TL;DR: Login CSRF in combination with an HTTP Referer header-based open redirect in Airbnb’s OAuth login flow, could be abused to steal OAuth access tokens of all Airbnb identity providers and eventually authenticate as the victim on Airbnb’s website and mobile application. This attack did not rely on a specific OAuth identity provider app configuration flaw (e.g. wildcards in whitelisted redirect_uri URLs), which made it generic for all Airbnb’s identity providers (Facebook & Google at...| Arne Swinnen
I publicly disclosed a vulnerability that I responsibly disclosed to Ubiquity via the HackerOne platform. It concerned a subdomain takeover issue via Amazon Cloudfront (ping.ubnt.com) in combination with shared session cookies between subdomains on *.ubnt.com, which ultimately lead to a complete Authentication Bypass of their SSO system (sso.ubnt.com). It can be found here.| Arne Swinnen
Introduction| Arne Swinnen
Introduction| Arne Swinnen
TL;DR: A rogue Android app could read any other App’s file metadata: filename, size, last modification date. If a filename contained sensitive predictable data, the rogue Android app could locally brute-force this, which was the case for Instagram on Android. Through the leakage of filesize and last modification date, a rogue Android app could monitor real-time usage of others apps. The file system permissions bug has been present in Android since the very beginning. Google rated this vulne...| Arne Swinnen
TL;DR: Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This could have allowed a dedicated attacker to steal thousands of EUR/USD/GBP/… . Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited ...| Arne Swinnen
TL;DR: Instagram contained two distinct vulnerabilities that allowed an attacker to brute-force passwords of user accounts. Combined with user enumeration, a weak password policy, no 2FA nor other mitigating security controls, this could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones. Facebook fixed both issues and awarded a combined bounty of $5.000.| Arne Swinnen
TL;DR: Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed to overtake a selection of temporary locked Instagram accounts. An extrapolation of the PoC account range learned that 4% of all existing & active Instagram accounts (approx. 500 million) were in a vulnerable locked state (approx. 20 million). Facebook fixed the vulnerability within a day and granted a $5.000 bounty 10 days later.| Arne Swinnen
TL;DR: Uber was vulnerable to subdomain takeover on saostatic.uber.com via Amazon CloudFront CDN. Moreover, Uber’s recently deployed Single Sign-On (SSO) system at auth.uber.com, which is based on shared cookies between all *.uber.com subdomains, was found vulnerable to session cookie theft by any compromised *.uber.com subdomain. Therefore, the impact of the subdomain takeover could be increased to Authentication Bypass of Uber’s full SSO system, yielding access to all *.uber.com subdoma...| Arne Swinnen