Posts

Showing posts from July, 2025

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.”

According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission.

What I Found

While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access.

How I Discovered It

It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...

Bypassing Claude AI Free-Tier Rate Limits via Account Deletion and Recreation

I’ve been exploring AI tools for a while, testing how their features and limitations work in real-world use. Recently, while using Claude AI, I discovered something unusual — a loophole that lets you completely bypass the daily or monthly usage limits on free-tier accounts. This isn’t a hack in the sense of stealing data or breaking into systems. It’s more of a flaw in the way Claude AI enforces its usage limits. But the effect is still serious — it allows unlimited free usage in a way that clearly wasn’t intended and can have major business consequences for the platform.

What I Discovered

Claude AI, like many AI platforms, offers a free tier with certain restrictions. These restrictions — daily or monthly usage quotas — are meant to manage resources and encourage users to upgrade to a paid plan. However, while testing, I noticed that the limits only apply to the active account you’re logged into. Once the account is deleted, those usage counters are wiped out completely. Even more su...

Critical 2FA Phone Number Auto-Enablement Flaw in Instagram Multi-Account Setup

Summary

While testing Instagram’s mobile app, I discovered a serious vulnerability in how the platform handles multi-account creation. Instagram silently enables SMS-based two-factor authentication (2FA) on a newly created account by reusing a previously verified phone number — without requesting any verification code or user consent.

How I Found the Issue

1. Logged into Account A with SMS-based 2FA and authenticator app enabled.
2. Within the same app session, used Add Account → Create New Account option.
3. Created Account B using the same Gmail address as Account A.
4. Navigated to Settings → Security → Two-Factor Authentication → Text Message on Account B.
5. Noticed that the phone number from Account A was already linked, and SMS 2FA was enabled without any OTP prompt or verification.

Expected vs Actual Behavior

Feature: 2FA Setup. Expected Behavior: Instagram should prompt to verify phone via OTP for Account B. Actual Behavior: SMS-based 2FA enabled silentl...

When One Toggle Controls Them All: Active Status Sync Issue in Messenger Lite

While testing Facebook Messenger Lite on a device with multiple accounts logged in, I noticed something odd — and concerning. Changing the active status (online/offline) in one account was also changing it for all other logged-in accounts on that device, without any warning or consent. Messenger Lite is supposed to let each account control its own privacy settings. Active status is a key part of that — it tells people whether you’re online and available to chat. Users often rely on it to appear offline when they want privacy. But in my testing, this independence between accounts didn’t exist.

How I Found the Issue

I first noticed the behavior when I switched between two accounts on the same phone. I was logged into User A and turned off my active status so that no one could see I was online. Later, I switched to User B and saw that User B’s active status was also set to OFF — even though I had never changed it for that account. Even stranger, when I toggled User A’s status again, Use...

When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio

Background

While managing multiple social media accounts for business, I relied heavily on Facebook Creator Studio to handle Instagram messages and comments from my desktop. Creator Studio simplifies responding to DMs and comments without switching devices. In 2022, I discovered a critical privacy vulnerability related to how Creator Studio handles Instagram integration. After disconnecting a Facebook Page from an Instagram account — which I had sold to a new owner — I realized I still retained full access to that Instagram account’s private messages and comments, despite no longer owning it. Disconnecting the Facebook Page–Instagram link should immediately revoke all access. Instead, the visible connection was removed, but the backend kept the communication channel active. Even after disconnection, I could: View all existing and inc...

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook offers a setting that lets users control who can see the number of likes on their posts. For those who value privacy, setting the visibility to “Only Me” should ensure that no one else can view those numbers. It’s a straightforward option — simple in design and clear in purpose. While using this feature, I found that it doesn’t work the same way across all parts of Facebook. Even if I hide likes on a post, those numbers can still be seen by others when the post appears as a Reel. This gap in privacy enforcement makes it possible for someone to see engagement data that I had explicitly chosen to keep private.

Description of the Issue

The problem occurs because the “Only Me” setting for like visibility is applied only to the main post view. When that same content is shown in Facebook’s Reels section, the like count becomes visible again to anyone who views it. This means that a privacy setting that works in one part of the app is ignored in another. For example, I set my post’s ...

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Instagram is one of the most popular social media platforms worldwide, and its mobile app supports managing multiple accounts seamlessly. Users can switch between different Instagram profiles without logging out, making it easier to separate personal, business, or other accounts on the same device. One of Instagram’s essential security features is two-factor authentication (2FA), which adds an extra layer of protection by requiring users to verify their identity beyond just a password. Among the available 2FA methods, SMS-based verification is widely used due to its simplicity and effectiveness. However, while testing Instagram’s multi-account creation process, I uncovered a surprising flaw related to SMS-based 2FA that could impact user security and privacy.

Description of the Issue

While logged into an Instagram account with 2FA enabled using SMS and an authenticator app, I used the “Add Account” → “Create New Account” feature to register a second account with the same Gmail addr...

TikTok’s Tagging and Mention Settings Bypass: A Simple Business Logic Flaw

TikTok is one of the fastest-growing social media platforms, popular especially among young users for short-form videos and creative content. As a user and tester of the app, I’m aware that privacy controls are important features for managing interactions and keeping unwanted attention at bay. A couple of years ago, I discovered a serious privacy issue related to TikTok’s tagging and mention settings. The app provided a way for users to disable tagging and mentions in their privacy preferences — a key control designed to help people avoid harassment, spam, or unwanted notifications. However, I found that even when these settings were turned off, it was still possible for other users to tag or mention someone, completely bypassing the privacy control.

Description of the Issue

The root cause of this problem was a business logic flaw in TikTok’s backend systems. Although the app’s user interface offered the option to disable tags and mentions, the backend did not enforce this restriction ...

How I Discovered a ChatGPT Rate Limit Workaround (and Why It Matters)

OpenAI’s ChatGPT has become an essential tool for many users, especially those using GPT-4o — the paid model offering advanced capabilities. To manage costs and resources, OpenAI enforces message caps for GPT-4o users, limiting how many messages can be sent in a session. While exploring the behavior of ChatGPT after hitting these message limits, I discovered a subtle but impactful business logic flaw that allowed me to bypass the cap and continue conversations without waiting or starting a new chat. This wasn’t a traditional bug like code injection or cross-site scripting but a design issue affecting rate limiting and resource control.

Description of the Issue

When using GPT-4o, once you reach the message cap, the system is supposed to block further messages in that chat session until you start a new one or wait for the limit to reset. However, I found that by using the “Share Chat” feature, I could circumvent this restriction. Here’s what happens: after hitting the message limit,...

OpenAI Logout Glitch: When “Log Out of All Sessions” Didn’t Log Me Out

Finding a Session Logout Flaw on OpenAI’s Platform

While using OpenAI’s services, I noticed a subtle but important issue with how sessions are managed across devices. Specifically, the “Log out of all sessions” feature on the OpenAI web platform didn’t log me out from the mobile app.

Description of the Issue

I was logged into my OpenAI account at the same time on two devices: my desktop browser (Chrome) and the OpenAI mobile app on an Android device. When I chose “Log out of all sessions” from the desktop web interface, I expected that my account would be signed out everywhere — on both desktop and mobile. However, after about 30 minutes, I opened the mobile app and found that I was still logged in. Even after force-closing and reopening the app, it did not ask me to log in again. This showed that the mobile session remained active despite my explicit command to log out everywhere.

Steps to Reproduce

1. Log into OpenAI on both a desktop browser and the mobile app using the same account....

Privacy Glitch in Snapchat Web Exposed Notification Leak After Logout

Discovering a Privacy Issue with Snapchat Web Notifications

While using Snapchat Web, I came across a surprising privacy problem related to notifications. This happened on November 23, 2022, when I noticed that even after logging out from Snapchat’s web session, notifications for snaps and video calls kept arriving.

Description of the Issue

I was logged into Snapchat Web on Chrome. Then, I changed my Snapchat password from the mobile app, which should have logged me out from all active sessions, including the browser session. Although the web session did log out properly, I kept receiving notifications on that browser for incoming snaps and video calls. This suggested a problem in how Snapchat handled session tokens or notification services. Despite being logged out, the browser was still allowed to receive private notifications, which felt like a major privacy breach. To confirm, I recorded a proof-of-concept video showing notifications arriving on the logged-out session in real time....

Ghost Data: Deleted LinkedIn Profile Info Still Haunts the Platform

Discovering Persistent Data on LinkedIn After Profile Deletion

While exploring how LinkedIn handles user data, I found a surprising issue: even after deleting personal information from my profile, some of that data still appeared internally on the platform.

Description of the Issue

I removed all personal details from my LinkedIn profile — including my bio, job history, and other sensitive information. Despite this, an old company name I had worked for, “That Wild Arc Studio,” still showed up in the “Add to Featured” section when I was managing my profile. This data wasn’t visible publicly on my profile, and visitors couldn’t access it. However, LinkedIn’s internal system was still surfacing this supposedly deleted information in suggestions and feature prompts.

Steps to Reproduce

1. Log into LinkedIn and remove or delete personal and professional information from your profile, such as job history and bio.
2. Navigate to the “Add to Featured” section or similar areas in your profile set...

LinkedIn SSO Flaw Bypasses Password Reset Protections

Finding a Security Flaw in LinkedIn’s Google Single Sign-On Integration

While reviewing LinkedIn’s account security features, I discovered a serious problem with how their Google Single Sign-On (SSO) works — one that could let someone bypass password resets and logouts.

Description of the Issue

Normally, when you change your LinkedIn password and select the “log out from all devices” option, you expect all your active sessions to be closed. This helps protect your account if you think someone else has access. However, I found that if someone remains logged into the Gmail account linked to your LinkedIn, they can simply click “Sign in with Google” on LinkedIn and immediately regain access — without needing your old password or any additional verification. This means LinkedIn trusts the active Google login session more than your explicit request to log out everywhere, which breaks the security model users rely on.

Steps to Reproduce

1. Log into LinkedIn using Google SSO tied to your Gmail acc...

LinkedIn Mobile App Lock Delay: A Subtle Security Risk I Identified

Discovering a Delay in LinkedIn Mobile App Lock Security

While testing LinkedIn’s mobile app, I came across a subtle but important flaw involving the app lock feature. This feature is meant to protect user data by requiring re-authentication whenever the app is reopened.

Description of the Issue

The app lock is designed to activate immediately when you return to LinkedIn, requiring either a password or biometric verification. However, I noticed that when you open a link inside LinkedIn — like a profile link — and it opens externally in Chrome, the app lock doesn’t trigger right away after returning to LinkedIn. Instead, there can be a delay of up to a full minute where the LinkedIn app remains unlocked and fully accessible without any authentication.

Steps to Reproduce

1. Open the LinkedIn mobile app and log in.
2. Click on a link inside the app (for example, a profile link) that opens in the Chrome browser.
3. Browse in Chrome for some time.
4. Return to the LinkedIn app.
5. Observe that t...

TikTok 2FA Bypass via Third-Party Integration: A Critical Oversight I Discovered

Discovering a Two-Factor Authentication Bypass in TikTok’s Third-Party Login

While performing routine security testing, I found a critical vulnerability in TikTok’s authentication system that allows two-factor authentication (2FA) to be bypassed when logging in via third-party apps.

Description of the Issue

TikTok offers a “Sign in with TikTok” option that lets users access third-party apps like CapCut without entering separate credentials. However, I noticed that when using this method, the second step of verification — 2FA — is completely skipped. Even if 2FA is enabled on the TikTok account, the login process through the third-party app never asks for the second authentication factor. This effectively grants full access to the account with just a username and password, undermining the core security that 2FA is meant to provide.

Steps to Reproduce

1. Enable two-factor authentication on a TikTok account.
2. Use a third-party app, such as CapCut, that supports “Sign in with TikTok.”
3. Atte...

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Back on March 11, 2024, I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension, even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug. It wasn...