Compromising OpenDrive’s Cloud Storage Accounts – Or How Not to Design Session Management

While recently comparing cloud storage solutions, I was surprised to learn there are still companies offering unlimited storage plans. OpenDrive is one such company — not to be confused with the OpenDRIVE format specification — offering unlimited options for personal, business, and enterprise customers. In addition to traditional cloud storage, they also offer backup and content …

Persistent XSS in PNC’s Secure Email System

PNC is a large financial services company with operations in both consumer and corporate sectors, predominantly located in the eastern and central United States. While making some account changes with them a few months ago, I had to exchange numerous sensitive documents with various employees within the organization. While most of the process was pretty …

Bright City: A Highly Insecure Police and Municipal Government App

Earlier this year I received a Nextdoor message from my County Police Department announcing a “Property LockBox App” they’d released (purchased) for citizens. There was no previous communication regarding this app that I could find, so I was interested in learning more about it. As the app description states, Bright City is “[a] 2-way, dedicated mobile application for cities …

XSS over SMS: Hacking Text Messages in Verizon Messages

Verizon Messages (Message+) is a group of software clients available for mobile, desktop, and web aimed at enhancing/unifying the VZW text messaging experience across multiple devices. While it has a few additional features outside of SMS, I was most interested in activating it for its web app client when at a desktop/laptop. After I installed the Android app and …

Rave Panic Button: Vulnerabilities in a Nationwide Emergency Alert System

A few months ago an article in the local news covering the launch of the Rave Panic Button caught my attention. I hadn’t heard of it before but the idea seemed interesting: efficiently coordinate emergency 9-1-1 notifications across multiple involved parties, i.e. emergency dispatch, on-site employees, and first responders. The system can also share important data about an affected location such as floor plans, emergency contacts, and even surveillance …

Persistent XSS in Verizon’s Webmail Client

I’ve previously written about a server-side vulnerability in Verizon’s webmail client, but I thought it was also worth covering a couple of interesting client-side vulns I discovered that would’ve allowed an attacker to compromise a victim’s entire email account. I started by attempting to identify the allowed HTML elements/attributes in the webmail client. Although there’s probably a better way to …