Full Account Takeover on an MCP OAuth Proxy: Why PKCE Can't Save YouTL;DR: Got an MCP OAuth proxy to hand me real production access tokens for any user who clicked one link. No fake login page. No cert warning. No MFA bypass. The victim actually signs in at the real SApr 21, 2026·8 min read
How a "Fixed" IDOR and an Empty String Led to 5 Million+ File LeaksWhen I start looking at a target in finance, medical, etc, I always go for the most valuable data. In this case, on a major application we'll call "Redacted Corp," that meant file uploads. Invoices, personal documents, signatures... all the PII. Part...Oct 29, 2025·6 min read
More of Games-related Bugs!Exploring Chests or Boxes: Unraveling the Secrets 🎲 In the digital realm of gaming, chests and boxes are akin to Pandora's Box, each unveiling unique rewards and surprises. For instance, you're generally allowed to open a 'Golden Box', but what if, ...Apr 12, 2024·3 min read
Diving Back into Games-related Bugs! , especially, cards related games! 🕹️🎮it's been a while since I tweeted about these kind of flaws, so here we are adding 3 more common bugs I see in games into the list ;) In the landscape of online games, particularly those involving cards or characters, players frequently encounter a...Feb 22, 2024·2 min read
🎮 Diving Back into Games-related Bugs!Daily Rewards? 🗓️ Although we talked about it last time, this specific one can have a lot of attack vectors. Ever wondered if you could trick a game into giving you daily rewards early? Turns out, you often can. It's as simple as playing around wit...Feb 22, 2024·3 min read
🔓 Mastering the Enigma of SSL Pinning Bypass for Desktop Apps & Games 🕹️🔄 A Brief Recap: We've scaled the lower slopes—setting up proxies and redirecting traffic with finesse. Yet, SSL pinning stands as the daunting gatekeeper. It's our mission to deftly pick this lock, unveiling the covert communication within these di...Feb 22, 2024·3 min read
Unveiling the Arcane Art of Intercepting HTTPS Traffic in Desktop Apps & Games!NOTE: This journey is fraught with challenges like SSL pinning - a hurdle I'll tackle in my next post. For now, let's master the basics. ⏪ Quick Recap: In my last thread, we explored bugs in game hacking. Some of you inquired further - how do I inter...Feb 22, 2024·3 min read
