Comprehensive analysis of cookie tossing and three impactful attacks it enables, each either novel or previously poorly documented. Based on vulnerabilities identified in Swisscom, Project Jupyter, and Perplexity AI.

Discovering Logic Vulnerabilities in Swisscom's End-to-End Encrypted Cloud Storage

Thomas Houhou

Deep dive into two logic vulnerabilities discovered and reported through Swisscom's Bug Bounty Program. These affected MyCloud Safe, Swisscom's end-to-end encrypted cloud storage solution. This post concludes with some thoughts about finding more complex vulnerabilities.

New!

March 10, 2024

Securing the Computer Security Course: Discovering a Session Hijacking Vulnerability in EPFL's COM-301 Website

Thomas Houhou

Story and details about a session-related vulnerability found in EPFL's COM-301 homework submission and grading website, which eventually allowed any student to take over another student's account.

Get notified of new posts!

Feel free to sign-up right below to receive an email every time a new post is published :)

Cookie Tossing: Self-XSS Exploitation, Multi-Step Process Hijacking, and Targeted Action Poisoning

Discovering Logic Vulnerabilities in Swisscom's End-to-End Encrypted Cloud Storage

Securing the Computer Security Course: Discovering a Session Hijacking Vulnerability in EPFL's COM-301 Website

Get notified of new posts!