The March 23th, Guillaume Lopes gave a talk at BSides Dublin about how to bypass the payment on Google Play Billing API. Synopsis: In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps […]

[Conference] BSides Dublin 2019 – Abusing Google Play Billing for ...

Dirk-jan Mollema, a pentester working for Foxit, found a very clever attack allowing any user, owning an Exchange mailbox, to obtain Domain Admin privileges. The attack has been unveiled last week, strangely without a lot of media coverage (but things seem to change, the daily blogpost of the SANS ISC covered […]

[PrivExchange] From user to domain admin in less than 60sec ...

Guillaume Lopes (@Guillaume_Lopes) and Davy Douhine (@ddouhine), senior pentesters, will share many techniques, tips and tricks to deliver to pentesters, bug bounty researchers or just curious a 100% hands-on 2 days mobile training. Goal is to introduce tools (Adb, Apktool, Jadx, Cycript, Frida, Hopper, Needle, etc.) and techniques to help […]

[Training/Conference] HIP – Mobile Hacking Training (17/18 June)

Client side validation Client side validation is a common weakness found during penetration tests and security audits performed by Randorisec. Because client side is by definition… on the user side, it can be altered by the user and sometimes it can be done quite easily. Netflix Parental Control PIN A […]

Client side validation strikes again: PIN code bypass !