Showing posts from July, 2025

Understanding Android’s One-Time Permissions and Their Privacy Implications

You know that moment when you carefully set an app's permissions to "Ask every time"? When you go into Settings, find that app, and make sure it only gets access to your microphone or camera when you explicitly allow it? You feel good about it. You're in control, right? Yeah, about that.

I've been testing Android's one-time permission system, particularly with apps like WhatsApp. I set the microphone permission to "Ask every time" because I wanted tight control over when the app could listen. But what I discovered was something that doesn't quite match what Android's documentation promises.

Guess what? There's a gap. A small one, but it matters.

Wait, How Does This Work?

Here's the thing most people don't know: when you close an app after granting one-time permission, Android doesn't always revoke it instantly. Think about it. You finish a WhatsApp call, swipe the app away from your recent apps, and assume that's it...

Your Android Phone's Dirty Little Secret - Gemini

You know that moment when you're careful about app permissions? When you go into Settings, find that sketchy app, and revoke its access to your camera, location, or files? You feel good about it. You're in control, right? Yeah, about that.

I've been using Google Gemini since it launched. I gave it access to pretty much everything - camera, files, location, the works. Recently, I decided to clean things up. Went into Android settings, revoked all of Gemini's permissions, deleted the app, and reinstalled it fresh.

Guess what? Gemini still had access to everything.

Wait, How Is That Even Possible?

Here's the thing most people don't know: Gemini doesn't actually need your permission if you've already given it to the Google app. Think about it. The Google app comes pre-installed on almost every Android phone. During setup, you probably granted it a bunch of permissions without thinking twice. Camera, microphone, location, files - whatever it asked for,...

When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio

Affected Feature

Facebook Creator Studio's Instagram account linking system. Creator Studio lets you manage Instagram messages and comments from desktop by connecting your Instagram account to a Facebook Page.

How to Reproduce

1. Connect an Instagram account to a Facebook Page through Creator Studio
2. Use Creator Studio to manage that Instagram account's DMs and comments
3. Go to Facebook settings and disconnect the Instagram account from the Page
4. Go back to Creator Studio
5. You still have full access to read and reply to Instagram DMs and comments

The disconnection only removed the visible link. The backend authorization stayed active, so I could keep accessing everything like nothing changed.

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Affected Feature

Facebook's like visibility privacy setting. Users can choose "Only Me" to hide the number of likes on their posts from everyone else. This setting is supposed to keep engagement numbers private.

How to Reproduce

1. Create a post on Facebook and set like visibility to "Only Me"
2. Verify the like count is hidden when viewing the post normally
3. Log into a different Facebook account
4. Find the same content in the Reels section
5. The like count is now fully visible, even though it's set to private

The privacy setting only applies to the regular post view. When the same content shows up as a Reel, Facebook ignores the setting completely.

TikTok’s Tagging and Mention Settings Bypass: A Simple Business Logic Flaw

Affected Feature

TikTok's privacy settings for disabling tags and mentions. Users can turn this off to prevent others from tagging or mentioning them in videos and comments.

How to Reproduce

1. Go to TikTok privacy settings and disable tags and mentions
2. Switch to a different TikTok account
3. Try to tag or mention the user who disabled the setting
4. The tag/mention goes through successfully

The setting exists in the UI and appears to work, but the backend completely ignores it. Every attempt to tag or mention someone with this disabled still works.

Company Response

TikTok acknowledged the issue after I reported it and pushed a fix. The setting now properly blocks tags and mentions when disabled.

How I Discovered a ChatGPT Rate Limit Workaround.

Affected Feature

ChatGPT's message cap enforcement for GPT-4o users. OpenAI limits how many messages you can send with GPT-4o in a session to manage costs and resources.

How to Reproduce

1. Use GPT-4o until you hit the message limit
2. Instead of starting a new chat, click "Share Chat" and copy the link
3. Paste the link back into ChatGPT and send it
4. Click the link and select "Continue this conversation"
5. Send another message - it goes through even though you hit the cap
6. Repeat to keep sending messages beyond the limit

The model switches to GPT-3.5 for the extra messages, but you keep the full conversation context and bypass the intended limit.

Company Response

Reported to OpenAI via Bugcrowd. They confirmed the issue but marked it as a duplicate since another researcher had already reported it. No bounty, but they acknowledged the finding.

OpenAI Logout Glitch: When “Log Out of All Sessions” Didn’t Log Me Out

Affected Feature

OpenAI's "Log out of all sessions" feature. This is supposed to sign you out from every device where you're logged in - web, mobile, everything.

How to Reproduce

1. Log into OpenAI on desktop browser and mobile app with the same account
2. On desktop, click "Log out of all sessions" in account settings
3. Wait about 30 minutes
4. Open the mobile app
5. You're still logged in - no re-authentication required
6. Even force-closing and reopening the app doesn't trigger a logout

The web session ends properly, but the mobile app session stays active even though you explicitly logged out everywhere.

Company Response

Reported via Bugcrowd. Marked as duplicate since another researcher found it first, but OpenAI confirmed and fixed the issue as of June 4, 2025.

Privacy Glitch in Snapchat Web Exposed Notification Leak After Logout

Affected Feature

Snapchat Web's notification system. When logged into Snapchat on a browser, you get notifications for incoming snaps and video calls.

How to Reproduce

1. Log into Snapchat Web on Chrome
2. Change your Snapchat password from the mobile app (this forces logout on all sessions)
3. Verify the web session logged out properly
4. Notifications for snaps and video calls still keep coming to the browser

Even though the session is terminated, the notification channel stays active. I recorded a video showing notifications arriving in real-time on a logged-out session.

Company Response

Reported through Snapchat's bug bounty program. Initially marked "Informative" because they thought it required physical access and wasn't a real threat. I pushed back explaining users expect full logout means no notifications either. They eventually agreed and fixed it - notifications now properly stop when you log out of Snapchat Web.

LinkedIn Mobile App Lock Delay: A Subtle Security Risk I Identified

Affected Feature

LinkedIn mobile app's app lock feature. This requires password or biometric authentication whenever you reopen the app to protect your data.

How to Reproduce

1. Open LinkedIn mobile app with app lock enabled
2. Click any link inside the app that opens externally in Chrome (like a profile link)
3. Browse in Chrome for a bit
4. Switch back to LinkedIn
5. The app lock doesn't trigger - you have full access for up to a minute without any authentication

The delay gives you a window where the app stays unlocked even though it should require immediate re-authentication.

Company Response

Reported to LinkedIn but marked as duplicate.

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Affected Feature

Perplexity AI's conversational response system across both Chrome extension and mobile app. When users ask comparative questions about Perplexity itself, the system should respond from its own identity as a search engine.

How to Reproduce

1. Open Perplexity AI (Chrome extension or mobile app)
2. Ask: "Are you better than Google?"
3. The response compares ChatGPT to Google instead of Perplexity to Google
4. Perplexity acts like it's ChatGPT, completely ignoring its own identity as a search engine

Same bug happened on both the extension and app - identical confused responses about ChatGPT vs Google.

Impact

This is a product logic bug that creates an identity crisis. Users asking about Perplexity get answers about ChatGPT, making them think Perplexity is just a ChatGPT wrapper instead of its own search engine. The LLM powering Perplexity couldn't recognize that "you" in the question meant Perplexity itself. It associated "better than Google...