Mar 10, 2026: A missing role check on an electric scooter rental app's fleet management endpoints let any rider read every active rental, vehicle, and zone configuration across all operating markets, enabling real-time tracking of any user.

Mar 8, 2026: Two compounding flaws in a national postal carrier's transit warranty workflow let any anonymous internet user create real cases in the production support system against any tracking number, with no account or authentication required.

Mar 5, 2026: Unvalidated deep link parameter loaded attacker page with full transaction signing bridge access.

Mar 5, 2026: API key in APK granted access to police check verification. Full name, DOB, address, criminal history downloadable.

Mar 5, 2026: An exchange Android app validated its custom-scheme deep link against a domain allowlist but skipped that check on the intent URI path, letting any attacker page load in the WebView and read the auth token through the unrestricted JS bridge.

Mar 5, 2026: Unauthenticated database function returned invoices from other organizations including payment links.

Mar 4, 2026: Deterministic encryption + exported activity. Forged push notification steals session tokens without any user interaction.

Mar 4, 2026: A self-custody mobile wallet's browse deep link accepted any URL and loaded it inside the in-app dApp browser, where the signing bridge was injected into all origins, enabling a two-tap drain of any user via a phishing link.

Mar 4, 2026: SDK key from APK created unlimited verified deep links. Chained with unfiltered WebView for in-app credential theft.

Mar 4, 2026: A centralized exchange's Android deep link handler loaded any attacker URL inside the real app shell with the native JavaScript bridge attached, enabling one-tap credential phishing with no malicious app install needed.