Wawa Rewards Gift Card Takeover Vulnerability

Wawa stores are a favorite among customers in Pennsylvania, New Jersey, Delaware, and beyond. When the company recently announced a new Android app to launch with their rewards program, I was interested in installing it and researching how it worked. Soon after registering and associating a gift card to my account, I discovered a serious vulnerability that would allow an …

How I Cracked Trivia Crack

Trivia Crack is a highly popular game for both web and mobile platforms which is somewhat modeled after Trivial Pursuit. It’s the latest craze in social gaming, allowing users to compete against their friends and strangers in answering questions from an array of categories. Though I’ve never been very interested in gaming, my wife has recently become a huge fan …

Visa and Other Gift Card Transactions Exposed by GoWallet Vulnerability

I recently received a Visa Gift Card and decided to use GoWallet to manage it, as advertised on the card’s packaging. GoWallet offers the ability to manage most types of gift cards, allowing a user to view their card’s current balance and past transactions. I signed up on their website and associated the card to my account. …

Delmarva Power (Pepco) Account Takeover Vulnerability

I’ve been a long-time customer of Delmarva Power, but only recently learned they had an Android App. I decided to install it and see how it worked behind the scenes. I quickly realized their API suffered from multiple IDORs, allowing an attacker to completely take over any user’s account. As usual, I monitored the requests in the App by …

Marriott Hotel Reservations and Payment Information Compromised by Web Service Vulnerability

Marriott has been in the news lately regarding its stance on blocking customer WiFi communications in their conference centers. As a customer of Marriott, I questioned how well they “blocked” access to my sensitive information in their system. Being that the security of web services is notoriously neglected, I figured their Marriott International Android app would be …

Privacy Vulnerability in Vivino Wine App

Vivino is one of the top wine apps out there, featuring the ability to get tons of information about a specific wine by taking a photo of the label. In my experience, it works well and can be very useful for the wine enthusiast. After some use of the app, I became interested in how it worked and …

Multiple Vulnerabilities in CBS Sports’ Bracket Manager

Every year during March Madness, my company’s landlord runs a bracket challenge, in which all tenants are free to join and submit their picks. They offer some prizes to the top bracket submissions, using CBS Sports’ March Madness bracket manager to manage the submissions and calculate the winners. I don’t know a lot about basketball, …