Image 1 Trust Sign

Cursor’s Magic Comes with a Catch: The Trust Setting You’re Missing

Occasionally, a new AI tool emerges unexpectedly and dominates the conversation on social media. This time, that tool is Cursor, an AI coding platform that’s making waves for simplifying app development with advanced models like Claude 3.5 Sonnet and GPT-4o. In a recent video posted on X, which has already garnered over ... Read More
Figure 1 Code 1

Lessons Learned From Exposing Unusual XSS Vulnerabilities

Misunderstood browser APIs are often at the core of many web security issues. With the rapid expansion of web APIs, keeping up with security best practices can be challenging. In this post, we’ll explore a few common mistakes developers make that lead to modern XSS (Cross-Site Scripting) vulnerabilities. These insights ... Read More
Vectors of approach

From ChatBot To SpyBot: ChatGPT Post Exploitation

In the second installment of our blog post series on ChatGPT, we delve deeper into the security implications that come with the integration of AI into our daily routines. Building on the discoveries shared in our initial post, “XSS Marks the Spot: Digging Up Vulnerabilities in ChatGPT,” where we uncovered ... Read More
XSS Marks the Spot: Digging Up Vulnerabilities in ChatGPT

XSS Marks the Spot: Digging Up Vulnerabilities in ChatGPT

With its widespread use among businesses and individual users, ChatGPT is a prime target for attackers looking to access sensitive information. In this blog post, I’ll walk you through my discovery of two cross-site scripting (XSS) vulnerabilities in ChatGPT and a few other vulnerabilities. When chained together, these could lead ... Read More
Hacking Microsoft and Wix with Keyboard Shortcuts

Hacking Microsoft and Wix with Keyboard Shortcuts

Browser vendors continuously tweak and refine browser functionalities to improve security. Implementing same-site cookies is a prime example of vendors’ efforts to mitigate Cross-Site Request Forgery (CSRF) attacks. However, not all security measures are foolproof. In their quest to combat Cross-Site Scripting (XSS), browser vendors introduced features that, while well-intentioned, ... Read More
CVE-2023-22524: RCE Vulnerability in Atlassian Companion for macOS

CVE-2023-22524: RCE Vulnerability in Atlassian Companion for macOS

TL;DR This blog unveils a remote code execution vulnerability, identified as CVE-2023-22524, in Atlassian Companion for macOS, which has recently been patched. This critical vulnerability stemmed from an ability to bypass both the app’s blocklist and macOS Gatekeeper, potentially allowing the execution of harmful code. Users are advised to upgrade ... Read More
Navigating the Sea, Exploiting DigitalOcean APIs

Navigating the Sea, Exploiting DigitalOcean APIs

Cloud service providers are now fundamental elements of internet infrastructure, granting organizations and individuals the ability to scale and efficiently store, manage, and process data. DigitalOcean is one such provider, well-regarded for its simplicity and developer-friendly platform, and often catering to small to medium-sized businesses and individual developers. With increasing ... Read More
Scam Trail

Unraveling an AI Scam with AI

The last year has seen an unprecedented surge in the use of Artificial Intelligence (AI) and its deployment across a variety of industries and sectors. Unfortunately, this revolutionary technology has not just captivated the good actors– the darker corners of the internet are awash with bad actors exploiting the buzz ... Read More
Imperva Red Team Discovers Vulnerability in TikTok That Can Reveal User Activity and Information

Imperva Red Team Discovers Vulnerability in TikTok That Can Reveal User Activity and Information

TL;DR The Imperva Red Team discovered a vulnerability in TikTok, a popular social media platform with more than one billion users worldwide, that could allow attackers to monitor users’ activity on both mobile and desktop devices. This vulnerability, which has now been fixed, was caused by a window message event ... Read More
Deanonymizing OpenSea NFT Owners via Cross-Site Search Vulnerability

Deanonymizing OpenSea NFT Owners via Cross-Site Search Vulnerability

TLDR Recently, a cross-site search vulnerability was discovered affecting the popular NFT marketplace OpenSea. When successfully exploited, this issue allows for the deanonymization of OpenSea users by linking an IP address, a browser session, or an email in certain conditions to a specific non-fungible token (NFT) and, therefore, a wallet ... Read More