JULY 15, 2024
Cookie Tossing: Self-XSS Exploitation, Multi-Step Process Hijacking, and Targeted Action Poisoning
Comprehensive analysis of cookie tossing and three impactful attacks it enables, each either novel or previously poorly documented. Based on vulnerabilities identified in Swisscom, Project Jupyter, and Perplexity AI.
APRIL 08, 2024
Discovering Logic Vulnerabilities in Swisscom's End-to-End Encrypted Cloud Storage
Deep dive into two logic vulnerabilities discovered and reported through Swisscom's Bug Bounty Program. These affected MyCloud Safe, Swisscom's end-to-end encrypted cloud storage solution. This post concludes with some thoughts about finding more complex vulnerabilities.
MARCH 10, 2024
Securing the Computer Security Course: Session Hijacking in EPFL's COM-301 Homework App
Story and details about a session-related vulnerability found in EPFL's COM-301 homework submission and grading website, which eventually allowed any student to take over another student's account.