Alohi: Weak rate limit for SIGN.PLUS email verification

zeesozee identified a way to reset the rate limit concerning the "Confirm your email" verification endpoint for new accounts. This increases the chance of successful bruteforce from an attacker who would try to register with a fake email. The issue was fixed immediately...

Alohi: Waitlist bypass for accessing SIGN.PLUS Beta

During SIGN.PLUS beta phase, it was found out that hackers could trick the API response and pretend to have been accepted into the beta program. All server operations would be blocked, but the UI client would be accessible, exposing the work-in-progress design to non-beta users. There was no...