
AppSec Monday: RedTeaming, Mobile Apps Hacking, GraphQL Security, SAML Signature Bypass, Phone number OTP flaw leads to ATO, CSPBypass Tool, Lamborghini Carjackers Lured by $243M Cyberheist

Cybersecurity — For Security Professionals

Hey! James here.

Today’s edition is all about Application Security and offensive tactics:

  • 📝 SAML Signature verification bypass, Change phone number OTP flaw leads to ATO, Red Teaming in the age of EDR.

  • 🔥 Password Pusher, CSPBypass, Lamborghini Carjackers Lured by $243M Cyberheist, Hackers targeted Android users by exploiting 0-day.

  • 🧠 Three Ways to Hack Mobile Apps, Top 10 GraphQL Security Checks for Every Developer, Security Best Practices for Production Applications.

  • And more…

First time reading? Sign up here.

📰 Top Security News

  • Lamborghini Carjackers Lured by $243M Cyberheist (Krebsonsecurity)

  • New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed (Forbes)

  • Hackers targeted Android users by exploiting zero-day bug in Qualcomm chips (Techcrunch)

📝 Best Of Blogs

  • SAML Signature verification bypass allows logging into any user (with specific conditions) [$25,000 Bounty] (HackerOne)

  • Change phone number OTP flaw leads to any phone number takeover [$2,000 Bounty] (HackerOne)

  • Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation (Fox-it)

🧠 Learning Resources

  • Three Ways to Hack Mobile Apps (John Hammond)

  • Top 10 GraphQL Security Checks for Every Developer (Akto)

  • Security Best Practices for Production Applications (GeeksforGeeks)

🛠️ Tools

  • CSP Bypass search - Search for existing CSP bypass gadgets that allow you to gain XSS. (GitHub)

  • Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. (GitHub)

  • PasswordPusher: 🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. (GitHub)

⚡️ Misc

  • Google Online Security Blog: Using Chrome's accessibility APIs to find security bugs (Google Blog)

  • The Role of Security and Authorization in DDD (Permit)

🎯 Favorite Quote

“You will face many defeats in life, but never let yourself be defeated.”
- Maya Angelou

💡 ABOUT VAYFUL®

Vayful® is a cybersecurity newsletter that curates the best cybersecurity news, research, tools, blogs, talks, tutorials, and learning resources — specially handpicked for security professionals. The content is curated with love by security professionals.

Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here!

Did someone forward this email to you? Become a subscriber!

Have feedback or questions? Just hit reply and let us know.