During our research on the Segways’ domain space, we found a subdomain pointing to a third-party domain “pending for deletion” by its owner. Using a domain monitoring and backorder service, as soon as the third-party domain became available we got control over Segway’s subdomain.
According to responsible disclosure best practices, we provided Segway a detailed security advisory. This article is published after the security issue has been (silently) fixed by Segway.
Samsung devices, including flagship S7, S8 and S9, were all vulnerable to a severe flaw that allowed any application to factory reset the phone, steal sms messages and call logs, lock the phone with a custom pin and message, locate the user, in short, any action that Find My Mobile supports.
From my understanding based in what I see in the field, the majority of companies are not. Besides finance, insurance and big retail chains very few are already prepared, and some aren’t even achieving meaningful results to enable them to be compliant in May 25, not even the health or public sector...
What to do? Where to begin? How to do it? Now you can relax and sit down. Thanks to David Sopas you can organize all your work with an assessment mindset available for free at Github. He did it to help him on his all-around assessments (pentest, bug bounty, red-team) keeping the workflow organized a...
Next Tuesday, March 13 , 2018, at 5PM GMT you must attend a interesting @Checkmarx webinar by David Sopas. You can understand what Reflected File Download (RFD) is, view a live demonstration of an RFD attack and learn how you can protect your product from the dangers of RFDs. Discovered in 2014 by...
More and more apps are available in Google Play Store allowing to manage your invoices. Some apps are focused on small businesses in order to make quotes or invoices for clients, but other apps are also targeting individuals. For instance in Portugal, the government is encouraging people to ask for...
