Posts

I started bug bounty in 2019, but in many ways, I didn’t fully jump in until mid-2023. I began hacking exclusively on Tesla’s program and had some good success. My first report was a hardware vulnerability in their infotainment system. Over time, I expanded into both hardware and web vulnerabilities, eventually working my way into the top 10 all-time on their program - where I still stand today. That said, my participation was sporadic. I’d lock in for a month and find something cool, followed by stretches of inactivity. Tesla is an incredibly hardened company with a fantastic internal security team. Easy wins are rare. But in hindsight, starting there taught me a ton about discipline, rigor, and going deep. I believe sticking with a single, tough program early on, and hacking for fun rather than primarily for profit or bounties, made me a stronger hacker. ...

Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user. Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser. This capability wasn’t a hypothetical. I recently identified a security vulnerability in the Verizon Call Filter iOS app which made it possible for an attacker to leak call history logs of Verizon Wireless customers. ...

As a part-time bug bounty hunter, I’ve found reducing friction in my testing to be especially important. Being able to quickly look at the behavior of an application to take advantage of downtime is very important to me. With that I’ve come up with a bit of an uncommon workflow where I not only proxy traffic from iOS devices, but will also look through the request history and even modify and replay requests, all from my iPhone or iPad. ...

Summary We (Julien Ahrens @MrTuxracer and myself @Evan_Connelly) identified nearly 30 popular apps, as well as a feature within iOS itself, vulnerable to an attack in which any installed iOS app from the Apple App Store could perform an account takeover of victim users. This vulnerability exploits the nuances of the OAuth protocol and iOS’s handling of Custom URL Schemes and Safari browser sessions to steal OAuth Authentication Codes from vulnerable OAuth implementations, thereby allowing an attacker to gain access to a victim’s account. ...

If an OAuth Authorization Server (AS) supports self-registration of client applications, and also supports silent authentication, it likely is possible to utilize the AS as an open redirector. Self-Registered OAuth Client Applications A significant factor in OAuth’s wide adaptation is the ability for developers to register their own client applications on various platforms. This is often done via a self-registration process, which is a major part of OAuth’s flexibility and widespread adoption. ...

In testing various Tesla web applications as part of the Tesla Bug Bounty Program, I’ve created many Tesla user accounts. At some point, while creating a new account, I became curious if I could register an account using a Tesla email address. For background, Tesla has many web apps. When it comes to SSO for all of these apps, Tesla has two main Identity Providers (IdPs), auth.tesla.com for external users and sso.telsa.com for employees. My testing involved the public auth.tesla.com. ...