Chaining Multiple Vulnerabilities to Gain Admin Access

In April of this year I participated in a private program on HackerOne that was vulnerable to a series of IDOR that led to a complete takeover of an application. Unfortunately because this is a private program, I cannot disclose the name or company related information per their request. However I wanted to share the details on how I escalated my basic privileges from a regular “customer” account to an admin user.

Exploiting ImageMagick to get RCE on Polyvore (Yahoo Acquisition)

On 5/5/2016 ImageMagick was assigned CVE-2016-3714 “ImageMagick Delegate Arbitrary Command Execution”. Now let’s dig to this vulnerability and how to exploit this.  Having ImageMagick locally installed is advised in order to validate the POC (but not required). For this particular report, I created a file named  exploit.png with the following in the “source code” to get the target’s `id`:

Apple Pages, Numbers, Keynote Input Validation and XXE (CVE-2015-7032)


In June of 2015, Patrik Fehrenbach and I were able to identify a series of vulnerabilities in a few of Apple’s productivity applications: Pages, Numbers, as well as Keynote available for OS X and iOS 8.x (or older). In short, the application failed to validate the input while parsing a document.

Yahoo Image Processing SSRF/XSPA

In this blog post I will be showing a few recent vulnerabilities reported and patched by the Yahoo Security Team. In July of 2014 I was able to identify a SSRF vulnerability affecting all of Yahoo’s services that required an image processing (such as flickr and Yahoo groups). This vulnerability was patched a few weeks ago (June 2015). Now let’s get to the good stuff:

Yahoo Remote Command Execution via Admin/Upload Bypass

Hello Everyone, Recently I was analyzing an XSS vulnerability on one of Yahoo’s Subdomains where I decided to also analyze the HTTP Headers. While doing so I came across the admin login page on (hk.yahoo.net), due to the fact that the search was being posted to search module from the admin panel.  Well that’s not the best part!