Effortless Password Audits

Passwords. They are the keys to our digital kingdoms. And these days most organisations will have security controls in place, such as two-factor authentication (2FA), to complement the traditional password and help prevent credential stuffing attacks. (Sidenote: did you know that 2FA deployed on your Exchange server can be effortlessly bypassed?)

Paul Price

01 November 2018


Online Stalking: London, Paris, New York

Much like the Strava controversy a few weeks ago, this is a great example of how seemingly innocent data can be used for nefarious purposes.

Daniel Faram

13 February 2018


Domino's: Pizza and Payments

Paul Price

04 April 2016


Owning Philips In.Sight IP Cameras

This is a continuation of my previous post, but this time we'll be taking a look at the device itself, the Philips In.Sight M100. The end goal is to pop a root shell on the device, which we successfully accomplish by exploiting multiple vulnerabilities.

Paul Price

30 January 2015


Yoics: account takeover vulnerability

Yoics markets itself as "secure cloud networking" and is a service that lets you "Internet access (almost) anything". Many top brands use Yoics in their devices: Cisco, Astak, Philips and more. A good example is the Philips In.Sight M100 Wireless Home Monitor.

Paul Price

29 January 2015


Moonpig Vulnerability

Moonpig is one of the best-known companies selling personalised greeting cards in the UK. In 2007 they had a 90% market share and shipped nearly 6 million cards. In July 2011 they were bought by PhotoBox.

Paul Price

05 January 2015


National Express print-at-home vulnerability

This is a fine example of developers being lazy and how not to implement "security".

Paul Price

25 September 2014


Cerberus anti-theft – an exploit allowing you to access any device

You may or may not have heard of Cerberus, an anti-theft application for Android devices. Cerberus allows you to remotely control your device if it has been lost or stolen. Features include: locate and track your device, start alarms, get a list of recent calls, download SMS messages, take pictures, record video, record audio and much more – all of which is done discreetly without the “thief” knowing so you can track your phone down and attempt to recover it. Pretty cool, right? Now imagine if anyone could access your device and listen to your conversations. A security hole in Cerberus allows just that.

Paul Price

19 December 2013


Funky Pigeon - account takeover

If you have an account with FunkyPigeon.com then you should be extremely concerned. It is possible for an attacker to gain access to your account which can contain your address details, recent orders, any uploaded photos, your contacts (and their addresses) and your reminders – all of this information can be changed, as well as your password, e-mail address and “security” question. An attacker could use your account balance to order a card in your name.

Paul Price

24 October 2013