Ionic Identity Vault Biometric Authentication Bypass
Ionic Identity Vault is a secure storage solution for Android and iOS mobile apps which can be used to store authentication information like access tokens [1]. This information can be protected, so...
SAML Padding Oracle
ArcGIS [1] is a family of software providing geographic information system services. While testing a customer’s ArcGIS architecture we came across a SAML login flow. In this blogpost we show how we...
A Years Worth of Active Directory Privilege Escalation
The end of the year is a good time to sit back and reflect for a moment on the past year. So let us take a look at the ten most common ways how I got Domain Admin privileges in our Active Directory...
Lenovo Update Your Privileges
A journey into the discovery of two privilege escalation vulnerabilities in the Lenovo update functionality. The information in this blog post is related to the following vulnerabilities detected...
Device Code Phishing – Add Your Own Sign-In Methods on Entra ID
TL;DR An attacker is able to register new security keys (FIDO) or other authentication methods (TOTP, Email, Phone etc.) after a successful device code phishing attack. This allows an attacker to...
Bug Bounty: Insights from Our First-hand Experience
At Compass Security, we recently launched our managed bug bounty service. We openly invite hunters to probe our publicly exposed services for vulnerabilities. In return for their valuable feedback, we...
A Patchdiffing Journey – TP-Link Omada
Introduction Last year we participated in the Pwn2Own 2023 Toronto competition and successfully exploited the Synology BC500 camera. The competition featured a wide range of targets, including popular...
Three-Headed Potato Dog
Earlier this year, several security researchers published research about using DCOM to coerce Windows systems to authenticate to other systems. This can be misused to relay the authentication to NTLM...
COM Cross-Session Activation
Once again, reading blogs and tweets from James Forshaw led me to wonder how things work. This time, I was working on DCOM for my last blog post and while reading about cross-session activation, I had...