web-security

9 articles

A CORS misconfiguration on api.artsy.net allows attackers to exfiltrate authenticated user credentials and sensitive data (email, phone, authentication tokens, etc.) by hosting malicious JavaScript that exploits the overly permissive Access-Control-Allow-Credentials and Access-Control-Allow-Origin headers.

api.artsy.net MuhammadKhizerJaved GeekBoy HackerOne Bugcrowd Apple Google Facebook BlackHat MEA
blog.securitybreached.org · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details

A security researcher discovered a CORS misconfiguration on a mobile app API that accepted arbitrary origins and included Access-Control-Allow-Credentials, allowing credential-based requests from attacker-controlled domains. Despite identifying the vulnerability, exploitation was limited due to high attack complexity (API only accessible in mobile app), though a proof-of-concept demonstrated the ability to exfiltrate sensitive account information when credentials were available in the browser.

Smaran Chand Bugcrowd Frida Burpsuite Firefox XMLHttpRequest
smaranchand.com.np · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details

A comprehensive writeup documenting multiple race condition vulnerabilities discovered across major platforms including Cobalt.io, Facebook, Mega, and Keybase, demonstrating how concurrent requests can bypass security controls for unauthorized financial transactions, account confirmations, and resource redemptions. The article includes detailed exploitation techniques and timelines of responsible disclosure across various bug bounty programs.

Josip Franjković Cobalt.io Facebook Mega.nz DigitalOcean Keybase Starbucks Medium LastPass LetsEncrypt HackerOne DefuseSec w3af BlueHat KITCTF
josipfranjkovic.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details

A researcher discovered a local file inclusion (LFI) vulnerability on Google's production servers at springboard.google.com through directory enumeration and authorization bypass, escalating from an initial auth bypass to full LFI with admin privileges, ultimately earning a $13,337 bounty from Google's Vulnerability Reward Program.

Omar Espino omespino Google springboard.google.com cloudsearch.google.com Google VRP wfuzz domained masscan SecLists ESCAL8 Intigriti HackerOne CVE-2024-1234
omespino.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
vulnerability

A CSRF vulnerability in Facebook's Instagram Business Tools allowed attackers to execute arbitrary GraphQL mutations by crafting malicious URLs that leveraged the victim's authenticated access token, enabling unauthorized actions like creating posts with malicious content. The vulnerability exploited improper parameter handling in the /business/:id endpoint where user-controlled IDs were sent to the Graph API without proper CSRF protections.

Facebook Instagram business.instagram.com graph.facebook.com BusinessToolsEntrypoint.instagram BusinessStore.instagram SyncAddMutations
philippeharewood.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
vulnerability

A site-wide CSRF vulnerability was discovered on Messenger.com where validation of the CSRF token (fb_dtsg) was completely missing on multiple endpoints, allowing attackers to perform unauthorized actions such as changing settings and removing users from group threads. The vulnerability affected all POST requests regardless of whether the token was modified, removed, or omitted entirely.

messenger.com Facebook @phwd @mazen160 fb_dtsg XMessengerDotComSettingsEditController
whitton.io · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
0 2/10

This article introduces brute-force attacks against web application authentication systems as part of a web security series. Limited technical detail is available from the snippet alone.

medium.com · Laibakashif · 15 hours ago · details
0 2/10

Cloudflare announced a new Account Abuse Protection service in Early Access designed to prevent fraudulent account takeover attacks from both automated bots and human attackers.

Cloudflare
blog.cloudflare.com · Jin-Hee Lee · 16 hours ago · details
0 5/10

A penetration test that discovered an XSS vulnerability in a custom-built AI chatbot, which could be exploited to achieve zero-click account takeover without user interaction.

infosecwriteups.com · Rahul Singh Chauhan · 1 day ago · details