Severity: critical | Impact: 8 countries affected

Hardcoded AES Key in iOS App Enables Loyalty Card Forgery Across 8 Countries

AES key from iOS binary decrypts 10 API secrets. Forged Apple Wallet loyalty passes for any customer.

Mar 21, 2026
Tags: iOS, Reverse Engineering, Hardcoded Secrets
Severity: critical | Impact: $10 to $365

Race Condition Turns $10 Gift Card into $365

Non-atomic refund API allowed gift card balance multiplication. Reproduced 4/4 on production.

Mar 16, 2026
Tags: Android, Race Condition, Business Logic
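The pattern behind this finding, as an added illustration that is not code from the writeup or the affected app: a refund handler that checks eligibility in one statement and credits the card in another multiplies the balance when requests overlap, while a single conditional UPDATE lets exactly one request win. The schema, the $10 order and the request count are constructed for the demo; the page does not describe the real API's internals.

```python
# Added illustration of a check-then-act refund race (not code from the
# writeup). Schema, the $10 order and the request count are constructed.
import sqlite3

ORDER_AMOUNT = 10  # constructed: dollars on the order being refunded


def fresh_db():
    """In-memory store: one gift card at $0 and one unrefunded $10 order."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gift_cards (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, card_id INTEGER NOT NULL, "
        "amount INTEGER NOT NULL, refunded INTEGER NOT NULL DEFAULT 0)"
    )
    db.execute("INSERT INTO gift_cards (id, balance) VALUES (1, 0)")
    db.execute("INSERT INTO orders (id, card_id, amount, refunded) VALUES (1, 1, ?, 0)",
               (ORDER_AMOUNT,))
    db.commit()
    return db


def card_balance(db):
    return db.execute("SELECT balance FROM gift_cards WHERE id = 1").fetchone()[0]


def refund_nonatomic(db, n_requests):
    """Vulnerable shape: the eligibility check (SELECT refunded) and the credit
    (UPDATE) are separate statements. The interleaving is forced here so that
    every request reads before any request writes, which is what a burst of
    parallel requests converges to on a loaded server."""
    decisions = []
    for _ in range(n_requests):
        amount, refunded = db.execute(
            "SELECT amount, refunded FROM orders WHERE id = 1").fetchone()
        decisions.append(0 if refunded else amount)  # stale read: nobody has written yet
    for amount in decisions:
        if amount == 0:
            continue
        db.execute("UPDATE gift_cards SET balance = balance + ? WHERE id = 1", (amount,))
        db.execute("UPDATE orders SET refunded = 1 WHERE id = 1")
    db.commit()
    return card_balance(db)  # n_requests * ORDER_AMOUNT


def refund_atomic(db, n_requests):
    """Hardened shape: flipping refunded 0 -> 1 is one conditional UPDATE,
    which the database serializes per row, so exactly one request sees
    rowcount == 1 and only that request credits the card."""
    for _ in range(n_requests):
        with db:  # one transaction per request: claim the refund, then credit
            claimed = db.execute(
                "UPDATE orders SET refunded = 1 WHERE id = 1 AND refunded = 0").rowcount
            if claimed == 1:
                db.execute(
                    "UPDATE gift_cards SET balance = balance + "
                    "(SELECT amount FROM orders WHERE id = 1) WHERE id = 1")
    return card_balance(db)  # ORDER_AMOUNT, however many requests raced


if __name__ == "__main__":
    print("non-atomic, 6 overlapping refunds:", refund_nonatomic(fresh_db(), 6))
    print("atomic,     6 overlapping refunds:", refund_atomic(fresh_db(), 6))
```

The interleaving is forced in the simulation rather than left to threads so the result is deterministic; in production the same outcome depends on timing, which is why a reproduction count such as the 4/4 above is worth recording as evidence.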
Severity: critical | Impact: Government API exposed

Hardcoded API Key in Android App Exposes Government Identity Verification Service

API key in APK granted access to police check verification. Full name, DOB, address, criminal history downloadable.

Mar 5, 2026
Tags: Android, Hardcoded Secrets, Government
Severity: critical | Impact: Wallet drain

Deep Link Injection in DApp Browser Enables Wallet Drain

Unvalidated deep link parameter loaded attacker page with full transaction signing bridge access.

Mar 5, 2026
Tags: Android, Deep Links, Wallet
Severity: high | Impact: Cross-tenant data

Unauthenticated Supabase RPC Exposes Cross-Tenant Invoice Data

Unauthenticated database function returned invoices from other organizations including payment links.

Mar 5, 2026
Tags: Web, Access Control, Healthcare
Severity: critical | Impact: Zero-click ATO

Push Notification Forgery via Exported Activity Leads to Zero-Click Account Takeover

Deterministic encryption combined with an exported activity: a forged push notification steals session tokens without any user interaction.

Mar 4, 2026
Tags: Android, Access Control, Cryptography
Severity: high | Impact: Official branded phishing

Hardcoded Branch.io Key Enables Official Branded Phishing Links

SDK key from APK created unlimited verified deep links. Chained with unfiltered WebView for in-app credential theft.

Mar 4, 2026
Tags: Android, Hardcoded Secrets, Phishing
Severity: critical | Impact: One-tap ATO

Deep Link + JS Bridge Chain to Full Account Takeover

Three chained flaws in a crypto exchange's Android app gave full account access from a single tap.

Mar 2, 2026
Tags: Android, Deep Links, JS Bridge
Severity: critical | Impact: Permanent impersonation

Unauthenticated Zendesk JWT Enables Full Support System Impersonation

No-auth endpoint generated support tokens for any user. Read conversations, download KYC docs, send messages as victim.

Mar 2, 2026
Tags: Web, Authentication, Data Exposure
Severity: critical | Impact: All users affected

Hardcoded RSA Key in Native Library Enables Remote Wallet Compromise

RSA-2048 key extracted from a .so file in 5 seconds. Forged push notifications to any wallet user.

Feb 26, 2026
Tags: Android, Reverse Engineering, Hardcoded Secrets