Engineering notes from the trenches.
Reverse-engineering APIs, automation that survives production, security research, and honest takes on the tools I ship with.
4 posts
A critical missing authorization check in FUXA's Scheduler API allowed any authenticated operator to create or modify scheduled device actions—escalating to full admin control over SCADA operations. Breakdown of the attack, detection, and fix.
A comment in nebula-mesh's code confesses the design flaw: API trusts the bearer token for authorization. Here's why that breaks multi-tenant isolation, how to spot the pattern, and how to fix it before it becomes an incident.
CVE-2026-6456 exposes a critical privilege escalation in the WordPress Account Switcher plugin through a loose comparison flaw in its REST API. Here's how it works and what to do right now.
A high-severity improper authentication flaw in Motorola's pre-installed Factory Test app (com.motorola.motocit) exposes a writable file descriptor in external storage, letting any local app escalate privileges without user interaction.