A security researcher discovered a CORS misconfiguration in a mobile app's API: it reflected arbitrary origins in Access-Control-Allow-Origin and also sent Access-Control-Allow-Credentials, so credentialed cross-origin requests from attacker-controlled domains were accepted. Exploitation was nonetheless limited by high attack complexity, since the API was only reachable from the mobile app, though a proof-of-concept demonstrated that sensitive account information could be exfiltrated whenever the credentials were available in the browser.
cors-misconfiguration
cross-origin-resource-sharing
bug-bounty
mobile-app-security
api-security
access-control-allow-credentials
network-interception
frida
burpsuite
credential-theft
proof-of-concept
web-security
Smaran Chand
Bugcrowd
Frida
Burpsuite
Firefox
XMLHttpRequest