Clickjacking in Firefox Hello

Clickjacking: the art of tricking users into clicking on links or buttons that no sane person would ever click on. But how much damage can you do by stealing a few clicks? It is 2015, and we might think that this kind of vulnerability would have been solved by now. But that's not the case.

Firefox Hello

Recently Mozilla launched Firefox Hello, their free service for video and voice conversations online. After a few tests, I noticed that the hello.firefox.com website does not prevent framing. I also noticed that to invite...
Continue reading ←

HackerOne Username Change Exploit (Social Engineering)

In this write-up I will be explaining the exploit method that I used to perform an unauthorized username change on any HackerOne account. It was an internal system flaw without any email verification, which allowed me to carry out the successful attack. As we all know, HackerOne is one of the best and most controversial managed bug bounty program websites on the internet, and every day researchers from all around the world test their custom exploits on the corporate applications that are sponsored by vendors and companies. Does...
Continue reading ←

Account Takeover Using Password Reset Vulnerability

Account Takeover Using Password Reset Functionality

While researching and working on bug bounties, I have found that by using the password reset functionality, token and link, we can take over all the user accounts of a website if that site is vulnerable to this type of attack. Using this vulnerability the attacker can modify the email MD5 hash to any victim's email MD5 hash to change their password; in this way he can also reset the passwords of all the accounts and successfully compromise the victim's account, as the password reset link sent to...
Continue reading ←