A heap overflow that was found in-the-wild by Google’s Threat Analysis Group (TAG) in Chrome. This bug was in the texture subsystem for webGL GLES with textures created from a shared image, which bypasses the texture manager’s tracking of the max_levels for mipmaps.
Simple enough vulnerable, a POST parameter was directly unserialized, which would often be pretty damning, but vBulletin apparently had put in some effort to make it hard to exploit.
A bit of research on leaking access tokens from OAuth2/OIDC flows, in all cases you already need a cross-site scripting vulnerability to exist on the host recieving the callback, it does present an interesting case of escalating two often unimportant issues, a self-XSS and a Login CSRF, into an account takeover though.
DOM-based XSS in Facebook via Instant Games (a newer feature being gradually rolled out).The vulnerability here is in the goURIOnWindow function which is used for supplying the window location and verifying it…
Simple token leakage bug in Oculus endpoints due to migration from using Facebook accounts to Meta accounts.Where the first party access token was previously difficult to leak due to redirects being made through JavaScript, with the new meta authentication flow, redirection was done directly via URL with the token…
A rather simple bug in validating the origin of a Cross-window message due to inappropriately handling null values.
Starts off with an exposed activity in the KAYAK app, ends up with session hijacking.
BBCode XSS chained with an admin panel SQL injection for potential for code execution.
Service had a proxy.You would go through the oauth flow to get access to Google data, then it had an endpoint that would proxy requests adding the Authorization: header to them to the google backend…
Fun little CSS injection turned full-read SSRF thanks to an (imo) overly powerful PDF generator.
Another type confusion spawned from the usage of unions.This bug occurred in the COM+ (Component Object Model) event system services’ InMemoryRegRow::PutPropertyBag() method when handling PROPVARIANT objects (a generic container object that can hold integers or COM pointers)…
Multiple vulnerabilities were announced in Git, the most interesting to me though are the integer overflows in parsing .gitattributes leading to out-of-bounds reads and writes.
Straight-forward issue, but kinda fun as it impacts the network code in several first-part Nintendo games across multiple consoles (3DS, Wii U, Switch).The NetworkBuffer in the network library has two methods Add and Set which are used to fill the backing buffer with data from the network…
The last time we covered a “how to exploit a null-deref in the modern era” post we were…disappointed (and potentially attacked by North Korea but that’s another story), this one is legit. Rather than focusing on the null-deref as the core memory corruption though, it abuses the handling of the null-dereference with a kernel oops and the side-effects of the oops to overflow a reference count.
Cool, yet simple finding from the DataDog security team where calls to an undocument iamadmin service would also not appear in CloudTrail logs but could reproduce the functionality of several standard IAM service methods.