We don’t have a Ferrari, but we had their database credentials

Have you ever wondered what it feels like to own a Ferrari? We did. Not the car itself, but access to their database credentials.

Following Ferrari Responsible Disclosure Program1 Char49 discovered a vulnerability on the media.ferrari.com subdomain. The vulnerability affected a popular Wordpres...

Misconfiguration in a bottle: Symfony Profiler exposed

Char49 recently discovered a security misconfiguration on a subdomain of an American multinational corporation (Top50 on the Fortune500) website: an exposed Symfony web framework debug endpoint leaking sensitive information.

In a nutshell, exposing Symfony Profile or any other web framework debug...

Flash XSS on typewrite_header.swf

Our lab found a interesting XSS on a .swf file that we later discover was mainly used on phishing websites.

Source code of typewrite_header.swf:

//----------------------------------------------------------------------
//Frame 3
//------------------------------------------------------------------...