Dark C0d3rs
HackerOne Disclosed Reports - 2026-07-04 - Printable Version


HackerOne disclosed reports - 2026-07-04 - hashXploiter - 07-05-2026

Severity: Medium | Status: resolved

Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity


Bug reported by Z was disclosed on July 4, 2026, 11:05 am | Improper Access Control - Generic

A vulnerability was discovered in the Basecamp Android app that allowed any installed app to force immediate logout and persistent denial-of-service of authenticated Basecamp sessions. The vulnerability was due to the `com.basecamp.bc4.app.main.start.StartActivity` being declared as exported without any permission guard. This allowed any app to launch it with an explicit intent, terminating the current session and forcing the user back to the login screen. The behavior was confirmed to be reliable, silent, and persistent.
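A manifest audit for the condition described above, as an added example that is not part of the original report or Basecamp's code: it lists components that are exported with no `android:permission` guard. The sample manifest is constructed; only the `StartActivity` class name comes from the summary, and the package name, the other activities and the function name `unguarded_exported` are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest for illustration; only the StartActivity class name
# comes from the report summary. Package and other components are made up.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name="com.basecamp.bc4.app.main.start.StartActivity"
              android:exported="true"/>
    <activity android:name=".LauncherActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".GuardedActivity" android:exported="true"
              android:permission="com.example.app.permission.INTERNAL"/>
    <activity android:name=".LegacyActivity">
      <intent-filter><action android:name="com.example.app.OPEN"/></intent-filter>
    </activity>
    <activity android:name=".PrivateActivity" android:exported="false"/>
  </application>
</manifest>"""

def unguarded_exported(manifest_xml):
    """Return (name, is_launcher) for components any installed app can start."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(A + "permission")  # default permission for all components
    findings = []
    for comp in app:
        if comp.tag not in ("activity", "activity-alias", "service", "receiver"):
            continue
        exported = comp.get(A + "exported")
        if exported is None:
            # Without the attribute, an intent-filter implies exported
            # (the pre-Android 12 default for these component types).
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported != "true" or comp.get(A + "permission") or app_perm:
            continue
        launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        findings.append((comp.get(A + "name"), launcher))
    return findings

if __name__ == "__main__":
    for name, launcher in unguarded_exported(SAMPLE_MANIFEST):
        print(name, "(launcher, must stay exported)" if launcher else "(review)")
```

A launcher entry has to remain exported, so a finding flagged as launcher calls for reviewing what the activity does when started by another app rather than changing the manifest attribute.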