A look into LastPass

As part of the time that my company offers for research, my good friend and talented hacker Alberto Illera (@algillera) and I decided to “check out” LastPass. Many of you may already know (or even use) LastPass. It is a pretty well-known password manager that stores all your passwords in a “vault” and keeps them secure. …

Google and usernames, emails and URLs harvesting

Google Apps for Business is a set of Google services for companies, including email, online storage, calendars, etc. This allows companies to avoid the hassle of having to manage all these services in-house and simply outsource them. One of those services is email. A company can have its own email domain but still work under the …

Flywheel, Free rides and credit cards

After looking at Lyft, it was Flywheel's turn. Flywheel is yet another app to help you find cabs, just as Uber does. During my pentest I found several serious security problems. Ride and get paid! Yep, just like it sounds. Flywheel lets you set a default tip that will be added to …

Lyft, fuzzing and Denial of Service attacks

As a regular user of apps like Lyft, Uber, Flywheel and anything that makes commuting more convenient, curiosity and free time led me to open Burp and start lurking. Validating coupons: Lyft offers the option to enter coupons to get credit for rides, a way to attract new customers and retain current ones. The request …
