Posts

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.”

According to Android’s official documentation, one-time permissions should work like this:

- When the app is visible and in use, it can access the requested resource.
- If the app is sent to the background, it may still access the resource briefly.
- If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately.

That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission.

What I Found

While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence.

Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access.

How I Discovered It

It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...

Bypassing Claude AI Free-Tier Rate Limits via Account Deletion and Recreation

I’ve been exploring AI tools for a while, testing how their features and limitations work in real-world use. Recently, while using Claude AI, I discovered something unusual — a loophole that lets you completely bypass the daily or monthly usage limits on free-tier accounts.

This isn’t a hack in the sense of stealing data or breaking into systems. It’s more of a flaw in the way Claude AI enforces its usage limits. But the effect is still serious — it allows unlimited free usage in a way that clearly wasn’t intended and can have major business consequences for the platform.

What I Discovered

Claude AI, like many AI platforms, offers a free tier with certain restrictions. These restrictions — daily or monthly usage quotas — are meant to manage resources and encourage users to upgrade to a paid plan. However, while testing, I noticed that the limits only apply to the active account you’re logged into. Once the account is deleted, those usage counters are wiped out completely. Even more su...

Critical 2FA Phone Number Auto-Enablement Flaw in Instagram Multi-Account Setup

Summary

While testing Instagram’s mobile app, I discovered a serious vulnerability in how the platform handles multi-account creation. Instagram silently enables SMS-based two-factor authentication (2FA) on a newly created account by reusing a previously verified phone number — without requesting any verification code or user consent.

How I Found the Issue

1. Logged into Account A with SMS-based 2FA and authenticator app enabled.
2. Within the same app session, used the Add Account → Create New Account option.
3. Created Account B using the same Gmail address as Account A.
4. Navigated to Settings → Security → Two-Factor Authentication → Text Message on Account B.
5. Noticed that the phone number from Account A was already linked, and SMS 2FA was enabled without any OTP prompt or verification.

Expected vs Actual Behavior

Feature: 2FA Setup. Expected behavior: Instagram should prompt to verify the phone via OTP for Account B. Actual behavior: SMS-based 2FA enabled silentl...

When One Toggle Controls Them All: Active Status Sync Issue in Messenger Lite

While testing Facebook Messenger Lite on a device with multiple accounts logged in, I noticed something odd — and concerning. Changing the active status (online/offline) in one account was also changing it for all other logged-in accounts on that device, without any warning or consent.

Messenger Lite is supposed to let each account control its own privacy settings. Active status is a key part of that — it tells people whether you’re online and available to chat. Users often rely on it to appear offline when they want privacy. But in my testing, this independence between accounts didn’t exist.

How I Found the Issue

I first noticed the behavior when I switched between two accounts on the same phone. I was logged into User A and turned off my active status so that no one could see I was online. Later, I switched to User B and saw that User B’s active status was also set to OFF — even though I had never changed it for that account. Even stranger, when I toggled User A’s status again, Use...

When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio

Background

While managing multiple social media accounts for business, I relied heavily on Facebook Creator Studio to handle Instagram messages and comments from my desktop. Creator Studio simplifies responding to DMs and comments without switching devices.

Discovery Summary

In 2022, I discovered a critical privacy vulnerability related to how Creator Studio handles Instagram integration. After disconnecting a Facebook Page from an Instagram account — which I had sold to a new owner — I realized I still retained full access to that Instagram account’s private messages and comments, despite no longer owning it.

Description of the Vulnerability

Disconnecting the Facebook Page–Instagram link should immediately revoke all access. Instead, the visible connection was removed, but the backend kept the communication channel active. Even after disconnection, I could: View all existing and inc...

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook offers a setting that lets users control who can see the number of likes on their posts. For those who value privacy, setting the visibility to “Only Me” should ensure that no one else can view those numbers. It’s a straightforward option — simple in design and clear in purpose.

While using this feature, I found that it doesn’t work the same way across all parts of Facebook. Even if I hide likes on a post, those numbers can still be seen by others when the post appears as a Reel. This gap in privacy enforcement makes it possible for someone to see engagement data that I had explicitly chosen to keep private.

Description of the Issue

The problem occurs because the “Only Me” setting for like visibility is applied only to the main post view. When that same content is shown in Facebook’s Reels section, the like count becomes visible again to anyone who views it. This means that a privacy setting that works in one part of the app is ignored in another. For example, I set my post’s ...