A deep link handler in a ride-hailing Android app accepted attacker-controlled JSON, bypassed its own host allowlist using relative paths, and let any link click book a real ride against the victim's authenticated account.
Mar 31, 2026

An exported activity, a data: URI validation bypass, and a JavaScript bridge with no origin check let any zero-permission co-installed app silently steal a 30-day session token from a centralized cryptocurrency exchange's Android app.
Mar 30, 2026

A missing domain check in a centralized cryptocurrency exchange's Android WebView wrapper sent the user's full 30-day session token as an HTTP header to a third-party charting domain on every meme coin chart view.
Mar 30, 2026

Zero-permission co-installed app silently steals session token in under 5 seconds. Trading, PII, and withdrawal address injection confirmed.
Mar 27, 2026

An exported splash activity, a WebView with no domain allowlist, and a JS bridge that returned session tokens to any loaded page let any co-installed app on a centralized crypto exchange's Android client steal a 90-day session with zero user interaction.
Mar 26, 2026

Mobile wallet stored and returned full card numbers and CVVs in cleartext. Zero tokenization architecture. Multiple PCI DSS violations.
Mar 26, 2026

Unclaimed npm scopes in production bundles. Both orgs registered to prove exploitability. Single compromised build affects all brands.
Mar 23, 2026

AES key from iOS binary decrypts 10 API secrets. Forged Apple Wallet loyalty passes for any customer.
Mar 21, 2026

A drugstore chain's Android app inserted a deep link parameter unsanitized into a WebView URL, where a URL fragment bypassed the regex domain check and loaded an attacker page inside the official app, leaking the session token on first load.
Mar 21, 2026

Unsandboxed plugin iframes had full native bridge access. Opening a shared board silently poisoned the clipboard, dropped files to storage, and opened attacker URLs in Chrome.
Mar 20, 2026