high Admin endpoints public

Unauthenticated Operator API Exposes OTP Dispatcher, Data Exports, and Admin Login

A national mobile carrier's customer-facing host exposed an internal operator backend whose security filter chain failed to cover the OTP SMS dispatcher, six data export controllers, and three administrator login endpoints, all reachable unauthenticated from the internet.

Apr 25, 2026
Web, Authentication, Data Exposure
critical Substring allowlist bypass

Authentication Bypass in In-App Browser Domain Validator, One-Tap Session-Token Theft and Full Account Takeover

A retail trading broker's Android app validated in-app browser URLs with a substring check, letting any URL that contained the brand domain pass. One tap on a feed link injected the user's session tokens into the attacker's origin and enabled full account takeover.

Apr 24, 2026
Android, WebView, Token Theft
critical SSO session hijack

Deep-Link ATO in Smart-Home Companion App, Identity Provider Session Hijack on Connected Web Properties

An exported activity in a robot vacuum companion app deserialized an attacker-supplied destination, loaded an attacker URL inside a privileged WebView, and leaked an identity-provider auth code that hijacked the victim's session on connected web properties.

Apr 22, 2026
Android, Deep Links, Account Takeover
critical One-tap session JWT theft

Deep Link URL Injection Loads Attacker Page in Bridge WebView, Full Account Takeover

A single-tap deep link on a regulated digital-asset exchange's Android app loaded an attacker page inside a privileged JS bridge, exfiltrating the live session JWT and using it to authenticate to the full trading API.

Apr 18, 2026
Android, Deep Links, JS Bridge
high In-app credential capture

Carrier App AutoVerify + WebView Deep Link Credential Phishing

A national mobile carrier's Android app combined a hardcoded deep link service key, an autoVerify domain handoff, and a custom-scheme WebView with no host check, enabling in-app credential phishing under the carrier's own verified domain.

Apr 17, 2026
Android, Deep Links, Phishing
high One-tap permit drain

Exchange App DApp Browser Deep Link to One-Tap Permit Drain

A missing host check on a centralized crypto exchange's Android DApp deep link, combined with a stale on-device safety whitelist, enabled a one-tap unlimited ERC-20 permit signature capture and wallet drain.

Apr 17, 2026
Android, Deep Links, Wallet
high Persistent first-party XSS

Presigned Upload Content-Type Bypass to Stored XSS on First-Party CDN

An attacker-controlled Content-Type field on a presigned upload mutation enabled stored XSS served from a creator/link-in-bio platform's first-party user-generated-content CDN with valid TLS.

Apr 17, 2026
Web, XSS, GraphQL
high Stranger's gift card in 18s

GraphQL Gift Card PIN Enumeration with No Rate Limiting

A missing rate limit on a GraphQL gift card redemption mutation, combined with sequential PIN issuance, enabled enumeration and instant theft of other customers' gift cards on a fashion e-commerce platform.

Apr 16, 2026
GraphQL, Business Logic
critical TLS private key recoverable

Hardcoded AES Key + Firebase Config Leak Production TLS Private Key

A hardcoded AES key in a geolocation compliance app, combined with an unauthenticated Firebase Remote Config endpoint, exposed the production RSA private key for the SDK's TLS server.

Apr 14, 2026
Android, Hardcoded Secrets, Cryptography
critical Permanent API access

Silent API Key Exfiltration via Exposed Deep Link and WebView Bridge in Android Wallet

One tap on a crafted link silently leaked the wallet app's backend API signing key via an unfiltered WebView bridge, giving persistent authenticated access to wallet data across 14 chains.

Apr 10, 2026
Android, Deep Links, JS Bridge