My Security Research

TLDR; While fuzzing all Aura methods present on a specific target, I discovered that the built-in aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap, a default aura controller present in all Salesforce deployments, was vulnerable to an SOQL injection. After bypassing SOQL limitations I was able to extract sensitive user information an uploaded documents details, affecting thousands of deployments. A Pleasant Surprise Earlier this year, I was testing an application built on top of Salesforce and quite quickly realized that in addition to manual testing, I needed some way to fuzz the hundreds (if not thousands) of Aura controllers present in both the application and default to Salesforce....

In this blogpost I will go over a vulnerability I found in all major mobile browsers that allowed an attacker within Bluetooth range to take over PassKeys accounts by triggering FIDO:/ intents. TLDR An attacker within bluetooth range is able to trigger navigation to a FIDO:/ URI from an attacker controlled page on a mobile browser, allowing them to initiate a legitimate PassKeys authentication intent which will be received on the attacker’s device....

My Sec-T Presentation Hi there! This year I had the pleasure to attend and present at Sec-T for the very first time! It was overall a great conference with lots of cool hackers and presentations. I got to show off my research and findings in Swedish BankID along with some other insights in research I’ve been doing in other Cross-Device Authentication protocols. Here I attach the full sides: As well as the recording from Sec-T official’s YouTube channel:...

The Swedish BankID is a form of digital identification used by most if not all Swedish residents to authenticate to multiple services such as: internet providers, online banking services, betting websites and especially governmental websites. Living in Sweden myself, and with the hacker mentality always buzzing in my brain, I decided that it would be a very interesting field to do some security research in. In this post I will be presenting a new vulnerability I found present in most Swedish service providers due to an insecure implementation of BankID’s authentication protocol....

The purpose of this article is to show how to get RCE when a crafted malicious Tensorflow model is loaded. Remember all of this is for educational purposes only! Don’t be mean! Tensorflow Models are Programs This article is in no way reporting a vulnerability in the Tensorflow python module. As it can be read in the SECURITY section of the project, Tensorflow models should be treated as programs and thus from a security you should not load (run) untrusted models in your application....