Multiple Vulnerabilities in ShowingTime

My wife and I were selling our home last year and we ended up being pretty satisfied with our Realtor team, partially due to their adoption of technology. One example was their use of ShowingTime, which is a Real Estate Showing Management System that, among other things, allows sellers to easily confirm or reschedule showing requests from an app or …

Reverse Engineering the Subway Android App

It’s great to see the increasing adoption of certificate pinning in Android apps. When I run into an app that throws connection errors while attempting to proxy requests, I tend to become more interested in diving deeper. Such was the case when I recently used the Subway app. Reversing the APK revealed cert pinning among some other interesting findings. Starting the app …

Attacking Z-Way Controlled Home Automation Devices

I recently purchased a RaZberry board for one of my Raspberry Pis in order to begin my path towards home automation. I chose the RaZberry board, rather than a traditional Z-Wave controller, mainly due to its integration with the Raspberry Pi. This allowed me programmatic access to both the Z-Wave protocol as well as GPIO devices, which was important …

Privacy Vulnerability in TurboTax’s API

In the spirit of tax day, I wanted to write about my experience in reporting a privacy vulnerability in the most popular tax preparation software on the market: Intuit’s TurboTax. I have been using TurboTax for quite a few years for my taxes and this year I found they offered an Android app. At first, I wondered …

Wawa Rewards Gift Card Takeover Vulnerability

Wawa stores are a favorite among customers in Pennsylvania, New Jersey, Delaware, and beyond. When the company recently announced a new Android app to launch with their rewards program, I was interested in installing it and researching how it worked. Soon after registering and associating a gift card to my account, I discovered a serious vulnerability that would allow an …

How I Cracked Trivia Crack

Trivia Crack is a highly popular game for both web and mobile platforms which is somewhat modeled after Trivial Pursuit. It’s the latest craze in social gaming, allowing users to compete against their friends and strangers in answering questions from an array of categories. Though I’ve never been very interested in gaming, my wife has recently become a huge fan …

Visa and Other Gift Card Transactions Exposed by GoWallet Vulnerability

I recently received a Visa Gift Card and decided to use GoWallet to manage it, as advertised on the card’s packaging. GoWallet offers the ability to manage most types of gift cards, allowing a user to view their card’s current balance and past transactions. I signed up on their website and associated the card to my account. …

Delmarva Power (Pepco) Account Takeover Vulnerability

I’ve been a longtime customer of Delmarva Power, but only recently learned they had an Android app. I decided to install it and see how it worked behind the scenes. I quickly realized their API suffered from multiple IDORs, allowing an attacker to completely take over any user’s account. As usual, I monitored the requests in the app by …