When auditing a MailChimp client for Cobalt.io I noticed that this company suffers from a Reflected File Download vulnerability that could be exploited only by […]
Multiple vulns on mTouch Quiz WordPress plugin
Plugin link: https://wordpress.org/plugins/mtouch-quiz/
Active Installs: 5,000+
Version tested: 3.1.2
CVE Reference: Waiting
mTouch Quiz lets you add quizzes to your site. This plugin was designed […]
XSS on an input hidden field
…where you have the input sanitized for ‘<> chars. I came across a web application on a bounty program where the returnurl was placed in […]
Workable Reflected File Download
For those who don’t know Workable.com… Workable is affordable, usable hiring software. It replaces email and spreadsheets with an applicant tracking system that your team […]
Should bug hunters provide real personal data on bug appreciation programs?
That’s a question that sometimes comes to the mind of many “hunters”. Personally, in most cases, when I participate in these programs, I use fake information […]
DepositFiles ZeroClipboard.swf XSS
DepositFiles is a file storage website and one of the most popular ones. They have been online since 2005 and recently started using the dfiles.eu domain instead […]
A few words about Anonymous to Tek Sapo
Luis Grangeia and I talked to the Portuguese media outlet Tek Sapo about Anonymous and terrorism. Worth taking a look at the article. [Portuguese only]
Bytes that Rock voting manipulation
Rocky Bytes is a company well known for its informative reviews and news on all the latest games and programs. Each year they promote Bytes […]
Tiny XSS exploitation
A well-known website had a limit of 32 chars on the user name field that was reflected in the public profile area. That field allowed […]
Thanks Edmodo for the swag
Got some cool gifts from Edmodo. Always glad to help others to improve their security 🙂