vulnerability
DuoLingo's TinyCards Android app was vulnerable to content injection attacks due to loading initial web content over unencrypted HTTP instead of HTTPS, allowing MITM attackers to inject arbitrary JavaScript and achieve code execution within the WebView. The vulnerability was fixed in version 1.0 (version code 10) released November 20, 2017.
content-injection
remote-code-execution
android
webview
man-in-the-middle
ssl-bypass
javascript-injection
insecure-transport
mobile-security
http-downgrade
CVE-2017-16905
DuoLingo
TinyCards
Google Play Security Reward Program
Nightwatch Cybersecurity
Yakov Shafranovich