Slack: Lack of URL normalization renders Blocked-Previews feature ineffectual

Slack has a feature known as Blocked Previewsblocked-previews, which allows Workspace Owners and Admins to specify a list of URLs for which no link preview should occur. The point of this feature is to reduce clutter and prevent harmful content from getting embedded in the workspace. However, whe...

Uber: The Microsoft Store Uber App Does Not Implement Server-side Token Revocation

Summary The Microsoft Store Uber App Windows Phone Architecture does not properly revoke or expire a rider's x-uber-token upon app signout. Security Impact When a user logs out/signs off of the app, the logout process is handled only locally on the application side, and without any type of...

Bluetooth Smart MITM Framework: BtleJuice

Bluetooth Smart MITM Framework BtleJuice is a complete framework to perform Man-in-the-Middle attacks on Bluetooth Smart devices also known as Bluetooth Low Energy. It is composed of: an interception core an interception proxy a dedicated web interface Python and Node.js bindings How to install...

Internet Bug Bounty: CVE-2016-0772 - python: smtplib StartTLS stripping attack

python smtplib starttls stripping attack affects: basically all versions of smtplib with starttls support and projects relying on it python 2.7.2 - 2.7.11 dates back 14 years python 3.0 - 3.5.1 dates back 7 years Python's implementation of smtplib fails to raise an exception upon an unexpected...