Martin Vigo

Personal hacking projects, writeups and tools
September 18, 2014

A look into LastPass

As part of the time that my company offers for research, my good friend and talented hacker Alberto Illera (@algillera) and I decided to “check out” LastPass. Many of you may already know (or even use) LastPass. It is a pretty well-known password manager that stores all your passwords in a “vault” and keeps them secure. …

by Martin Vigo

June 15, 2014

Google and usernames, emails and URLs harvesting

Google Apps for Business is a set of Google services for companies, including email, online storage, calendars, etc. This allows companies to avoid the hassle of managing all these services in-house and simply outsource them. One of those services is email. A company can have their personal email domain but still working under the …

by Martin Vigo

May 20, 2014

Profile pictures, metadata and privacy

Yet another night that curiosity and free time led me to open Burp and start lurking around. This time I will talk about my findings in another of those apps that make commuting easier, whose name I agreed not to disclose. It did not take long to find an interesting JSON response containing (among other things):

by Martin Vigo

May 17, 2014

Flywheel, Free rides and credit cards

After looking at Lyft, it was time to check out Flywheel. Flywheel is yet another app to help you find cabs, just as Uber does. During my pentest I found several serious security problems. Ride and get paid! Yep, just like it sounds. Flywheel lets you set a default tip that will be added to …

by Martin Vigo

April 19, 2014

Lyft, fuzzing and Denial of Service attacks

As a regular user of apps like Lyft, Uber, Flywheel and anything that makes commuting more convenient, curiosity and free time led me to open Burp and start lurking. Validating coupons: Lyft offers the option to enter coupons to get credit for rides. A way to attract new customers and retain current ones. The request …

by Martin Vigo

Bug bounties

Lastpass Synack Uber Flywheel Lyft Apple Sidecar United Venmo Google Netflix Ebay Twilio Yahoo

Conferences

IntelCon Roadsec Recon Village @ DEF CON HackCon IT-Defense 35C3 DEF CON 26 BSidesLV Wizeline Dreamforce 17 SAS2017 Ekoparty 12 Blackhat EU Shakacon Dreamforce 15 Dreamforce 14 Silicon Valley Codecamp 2014