bug-bounty507
xss274
rce154
google122
bragging-post119
account-takeover115
facebook111
privilege-escalation101
exploit98
malware97
authentication-bypass95
open-source94
microsoft90
csrf87
access-control78
stored-xss75
cve73
ai-agents67
web-security66
reflected-xss63
phishing60
information-disclosure52
input-validation52
sql-injection51
smart-contract49
privacy49
cross-site-scripting48
ssrf48
defi48
tool46
reverse-engineering46
ethereum46
writeup45
api-security45
ai-security41
apple40
vulnerability-disclosure40
web-application38
llm38
opinion37
burp-suite37
automation36
web336
responsible-disclosure35
credential-theft35
remote-code-execution34
supply-chain34
race-condition34
browser33
infrastructure33
0
8/10
ByteDance's Pangle SDK, embedded in 40+ popular apps including Duolingo and BeReal, transmits sensitive device fingerprinting data (battery level, IP address, storage, IDFV) encrypted with AES-256-CBC where the encryption key and IV are embedded in every message in plaintext, making the encryption trivial to break via reverse-engineered SDK code. Additionally, a hardcoded AES key was found in the native library, shared across all SDK versions.
encryption-weakness
reverse-engineering
bytedance
pangle-sdk
mobile-security
data-collection
cryptanalysis
device-fingerprinting
aes-encryption
android-security
ios-security
privacy
tldr-weak-key-management
ByteDance
Pangle SDK
Duolingo
BeReal
Character.AI
Wattpad
Letterboxd
HelloTalk
SmartNews
Sweatcoin
CamScanner
libtobEmbedPagEncrypt.so
libpglarmor.so
PangleEncryptManager.java
PglCryptUtils.java
aT.java
AES-256-CBC
ECIES
api16-access-ttp.tiktokpangle.us