to Apple on July 17:
https://youtu.be/7eWJkePoNAU
Sent to Apple in July 2019 as part of a report of two security flaws (Lock screen…
Clicking the "http://burp" hyperlink in the Firefox CA installation guide redirects to "burp.com" (unclaimed website).
https://hackerone.com/reports/694749
HackerOne
PortSwigger Web Security disclosed on HackerOne: Clicking...
Executive Summary
---------------------------------------------------
I was in the process of installing Burp suite community edition on my recent machine where I believe I stumbled across a...