Compromising OpenDrive’s Cloud Storage Accounts – Or How Not to Design Session Management

While recently comparing cloud storage solutions, I was surprised to learn there are still companies offering unlimited storage plans. OpenDrive is one such company — not to be confused with the OpenDRIVE format specification — offering unlimited options for personal, business, and enterprise customers. In addition to traditional cloud storage, they also offer backup and content …

Persistent XSS in PNC’s Secure Email System

PNC is a large financial services company with operations in both consumer and corporate sectors, predominantly located in the eastern and central United States. While making some account changes with them a few months ago, I had to exchange numerous sensitive documents with various employees within the organization. While most of the process was pretty …

Bright City: A Highly Insecure Police and Municipal Government App

Earlier this year I received a Nextdoor message from my County Police Department announcing a “Property LockBox App” they’d released (purchased) for citizens. There was no previous communication regarding this app that I could find, so I was interested in learning more about it. As the app description states, Bright City is “[a] 2-way, dedicated mobile application for cities …

XSS over SMS: Hacking Text Messages in Verizon Messages

Verizon Messages (Message+) is a group of software clients available for mobile, desktop, and web aimed at enhancing/unifying the VZW text messaging experience across multiple devices. While it has a few additional features outside of SMS, I was most interested in activating it for its web app client when at a desktop/laptop. After I installed the Android app and …

Rave Panic Button: Vulnerabilities in a Nationwide Emergency Alert System

A few months ago, an article in the local news covering the launch of the Rave Panic Button caught my attention. I hadn’t heard of it before, but the idea seemed interesting: efficiently coordinate emergency 9-1-1 notifications across multiple involved parties, i.e., emergency dispatch, on-site employees, and first responders. The system can also share important data about an affected location such as floor plans, emergency contacts, and even surveillance …

Persistent XSS in Verizon’s Webmail Client

I’ve previously written about a server-side vulnerability in Verizon’s webmail client, but I thought it was also worth covering a couple of interesting client-side vulns I discovered that would’ve allowed an attacker to compromise a victim’s entire email account. I started by attempting to identify the allowed HTML elements/attributes in the webmail client. Although there’s probably a better way to …

Why I Helped Draft State-Level Vulnerability Disclosure Legislation (Delaware SB 283)

The adoption of bug bounty programs, or vulnerability disclosure programs, has increased rapidly over the past few years, even extending to industries outside of the technology sector — United Airlines, GM, and the Pentagon are great examples. From enormous organizations like Google and Facebook, to small startups with a handful of employees, companies of all sizes seem to be …