Channel: Vulnerability – Compass Security Blog
Browsing latest articles
Browse All 26 View Live

Ionic Identity Vault Biometric Authentication Bypass

Ionic Identity Vault is a secure storage solution for Android and iOS mobile apps which can be used to store authentication information like access tokens [1]. This information can be protected, so...

SAML Padding Oracle

ArcGIS [1] is a family of software providing geographic information system services. While testing a customer’s ArcGIS architecture we came across a SAML login flow. In this blogpost we show how we...

A Years Worth of Active Directory Privilege Escalation

The end of the year is a good time to sit back and reflect for a moment on the past year. So let us take a look at the ten most common ways how I got Domain Admin privileges in our Active Directory...

Lenovo Update Your Privileges

A journey into the discovery of two privilege escalation vulnerabilities in the Lenovo update functionality. The information in this blog post is related to the following vulnerabilities detected...

Device Code Phishing – Add Your Own Sign-In Methods on Entra ID

TL;DR An attacker is able to register new security keys (FIDO) or other authentication methods (TOTP, Email, Phone etc.) after a successful device code phishing attack. This allows an attacker to...

Bug Bounty: Insights from Our First-hand Experience

At Compass Security, we recently launched our managed bug bounty service. We openly invite hunters to probe our publicly exposed services for vulnerabilities. In return for their valuable feedback, we...

A Patchdiffing Journey – TP-Link Omada

Introduction Last year we participated in the Pwn2Own 2023 Toronto competition and successfully exploited the Synology BC500 camera. The competition featured a wide range of targets, including popular...

Three-Headed Potato Dog

Earlier this year, several security researchers published research about using DCOM to coerce Windows systems to authenticate to other systems. This can be misused to relay the authentication to NTLM...

COM Cross-Session Activation

Once again, reading blogs and tweets from James Forshaw led me to wonder how things work. This time, I was working on DCOM for my last blog post and while reading about cross-session activation, I had...
