Cookie stuffing: How we are part of a fraud of millions of dollars

What is Cookie stuffing fraud?

Cookie stuffing is an activity that allows online actors to defraud affiliate marketing programs by causing themselves to receive credit for purchases made by web users (in this case, users who made an online purchase at Amazon, Walmart, eBay or any other online store), even if the affiliate marketer didn’t actively perform any marketing for the affiliate program. It occurs when a fraudulent publisher tricks a web user’s browser into visiting an online store that the web user didn’t intend to visit. This causes the online store to record that the publisher generated the “sale” and gives the fraudulent publisher credit for any purchases the web user might make.

TopCoder.com Vulnerabilities – A tail of site-wide bugs leads to accounts compromise & payments hijacking

Hi Folks,
TopCoder.com is a website where the most skilled coders around the world solve challenges, compete and write code to achieve specific tasks. High-profile companies (Facebook, Google, Twitter, etc.) get help from such websites in their recruitment process!

Microsoft Yammer Clickjacking – Exploiting HTML5 Security Features

Introduction:

Modern web applications rely on many technologies in which typical web application vulnerabilities are hard to find (e.g. clickjacking is an ABC security bug), but bug hunters are always the best!

Yammer is a freemium enterprise social networking service used for private communication within organizations. Access to a Yammer network is determined by a user’s Internet domain so that only individuals with approved email addresses may join their respective networks.

When your privacy disclosure is a “feature” not a “bug” – Badoo & HotorNot failure!

Your privacy on the internet is the biggest concern ever, and when it comes to “dating websites” and “social networks” it matters even more!

Let me tell you a story of two websites that don’t respect yours and put it in danger…

Fiverr.com Full Accounts Takeover – A Vulnerability Puts $50 Million Company At Risk

Fiverr.com, a global online marketplace that provides a platform for people to sell their services for five dollars per job, is vulnerable to a critical web application vulnerability that puts its millions of users at risk.

Fiverr raised $30 million in a third round of institutional funding to continue supporting the new version of its marketplace, but the company ignored the advance warning of the critical bug reported responsibly by a vulnerability hunter and failed to patch its website before his public release.

Facebook Vulnerability – a “Cute Bug” that reveals the “likes” of deleted posts regardless of their privacy settings

Hi Folks,
My name is Mohamed Abdel Aty, an Egyptian web developer & bug hunter. Today I would like to share with you a “cute” bug I found while doing some bug hunting on Facebook.

Testing different sub-domains is a common procedure in bug hunting. While searching the domain “mbasic.facebook.com” I noticed this link

FirefoxOS Find My Device Service Clickjacking Bug results in Changing PINs, Wiping and Locking Phones!

Introduction:

Physical devices connected to web applications have made everything easy to manage. Screen size, availability, usage, etc. are what push everyone to manage their devices through their desktops/laptops! On the other hand, such advantages pose a threat if these web applications contain security issues!

For example, Android devices can be managed through “Google Device Manager”, iOS devices through the “iCloud service”, Windows Phone devices via your Microsoft account, FirefoxOS devices through your Mozilla account, and finally Internet of Things (IoT) devices are connected to their own vendors’ dedicated web apps!!

Facebook movies recommendation vulnerability – A bug capable of erasing all your important notifications!

Hi Folks,

Facebook is the largest social network ever known on the internet. People use Facebook for contacting friends and family, and sometimes for work!

When it comes to work, that means important notifications from your company’s page, work account, work admins, business accounts, etc…

WhatsApp Clickjacking Vulnerability – Yet another web client failure!

Hi Folks,
I know it’s a little bit lame to mention 2 clickjacking vulnerabilities in a row, but that is what bug hunters always do: exposing the largest companies’ security failures. (Previously it was Telegram.) This time it is the gigantic, well-known 19 billion dollar messenger WhatsApp.

Official Telegram Web Client ClickJacking Vulnerability – When crypto is strong and client is weak

[*] Introduction:

Modern web applications rely on many technologies in which typical web application vulnerabilities are hard to find (e.g. clickjacking is an ABC security bug), but bug hunters are always the best!
