Recent Blog Posts
The Akamai Origin Disclosure Non-vulnerability
When working for my employer Sentor I discovered an origin disclosure vulnerability in Akamai GTM, but they didn’t agree it was a vulnerability. I blogged about it on the company blog: The Akamai origin disclosure non-vulnerability
Vulnerability Disclosure: Authentication Bypass in Auth0
When working for my employer Sentor I discovered an authentication bypass vulnerability in Auth0. I blogged about it on the company blog: Vulnerability disclosure: Authentication bypass in Auth0
Vulnerability Disclosure: Session Fixation in Auth0
When working for my employer Sentor I discovered a session fixation vulnerability in Auth0. I blogged about it on the company blog: Vulnerability disclosure: Session fixation in Auth0
Mobile Authenticator Apps Algorithm Support Review - 2023 Edition
Last week my favorite IT security podcast Bli säker (Become Secure in English) published the episode The Epochalypse and the QR Code (only in Swedish), where they explained the technology behind mobile authenticator apps. I felt I needed to refresh my TOTP algorithm support investigation from 2019 before the recording of the next episode of the Bli säker podcast. :)
So this is an update to the blog post I published in July 2019 called Many Common Mobile Authenticator Apps Accept QR Codes for Modes They Don’t Support.
Man-in-The-Middle Session Fixation in Securitas Direct My Pages
During 2021 I had access to a facility equipped with an alarm system from Securitas Direct. I had access as a regular user to Securitas Direct’s My Pages at mypages-pro.securitas-direct.com, which is used to administer some aspects of one’s security alarm installation. That web application suffered a CWE-384 Session Fixation vulnerability which can be used by an attacker in a so-called Man-In-The-Middle (MiTM) position.
[Image: Home page of Securitas Direct My Pages]
In summary, if an attacker is on the same network as the victim or somewhere else between the victim and Securitas Direct’s server, and if the attacker can make the victim’s browser make an unencrypted HTTP request to a subdomain of securitas-direct.