An exported splash activity, a WebView with no domain allowlist, and a JS bridge that returned session tokens to any loaded page let any co-installed app on a centralized crypto exchange's Android client steal a 90-day session with zero user interaction.
Mar 26, 2026

Mobile wallet stored and returned full card numbers and CVVs in cleartext. Zero tokenization architecture. Multiple PCI DSS violations.
Mar 26, 2026

Unclaimed npm scopes in production bundles. Both orgs registered to prove exploitability. A single compromised build affects all brands.
Mar 23, 2026

AES key from iOS binary decrypts 10 API secrets. Forged Apple Wallet loyalty passes for any customer.
Mar 21, 2026

A drugstore chain's Android app inserted a deep link parameter unsanitized into a WebView URL, where a URL fragment bypassed the regex domain check and loaded an attacker page inside the official app, leaking the session token on first load.
Mar 21, 2026

Unsandboxed plugin iframes had full native bridge access. Opening a shared board silently poisoned the clipboard, dropped files to storage, and opened attacker URLs in Chrome.
Mar 20, 2026

A client-controlled reset URL on a cinema chain's loyalty platform was escalated by injecting an invisible image tag into the email template, leaking the real reset token the moment the victim opened the email.
Mar 17, 2026

A leftover developer backdoor in a bundled session replay SDK let one link permanently redirect screen recordings to an attacker server, with masking disabled.
Mar 17, 2026

Non-atomic refund API allowed gift card balance multiplication. Reproduced 4/4 on production.
Mar 16, 2026

A forgotten plaintext example config in a beauty retailer's public cloud storage container exposed production OAuth credentials and a static CAPTCHA bypass header, granting full anonymous API access across three country sites.
Mar 16, 2026