Business Logic Vulnerabilities Series: Hot Fixes Getting Cold, A journey of 7 Versions/Years of a sole Facebook vulnerability!

Hi Folks, This is the third part of A brief on Abusing Invitation Systems blog post, In case you have missed the previous parts of this story of write-ups, it is advised to have a sneak peak at the First & Second part before you go on with this post. So before we kick off to our case study let’s get a brief about some technical terms first, I am Ali Kabeel an Application Security Intern at Seekurity and let’s dive in…

Continue reading “Business Logic Vulnerabilities Series: Hot Fixes Getting Cold, A journey of 7 Versions/Years of a sole Facebook vulnerability!”

Share

Fitbit – APIs and Access Control Failures, a simple API bug allowed to harvest millions of user private activities!


In this write-up we will show you how Seekurity team was able to harvest all the user’s private/custom activities leaves more than 20 million private custom activities data in danger.

First of all, this write-up is not a new one and the discovery itself is dated back to 2017 but we decided to disclose it right now after we gave Fitbit the reasonable amount of time to patch the vulnerability and to protect the health data about the users!

Continue reading “Fitbit – APIs and Access Control Failures, a simple API bug allowed to harvest millions of user private activities!”

Share

CryptoJacking by Clickjacking: Bypassing Coinhive OPT-IN feature and trick users into Cryptocurrency mining!

Today’s discovery is not a big deal too, just another Clickjacking in the world, but this time in the newly added “OPT-IN” feature by coinhive and authedmine but first let’s know some terms before we begin.

What is Coinhive?

Coinhive is a cryptocurrency mining service that relies on a small chunk of javascript code designed to be installed on Web sites.

Continue reading “CryptoJacking by Clickjacking: Bypassing Coinhive OPT-IN feature and trick users into Cryptocurrency mining!”

Share

United Nations (UN) – A tail of leaking thousands of Job Applicants CVs and documents online, Path Disclosure and Information Disclosure Vulnerabilities!

In this blogpost we will clarify how we found A tail of vulnerabilities from leaking thousands of Job Applicants CVs and documents online to Path Disclosure and Information Disclosure Vulnerabilities in one of United Nations WordPress websites but first what is United Nations?

The United Nations (UN) is an intergovernmental organization tasked to promote international co-operation and to create and maintain international order. A replacement for the ineffective League of Nations, the organization was established on 24 October 1945 after World War II with the aim of preventing another such conflict. At its founding, the UN had 51 member states; there are now 193. The headquarters of the UN is in Manhattan, New York City, and is subject to extraterritoriality. Further main offices are situated in Geneva, Nairobi, and Vienna. The organization is financed by assessed and voluntary contributions from its member states. Its objectives include maintaining international peace and security, promoting human rights, fostering social and economic development, protecting the environment, and providing humanitarian aid in cases of famine, natural disaster, and armed conflict. The UN is the largest, most familiar, most internationally represented and most powerful intergovernmental organization in the world. –Wikipedia

Continue reading “United Nations (UN) – A tail of leaking thousands of Job Applicants CVs and documents online, Path Disclosure and Information Disclosure Vulnerabilities!”

Share

Business Logic Vulnerabilities Series: A Story of a 4-Years-old (and counting) Facebook Security Bug!

Hi Guys,
I am Ali Kabeel an Application Security Intern at Seekurity team. This is Second part of A brief on Abusing Invitation Systems blog post . In this blog post I will be mainly focusing on how I was able “by following the tips and tricks in the previous blog post” to bypass Facebook fixes for 4 consecutive years.In case you are not familiar with concepts, take a sneak peak on the previous blog before continuing with this one ;).

Continue reading “Business Logic Vulnerabilities Series: A Story of a 4-Years-old (and counting) Facebook Security Bug!”

Share

Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability

What is Asus Control Center?

ASUS Control Center is a whole new centralized IT management software. The software is capable of monitoring and controlling ASUS servers, workstations, and commercial products including notebooks, desktops, All-in-One (AiO) PCs, thin client, and digital signage.

Continue reading “Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability”

Share

Fuga de datos en Aliada, la limpieza empieza por la casa…

Hace algún tiempo mientras realizabamos una búsqueda en Google de archivos con extensión “TXT”, nos encontramos con que Google había indexado un archivo de una URL que contenía un nombre muy familiar… Aliada.

Para los que no conocen que es Aliada, aquí la descripción que se encuentra en su sitio web:

“Aliada es la plataforma que permite crear la conexión ideal entre mujeres que pueden ofrecer servicios de limpieza y personas que necesitan ayuda en su casa u oficina.”.

Continue reading “Fuga de datos en Aliada, la limpieza empieza por la casa…”

Share

Hijacking User’s Private Information access_token from Microsoft Office360 facebook App

Hi Guys, Today i would like to show you how a single misconfiguration issue would jeopardize the user’s privacy if maliciously exploited hence hijack user “access_token” from Microsoft Office360 facebook App. Microsoft decided that this Office365 facebook app is NOT under their Microsoft Online Services bug bounty scope although we proved that our discovered bug can result in stealing Microsoft Office facebook App Access Token and that’s due to a misconfiguration in Microsoft Office Facebook App itself.

Continue reading “Hijacking User’s Private Information access_token from Microsoft Office360 facebook App”

Share

Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability!

(Photo Illustration by Thomas Trutschel/Photothek via Getty Images)

Hi Guys, I hope all of you are doing great and in a well state.

Today i will show you a ClickJacking bug i found in Instagram that allowed me to iframe ajax responses and leads attackers to steal your instagram connected applications tokens hence hijack your account!

Continue reading “Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability!”

Share

The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability!

Hi Guys, How are you doing? Well i’ll consider and hope the answer is “Fine”… Today i will show you a bug i found in Facebook without even using any kind of testing tools BUT those kind of bugs requires what’s more than tools, it requires a hawk-eye, A platform-aware bug hunter mentality, a poet and an awesome morning cup of coffee, So don’t expect to gain technical skills from this blog post, only some pro tips and hunting mentality experience!

This is merely the second time i’m sending a report to Facebook Security Team without writing a piece of code!

Continue reading “The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability!”

Share