"Bypassing Twitter's account lockout protection": I recently found a flaw in the lockout mechanism Twitter has in place to protect accounts from unauthorized access. This flaw resulted in a complete bypass of the verification page which is presented to users if their account is locked. An attacker would've required previous knowledge of the victim's account password to exploit this issue. Twitter usually […]
"Bypassing forced password reset on locked Tumblr accounts": Tumblr went through a massive data breach sometime in 2013. This breach resulted in 65 million emails and hashed passwords of the site's users being stolen and dumped online. The dumped password hashes were salted, but no actual salts were supplied with the data, meaning that they were useless to password cracking enthusiasts and others trying to recover plain-text passwords. The issue I'm writing […]
"Extracting full phone numbers from the leaked Snapchat database": The 2014 Snapchat leak was a huge blow to the privacy of the app's users. The leaked data contains over 4 million usernames along with their partially censored phone numbers. The leak was first available on SnapchatDB.info, but the download was taken offline shortly after. Retrieving the last two digits: Head over to the forgot password page on Facebook (or Twitter) and enter […]