Blog Category - Security Research

Security Research

Protect your Spring based applications from this critical RCE vulnerability (CVE-2022-22965)

The Spring MVC and WebFlux are Java frameworks used to build web applications. It follows the Model-View-Controller design pattern. It implements all the basic features of a core spring framework like Inversion of Control and Dependency Injection. When these frameworks are deployed to Apache Tomcat, the WebAppClassLoader class is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk and invoke any server endpoint with a malicious payload to execute malicious JSP code on the vulnerable server. The vulnerability can be exploited to allow unauthorized remote code execution on the affected servers.

Anand Prakash

April 1, 2022

Security Research

Protect your Spring cloud functions from this critical RCE vulnerability (CVE-2022-22963)

Spring Cloud is an open-source microservice framework. Spring Cloud is a collection of functions useful in building distributed enterprise applications. The vulnerability can be exploited to allow unauthorized remote code execution on the affected servers. Hackers are still utilizing the recently discovered exploit to attack the servers. The exploit lets an attacker execute malicious Java code on the vulnerable server.

Anand Prakash

April 1, 2022

Security Research

Hacking Tinder accounts using Facebook’s Account Kit

This post is about an account takeover vulnerability we discovered in Tinder’s application. By exploiting this, an attacker could have gained access to the victim’s Tinder account, who must have used their phone number to log in.

Anand Prakash

January 30, 2022

Security Research

Hacking any Uber account

This post is about an account takeover vulnerability on Uber which allowed attackers to take over any other user’s Uber account (including riders, partners, eats) account by supplying user UUID in the API request and using the leaked token in the API response to hijack accounts. We were able to enumerate any other Uber’s user UUID by supplying their phone number or email address in another API request.

Anand Prakash

January 30, 2022

Security Research

How we discovered Uber’s developer applications were leaking client secret and server tokens

This post is about an information leakage vulnerability on riders.uber.com in which we identified an public API endpoint of https://riders.uber.com/profile that could send back server tokens and client secret for applications authorized by the account owner to access their Uber account.

Anand Prakash

January 18, 2022

Security Research

Hacking any Facebook account

This post is about a simple vulnerability I discovered on Facebook which I could have used to hack into other users’ Facebook accounts easily and without any user interaction.

Anand Prakash

January 30, 2022

Security Research

How this new zero day RCE vulnerability in Log4j Java library is setting the Internet on fire (CVE-2021-44228)

Java logging framework Log4j is used to generate logs and record the activity inside an application. The vulnerability can be exploited to allow unauthorised remote code execution on the affected servers. PingSafe can detect the Log4j vulnerability on your infrastructure without having an agent in your environment.

Anand Prakash

January 18, 2022

Security Research

How we could have listened to anyone's call recordings.

The vulnerability allowed any malicious actor to listen to any user's call recording from the cloud storage bucket of the application and an unauthenticated API endpoint which leaked the cloud storage URL of the victim's data.

Anand Prakash

January 18, 2022

Security Research

How we could have tracked anyone's live location using Truecaller's "Guardians" app

It was possible for an attacker to login into a victim's "Guardians" account by just using their phone number. Once the attacker has successfully logged in, they can track all your family member's locations. The application also leaked the victim's account details such as date of birth, profile picture, and emergency contact details. It also allowed an attacker to add more family members to the account once the account is taken over. Truecaller was quick in fixing the reported vulnerability within few hours.

Anand Prakash

January 18, 2022