naaash

Security Researcher

OAuth 1-Click ATO

How a Single @ Symbol Turned Into a 1-Click Account Takeover

OAuth redirect_uri bypass via RFC 3986 userinfo component leads to silent token theft via postMessage.

8 min read
Adobe Bug Bounty

Making Almost $50,000 In Bounties From The Adobe VIP Program

How we found LFI, stored XSS chains, and full account takeover in Adobe Workfront.

12 min read
TikTok IDOR

A Tale of Confusing IDOR

An IDOR hunt that took some unexpected turns. Sometimes the simplest bugs are the hardest to pin down.

6 min read