Cookie Tossing: Self-XSS Exploitation, Multi-Step Process Hijacking, and Targeted Action Poisoning
JULY 15, 2024

Comprehensive analysis of cookie tossing and three impactful attacks it enables, each either novel or previously poorly documented. Based on vulnerabilities identified in Swisscom, Project Jupyter, and Perplexity AI.

Discovering Logic Vulnerabilities in Swisscom's End-to-End Encrypted Cloud Storage
APRIL 08, 2024

Deep dive into two logic vulnerabilities discovered and reported through Swisscom's Bug Bounty Program. These affected MyCloud Safe, Swisscom's end-to-end encrypted cloud storage solution. This post concludes with some thoughts about finding more complex vulnerabilities.

Securing the Computer Security Course: Session Hijacking in EPFL's COM-301 Homework App
MARCH 10, 2024

Story and details about a session-related vulnerability found in EPFL's COM-301 homework submission and grading website, which eventually allowed any student to take over another student's account.