Vulnerabilities (Page 54)

Replay-based attack on Honda and Acura vehicles

The title pretty accurately describes this issue: there is little to no security implemented within Honda and Acura keys/remotes. An attacker can simply capture the remote's signal and then replay it at a later time to the vehicle…


Three Facebook Bugs Leading to Account Takeover

tl;dr - The OAuth endpoint parses the URL parameters redirect_uri and redirect_uri[0 (note the missing ]) as pointing to the same variable, allowing the second to overwrite the first. The front-end, however, sees them as two distinct keys, so it redirects the OAuth token to the redirect_uri value while the endpoint validates that the other value points to a whitelisted location.


SnapChat Exposes "One Tap Passwords" for any user

I’m not sure what the normal flow for a “One Tap Password” is, but /scauth/otp/droid/logout can be used to retrieve an OTP token in the response, which can be passed to /scauth/otp/login along with the username to log in.


Open Redirects in JetBrains Applications leading to Account Hijacking

After finding an open redirect in Datalore’s endpoint for authenticating via JetBrains, the author dug into the auth process to see if it could be turned into an attack. They discovered that if an auth_url parameter was specified (which had to be a valid JetBrains subdomain), Datalore would send the user, as well as their JWT token, to the given URL…


IDOR in Undocumented Method of JetBrain's YouTrack

When looking into the API internals of JetBrains’ YouTrack, the author discovered an undocumented endpoint for getting issue descriptions without any styling or markdown. This endpoint was not protected by role validation or any user authentication at all, likely because it’s only meant to be used internally…