Google and usernames, emails and URLs harvesting

Google Apps for business is a set of Google services for companies including email,

Non existing email
Non existing email

online storage, calendars, etc. This allows companies to avoid the hassle of having to manage all these services in house and simply outsource it. One of those services is email. A company can have their personal email domain but still working under the gmail platform.

Valid emails
Valid emails

I realized that when I enter a valid email address from a company using Google Apps, the response code is 302 with the location header containing an internal url. As you may know, 302 is used to indicate

the browser that the resource is in a different place, specifically where the location header points to. Read more

Flywheel, Free rides and credit cards

After looking at Lyft, it was turn to check out Flywheel. Flywheel is yet another app to help you find cabs just as Uber does. During my pentest I found several serious security problems.

Ride and get paid!

Yep, just like it sounds. Flywheel lets you set a default tip that will be added to the total cost so you don’t have to bother about tipping the driver. The app gives you several options (15%, 20%, 25%). When we set a tip, the request looks like this: Read more

Lyft, fuzzing and Denial of Service attacks

As a regular user of apps like Lyft, Uber, Flywheel and anything that makes commuting more convenient, curiosity and free time lead me to open Burp and start lurking.

Validating coupons

Lyft offers the option to enter coupons to get credit for rides. A way to attract new customers and retain current ones. The request to validate such coupons looks like this: Read more