Some of you are probably wondering, WHAT ON EARTH IS IDOR? IDOR, or insecure direct object reference, is a common vulnerability that is sometimes misunderstood by even some of the most seasoned security professionals. The basic concept is that a user-controlled parameter is used to directly reference and access a resource, but the application does…Continue reading Staples Canada – The IDOR that just kept giving
With a heavy push for native mobile apps in the last 10 years, there has been a large corresponding growth in the mobile appsec space. With the OWASP Mobile Top 10, which was initially released in 2014 and updated in 2016, many organizations have a framework to use to properly secure their APIs and mobile…Continue reading Bell Smart Home – The importance of proper mobile testing
Following a legal threat from █████, Proack has decided to remove their name from this article. While we worked in good faith to responsibly disclose the vulnerabilities discussed below, and held the release of this article until fixes were implemented, █████ still decided to threaten us with legal action if we publicized the vulnerabilities we…Continue reading Account Hijacking – IoT edition
In March 2020, our team started a couple of security research projects including participating in bug bounty programs, looking at IoT devices, and passively looking at mobile apps that have weak authentication and authorization controls. We came across one app called Remind, which is used by one of our team members to interact with their…Continue reading Insecure use of unique identifiers
* Updated October 13, 2020 In 2019, we were asked by some of our clients to perform an insider threat assessment to help them better understand their attack surface if a single system on their network were to be compromised. This is not a typical penetration test because we were given an asset, knowledge of…Continue reading FireEye HX Bypass – Have you tested your security tools lately?