Three chained flaws in a crypto exchange's Android app gave full account access from a single tap.
Mar 2, 2026

No-auth endpoint generated support tokens for any user. Read conversations, download KYC docs, send messages as victim.
Mar 2, 2026

A wallet's deep link handler accepted any URL and loaded it inside the privileged in-app browser, where the signing bridge gave attacker pages full access to wallet address, message signing, and typed data signing.
Feb 27, 2026

Flawed domain check allowed attacker URL in WebView. Session token stolen in under 2 seconds, valid for 7 months.
Feb 26, 2026

RSA-2048 key extracted from a .so file in 5 seconds. Forged push notifications to any wallet user.
Feb 26, 2026

A wallet provider's GraphQL endpoint allowed any anonymous caller to read user emails, 250K IP-to-wallet mappings, 80K push tokens, and private support messages, deanonymizing blockchain users at scale.
Feb 26, 2026

Signing secret in APK enabled forged support tokens. KYC docs, IP addresses, and risk scores exposed for any user.
Feb 25, 2026

A bridge gateway smart contract refunded relayer gas using a flat 16-gas-per-byte estimator, overpaying on every call and amplifiable by appending zero-byte padding to drain ETH from the gateway balance.
Feb 24, 2026

Domain allowlist used substring matching. Attacker domain passed the check, WebView leaked session tokens.
Feb 24, 2026

Timing flaw in login verification bypassed email check entirely. Full recovery phrase and private key extracted in 60 seconds.
Feb 23, 2026