Vulnerabilities (Page 2)

Cross-Account Container Takeover in Azure Container Instances

tl;dr: A neat chain to escape from, and then impact other containers on, Azure Container Instances hosted on Kubernetes clusters (some instances are hosted on Service Fabric clusters, which are not vulnerable in this way). The first step is the container escape itself onto the node/VM hosting the container, followed by a leaked JWT that can be used to run commands against all nodes in the cluster.


Create free Shopify application credits

The Shopify GraphQL endpoint has a mutation, appCreditCreate, that lets Shopify apps issue credits to merchants which can be used towards future app purchases. While this mutation cannot be used through the GraphQL endpoint at /admin/internal/web/graphql/core, the GraphiQL app provided by Shopify does allow the mutation…


Bypassing a Magic Number Check for Code Injection

An easy vulnerability that shows how checking the magic numbers of a file isn’t always sufficient. For some types of files, all that matters is that the processor can detect its own content within another file…


Replay-based attack on Honda and Acura vehicles

The title describes this issue fairly accurately: there is little to no security implemented in Honda and Acura keys/remotes. An attacker can simply capture a transmission and then replay it to the vehicle at a later time…


Three Facebook Bugs Leading to Account Takeover

tl;dr: The OAuth endpoint parses the URL parameters redirect_uri and redirect_uri[0 (note the missing ]) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys, and so redirects the OAuth token to redirect_uri while the endpoint validates that the other value points to a whitelisted location.


Snapchat Exposes "One Tap Passwords" for any user

I’m not sure what the normal flow for a “One Tap Password” is, but /scauth/otp/droid/logout can be used to retrieve an OTP token in the response, which can then be passed to /scauth/otp/login along with the username to log in.