Single API Key from a Chrome Extension Led to 5.2 Million Exposed Customer Records
作者在探索Chrome扩展时发现某咖啡连锁品牌扩展程序存在IDOR漏洞和不安全API接口,导致敏感凭证暴露。该问题违反了Google政策,在报告后扩展被下架。此案例也反映了Google逐步淘汰Chrome应用的趋势。
Aggregator
Single API Key from a Chrome Extension Led to 5.2 Million Exposed Customer Records
4 months 3 weeks ago
文章描述了一个Chrome扩展的安全漏洞案例:该扩展因暴露不安全API和硬编码密钥导致潜在数据泄露风险。通过负责任的披露,问题得以及时解决,保护了数百万用户的数据安全。
5,000+ Fake Online Pharmacies Websites Selling Counterfeit Medicines
4 months 3 weeks ago
A sophisticated cybercriminal enterprise operating over 5,000 fraudulent online pharmacy websites has been exposed in a comprehensive investigation, revealing one of the largest pharmaceutical fraud networks ever documented. This massive operation, orchestrated by a single threat actor group, targets vulnerable individuals seeking prescription medications through deceptive digital storefronts that mimic legitimate pharmaceutical retailers. The fraudulent […]
The post 5,000+ Fake Online Pharmacies Websites Selling Counterfeit Medicines appeared first on Cyber Security News.
Tushar Subhra Dutta
Submit #625991: Open-Source LitmusChaos 3.19.0 Privilege Escalation via Manipulation of localStorage [Accepted]
4 months 3 weeks ago
Submit #625991 / VDB-319325
maique
Submit #625989: Open-Source LitmusChaos 3.19.0 Unauthorized Project Deletion via Missing Authorization Checks [Accepted]
4 months 3 weeks ago
Submit #625989 / VDB-319324
maique
Submit #625984: Open-Source LitmusChaos 3.19.0 Broken Access Control via Login Response Manipulation [Accepted]
4 months 3 weeks ago
Submit #625984 / VDB-319323
maique
Submit #625982: Open-Source LitmusChaos 3.19.0 Authorization Bypass via LocalStorage [Accepted]
4 months 3 weeks ago
Submit #625982 / VDB-319322
maique
Submit #625956: Open-Source LitmusChaos 3.19.0 IDOR in Project Access Control [Accepted]
4 months 3 weeks ago
Submit #625956 / VDB-319321
maique
Submit #625952: Open-Source Web LitmusChaos 3.19.0 Input Validation Bypass [Accepted]
4 months 3 weeks ago
Submit #625952 / VDB-319320
maique
Submit #625949: Open-Source Web LitmusChaos 3.19.0 Privilege Chaining [Accepted]
4 months 3 weeks ago
Submit #625949 / VDB-319319
maique
So You Wanna Hack 64-bit Binaries?
4 months 3 weeks ago
文章为64位二进制漏洞利用新手提供指南,解释基础概念如寄存器、栈帧、ROP和ASLR,并通过比喻帮助理解。强调无需专业知识,重点在于分析已编译程序的行为异常,并提供解决方案。
Need a Reset | Bugcrowd CTF 2025
4 months 3 weeks ago
文章描述了一个简单的CTF挑战,目标是获得系统管理员权限。作者通过检查页面内容或点击按钮成功获取了管理员访问权限。
Over Bank | Bugcrowd CTF 2025
4 months 3 weeks ago
这篇文章讨论了如何在银行系统中通过特定操作使账户余额变为负数,目标是通过添加正数金额来实现这一目标,并详细介绍了相关挑战和解决方法。
Poisoning the web: Ultimate guide to the web cache poisoning
4 months 3 weeks ago
文章讨论了Web缓存中毒攻击的概念及其潜在影响。通过分析常见漏洞、测试方法及防御措施,揭示了如何利用未正确处理的请求头或参数注入恶意内容,并介绍了检测工具如Param Miner和WCVS等。同时强调了正确配置缓存键的重要性以防止此类攻击。
Think Fast: How Auto-Complete Suggested Me Passwords That Weren’t Mine ᾒf
4 months 3 weeks ago
作者通过工具发现一个配置错误的表单和GraphQL端点,导致浏览器泄露其他用户的密码。
Think Fast: How Auto-Complete Suggested Me Passwords That Weren’t Mine ᾒf
4 months 3 weeks ago
作者通过工具组合进行大规模信息收集时发现一个配置错误的表单和GraphQL端点导致浏览器泄露其他用户密码。
Understanding CSRF and How to Prevent It in Your Application — Part 1
4 months 3 weeks ago
文章解释了跨站请求伪造(CSRF)攻击的工作原理:利用浏览器自动附带认证信息(如会话cookie)和服务器无法区分请求来源的特点,在用户不知情的情况下执行恶意操作(如银行转账)。
Open Sesame | Bugcrowd CTF 2025
4 months 3 weeks ago
文章描述了BlackHat Bugcrowd CTF 2025中的一个挑战,通过Cookie Manipulation技术获取管理员权限以访问特殊笔记中的flag。
Bypassing 403 & 401 Errors: All Hacker Techniques Revealed
4 months 3 weeks ago
文章介绍了如何绕过常见的403 Forbidden和401 Unauthorized错误,解释了这些错误的原因,并提供了通过改变HTTP方法等技巧来解决这些问题的方法。
CVE-2025-8790 | Portabilis i-Educar up to 2.9.0 API Endpoint /module/Api/pessoa ID improper authorization (EUVD-2025-24072)
4 months 3 weeks ago
A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been declared as critical. This vulnerability affects unknown code of the file /module/Api/pessoa of the component API Endpoint. The manipulation of the argument ID leads to improper authorization.
This vulnerability was named CVE-2025-8790. The attack can be initiated remotely. Furthermore, there is an exploit available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com