Critical | One-tap session theft

Exported Home Activity Cookie Injection to Session Token Theft

An exported Android launcher activity, an attacker-controlled deep link extra, and an unguarded cookie write enabled one-tap session token theft on a major US department store retailer's app.

Apr 9, 2026
Tags: Android, Deep Links, Token Theft
High | In-app phishing chain

Carrier App Open Redirect + Exposed Deep Link Key Enables In-App Phishing

A hardcoded deep link service key, an unvalidated WebView article handler, and an unauthenticated open redirect on a national mobile carrier's own domain combined to render attacker-controlled login pages inside the official app's chrome, with no URL bar visible.

Apr 9, 2026
Tags: Android, Deep Links, Phishing
Critical | Zero-click session theft

Stored XSS via SVG Upload on Bug Bounty Platform, Zero-Click Session Theft

A server that accepted SVG uploads via its API, despite its own UI rejecting them, allowed a JavaScript-bearing SVG to be embedded in any report description and silently exfiltrate session data from every viewer, including triage staff and program managers.

Apr 7, 2026
Tags: Web, XSS, Token Theft
High | Permanent fund loss

uint64 Overflow in Cross-Chain Bridge Silently Destroys Solana Withdrawals

An unsafe downcast to uint64 silently truncated withdrawal amounts. Any user withdrawing more than ~18 tokens would permanently lose most of their funds, with no revert and no recovery path.

Apr 3, 2026
Tags: Smart Contract, Solidity, DeFi
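The arithmetic behind the "~18 tokens" figure, as an added illustration that is not the bridge's code: with 18-decimal amounts (an assumption here, matching the ERC-20 convention), 2^64 base units is about 18.45 whole tokens, so a Solidity-style truncating cast keeps only the low 64 bits of anything larger and the user receives the remainder modulo 2^64. The checked cast beside it shows the behaviour a SafeCast-style helper gives instead.

```python
# Added illustration, not the bridge's code: how an unchecked uint256 -> uint64
# downcast mangles an 18-decimal token amount, and what a checked cast does instead.
# Assumptions: 18 decimals (ERC-20 convention) and a Solidity-style truncating cast.

UINT64_MAX = 2**64 - 1
DECIMALS = 18                # assumed token decimals
ONE_TOKEN = 10**DECIMALS     # base units per whole token


class UnsafeDowncast(Exception):
    """Raised by the checked cast when a value does not fit in 64 bits."""


def unchecked_uint64(amount: int) -> int:
    """Behaves like Solidity's `uint64(amount)`: keeps only the low 64 bits."""
    return amount & UINT64_MAX


def checked_uint64(amount: int) -> int:
    """Behaves like a SafeCast-style toUint64: fails instead of truncating."""
    if not 0 <= amount <= UINT64_MAX:
        raise UnsafeDowncast(f"{amount} does not fit in uint64")
    return amount


def max_safe_tokens() -> int:
    """Largest whole-token amount that survives the cast: floor(2^64 / 10^18) = 18."""
    return UINT64_MAX // ONE_TOKEN


def withdrawal_outcome(amount_tokens: int) -> dict:
    """What a user who requests `amount_tokens` actually receives after truncation."""
    requested = amount_tokens * ONE_TOKEN
    received = unchecked_uint64(requested)
    lost = requested - received
    return {
        "requested": requested,
        "received": received,
        "lost": lost,
        "lost_pct": round(100 * lost / requested, 1) if requested else 0.0,
    }


def passes_checked_cast(amount_tokens: int) -> bool:
    """True if the checked cast accepts the withdrawal, False if it would revert."""
    try:
        checked_uint64(amount_tokens * ONE_TOKEN)
    except UnsafeDowncast:
        return False
    return True


if __name__ == "__main__":
    print("max whole tokens that fit in uint64:", max_safe_tokens())
    for n in (18, 19, 100):
        out = withdrawal_outcome(n)
        print(f"withdraw {n:>3} tokens -> receive {out['received'] / ONE_TOKEN:.4f}, "
              f"lost {out['lost_pct']}%, checked cast accepts: {passes_checked_cast(n)}")
```

A 19-token withdrawal comes out as roughly 0.55 tokens and a 100-token withdrawal as roughly 7.77, which is why the loss is "most" of the funds rather than all of them; the checked cast refuses both instead of paying out the truncated amount.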
Critical | Cloud credential theft

File Upload SSRF Exfiltrates Live AWS Credentials from Retail SaaS Production

A digital file upload endpoint fetched any attacker-supplied URL server-side and stored the response, which was enough to pull live temporary AWS credentials from a production EC2 instance.

Apr 1, 2026
Tags: Web, SSRF, Cloud
Critical | Mass account lockout

Hardcoded API Key in Smart Home App, Account Creation, S3 Takeover, and Mass Lockout

A hardcoded API key inside a smart home camera platform's Android app unlocked unauthenticated account creation, full read-write-delete access to a production storage bucket, mass account lockout, and password-reset email triggering against the entire customer base.

Mar 31, 2026
Tags: Android, Hardcoded Secrets, Cloud
High | One-click ride booking

Ride-Hailing App Deep Link SSRF to One-Click Ride Booking

A deep link handler in a ride-hailing Android app accepted attacker-controlled JSON, bypassed its own host allowlist using relative paths, and let any link click book a real ride against the victim's authenticated account.

Mar 31, 2026
Tags: Android, Deep Links, SSRF
Critical | 30-day token theft

Exported Activity + JS Bridge to 30-Day API Token Theft on Crypto Exchange Android

An exported activity, a data: URI validation bypass, and a JavaScript bridge with no origin check let any zero-permission co-installed app silently steal a 30-day session token from a centralized cryptocurrency exchange's Android app.

Mar 30, 2026
Tags: Android, JS Bridge, Token Theft
Critical | Token leaked to third party

Crypto Exchange Android App Leaks 30-Day Session Token to Third-Party Chart Provider

A missing domain check in a centralized cryptocurrency exchange's Android WebView wrapper sent the user's full 30-day session token as an HTTP header to a third-party charting domain on every meme coin chart view.

Mar 30, 2026
Tags: Android, WebView, Token Theft
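Three of the entries above (the ride-hailing relative-path allowlist bypass, the data: URI validation bypass, and the session token sent to a third-party charting domain) share one root cause: the URL a deep link or WebView is about to load is trusted on the basis of a weak string check, or not checked at all, before a privileged action or header is attached. The following added example, written here and not taken from any of the apps, puts a naive check beside a hardened one and runs constructed inputs through both. The host names and base URL are placeholders, and the scheme-relative "//host" case is one illustration of how a "relative" link can escape a host allowlist, not the specific bypass reported.

```python
# Added example, not code from any of the apps above: a naive deep-link / WebView
# URL check beside a hardened one, and constructed inputs that separate them.
# Host names and the base URL are placeholders. The scheme-relative "//host" case is
# one illustration of how a "relative" link can escape a host allowlist, not the
# specific bypass reported against the ride-hailing app.
from typing import Optional
from urllib.parse import urljoin, urlsplit

TRUSTED_HOSTS = {"app.example.com", "api.example.com"}   # placeholder allowlist
BASE_URL = "https://app.example.com/"                     # placeholder base for relative links


def naive_is_trusted(url: str) -> bool:
    """Substring match against the allowlist: the kind of check that gets bypassed."""
    return any(host in url for host in TRUSTED_HOSTS)


def naive_resolve(link: str) -> str:
    """Resolve a 'relative' link against the trusted base and trust the result blindly."""
    return urljoin(BASE_URL, link)


def hardened_is_trusted(url: str) -> bool:
    """Accept only absolute https URLs whose parsed hostname is exactly allowlisted."""
    parts = urlsplit(url)
    if parts.scheme != "https":            # rejects http, data:, javascript:, scheme-less links
        return False
    if parts.username or parts.password:   # rejects https://trusted@evil/ confusion
        return False
    return parts.hostname in TRUSTED_HOSTS  # exact match; no substring or suffix logic


def hardened_resolve(link: str) -> Optional[str]:
    """Resolve first, then re-check the final absolute URL; None means refuse to load."""
    target = urljoin(BASE_URL, link)
    return target if hardened_is_trusted(target) else None


def request_headers(url: str, session_token: str) -> dict:
    """Attach the session token only to allowlisted destinations (cf. the chart-provider leak)."""
    headers = {"User-Agent": "example-app/1.0"}
    if hardened_is_trusted(url):
        headers["Authorization"] = f"Bearer {session_token}"
    return headers


# Constructed inputs: what an attacker might place in a deep link or a WebView navigation.
SAMPLES = [
    "https://api.example.com/v1/me",                 # legitimate
    "https://evil.example/?u=api.example.com",       # trusted host only in the query string
    "https://api.example.com.evil.example/",         # trusted host as a prefix of another host
    "https://api.example.com@evil.example/",         # trusted host in the userinfo part
    "data:text/html,<script>alert(1)</script>",      # not a network URL at all
    "//evil.example/x",                              # scheme-relative "path"
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:<48} naive={naive_is_trusted(s)!s:<5} hardened={hardened_is_trusted(s)}")
    print("naive_resolve('//evil.example/x')    ->", naive_resolve("//evil.example/x"))
    print("hardened_resolve('//evil.example/x') ->", hardened_resolve("//evil.example/x"))
```

The two design points worth carrying into an Android handler are that the check runs on the fully resolved absolute URL (never on the raw deep link parameter) and that the parsed hostname is compared for equality against the allowlist, so a trusted name appearing in the query string, the userinfo, or as a prefix of another host does not count.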
Critical | Zero-interaction ATO

Exported Activity + WebView Token Theft to Full Account Takeover

A zero-permission co-installed app silently steals the session token in under five seconds; trading, PII access, and withdrawal address injection were all confirmed.

Mar 27, 2026
Tags: Android, Exported Component, Token Theft