HackerOne Disclosed Reports - 2025-11-14


Low
resolved

Responsible disclosure - public S3 bucket exposing JSON/config files


Bug reported by was disclosed on November 14, 2025, 7:25 pm | Information Disclosure

A publicly listable S3 bucket was discovered, exposing various JSON and configuration files. The bucket listing and file metadata were retrievable without authentication.


Critical
resolved

Authentication Token Theft via Open Redirect in Callback URL Parameter


Bug reported by Sle3pyHead was disclosed on November 14, 2025, 3:26 pm | Insufficiently Protected Credentials

A vulnerability was identified in the email signup flow of a website that enabled authentication token theft through manipulation of the callbackUrl parameter. An attacker could modify the callbackUrl parameter during the email signup process to point to an attacker-controlled domain. When the victim completed email verification by clicking the verification link, they were redirected to that domain together with their authentication tokens; the redirection happened automatically as part of the normal signup flow. The root cause was insufficient validation of the callbackUrl parameter (no allowlist of permitted redirect destinations), and the attack leveraged the trust users place in legitimate verification emails.

