Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
The @agenticmail/mcp package, an AI agent for email, shipped with a default HTTP endpoint that has zero authentication. Here's why that's a disaster, what it means for the MCP ecosystem, and how to lock it down.
CVE analysis of the OAuth reauthentication bypass in Flask-Security-Too 5.8.0: verifying a different user's OAuth identity marks the current session as fresh, enabling privilege escalation.
A default empty API client token in phpMyFAQ lets any unauthenticated user create and modify FAQ entries, categories, and questions via the REST API. Here's what happened, why it matters, and how to fix it.