As part of the time that my company offers for research, my good friend and talented hacker Alberto Illera (@algillera) and I decided to “check out” LastPass. Many of you may already know (or even use) LastPass. It is a pretty well-known password manager that stores all your passwords in a “vault” and keeps them secure. …
Google and usernames, emails and URLs harvesting
Google Apps for Business is a set of Google services for companies including email, online storage, calendars, etc. This allows companies to avoid the hassle of having to manage all these services in house and simply outsource them. One of those services is email. A company can have its own email domain but still work under the …
Profile pictures, metadata and privacy
Yet another night when curiosity and free time led me to open Burp and start lurking around. This time I will talk about my findings in another of those apps that make commuting easier, whose name I agreed not to disclose. It did not take long to find an interesting JSON response containing (among other things):
Flywheel, Free rides and credit cards
After looking at Lyft, it was Flywheel's turn. Flywheel is yet another app that helps you find cabs, just as Uber does. During my pentest I found several serious security problems. Ride and get paid! Yep, just like it sounds. Flywheel lets you set a default tip that will be added to …
Lyft, fuzzing and Denial of Service attacks
As a regular user of apps like Lyft, Uber, Flywheel and anything that makes commuting more convenient, curiosity and free time led me to open Burp and start lurking. Validating coupons: Lyft offers the option to enter coupons to get credit for rides, a way to attract new customers and retain current ones. The request …