I spoofed access to other people’s email in order to pre-steal user accounts before they are first registered. Here’s how I did it.

Photo by Markus Winkler on Unsplash

One thing I always test while hacking on bug bounty programs is how applications generate tokens. Tokens are used for things such as password resets, email address verification, one-click sign-in, etc.

While hacking on one private program I discovered an application with a weak algorithm for generating email verification tokens. This is how I approached the problem and how I found a way to generate valid tokens to verify ownership of any email address, even those I…


I found an API that exposed encrypted credit card numbers. Here’s how I cracked them to reveal the full card details.

Photo by Avery Evans on Unsplash

While hacking on a private bug bounty program, I found a graphql endpoint that exposed way more information about logged in users than it should have done. By playing with the ‘about me’ graphql API request I was able to guess and retrieve all the logged-in user’s stored values present in the database, not just those disclosed by the web app.

Using these guessed parameters, I was able to retrieve all credit cards added to a user’s account. This…


“We’ve sent a six-digit code to your email address. Enter it below to login.”

Photo by Alvin Lenin on Unsplash

We see them all the time while testing web applications. In order to verify your identity, the application sends a 6 digit numerical code to your registered email address or phone number. The purpose is to prove that the person performing the action is also in possession of the phone or mailbox attached to it. No access, no authorisation. It’s a useful second factor to apply a little extra security to a process.

If you try to guess the code it expires after 5 or so…


Free and open proxy servers promise anonymous internet access, but at what cost?

Never trust an open proxy server
Never trust an open proxy server
Photo by Mikael Seegen on Unsplash

In a world of ever-decreasing online privacy, it’s easy to get sucked into the ‘use an anonymous proxy to stay safe’ narrative. I’ve got nothing against using reputable proxy services or VPNs (virtual private networks), but the ‘free’ proxy services you find on the web can be anything but.

What’s the Difference Between a Proxy and a VPN?

People use proxies and VPNs (Virtual Private Networks) to hide their real IP address and masquerade as other devices on the internet. There are many reasons to do this including bypassing content geo-restrictions, bypassing government filters ( Great…


Evading detection and building trust with Captcha challenges and Smishing attacks.

The latest SMS Phishing message I’ve received from not-my-real phone company

This week I received another SMS Phishing attack which was almost identical to the previous Smishing attack I covered. There were two things that struck me as particularly interesting this time:

  1. The attack used the s.id Indonesian link shortening service
  2. The attack used a Captcha page to limit access to the phishing page to real people only

Thinking about the first point, it’s clear that s.id, the “World’s shortest URL shortener”, has been chosen to minimise the size of the links in the phishing text message. …


How hackers manually escalated from a malicious email to a devastating, company-wide ransomware takeover in under 5 hours.

Photo by Pixabay from Pexels

(This article aims to contextualize an excellent incident report by Thedfirreport.com. I’ve used my own experience to fill in the gaps to demonstrate how these attacks affect real people in real companies.)

The Attack Started Like Many Others

A phishing email landed in the victim's inbox at around 5 pm UTC and was promptly opened and read. There was nothing particularly suspicious about it. It was a well-written email with a reasonable call to action. There were no urgent demands. It wasn’t claiming to be from the company…


Every image you post online leaks information about you. This is how anyone can find your location using Open Source Intelligence (OSINT).

Let’s find the exact location of this photograph together.

Open Source Intelligence In Action — Geolocating a Photograph

Open Source Intelligence (OSINT) is the practice of using public or ‘open source’ information available on the internet to gather intelligence and gain insights on given targets. By combining public data sources you can find answers to a variety of questions that most people wouldn’t think is possible.

For example, the sunset photo above is one I took a couple of years ago while travelling for work. It’s not an instantly recognisable location. It’s probably not even that…


I got hit by a devastating worm that spread through phishing. This is how it worked and what I learned from it.

Photo by Miguel Á. Padriñán from Pexels

A long time ago in a world without Multi-Factor Authentication…

The first report came in shortly after 10 am. A user had fallen victim to a phishing attack. Their account was spamming out an unusual amount of email, triggering an alert. Another day, another attack.

The response team hit the big red ‘account breached’ button, locking the compromised account down, then we started to investigate. We were looking for the root cause of the compromise and any damage…


Hacking and defending user accounts
Hacking and defending user accounts
Photo by Andrea Piacquadio from Pexels

User accounts are still the number one target for hackers today. The reason for this is that with a legitimate user account you can access, control, and change all of the information available to that user. To achieve this level of control through a software vulnerability can be incredibly difficult, if not impossible. Yet, with the right username and password, you can do all sorts of incredible things that you shouldn’t. When used as intended, user accounts are very valuable. When used by criminals they are incredibly powerful and dangerous. …


We create and use user accounts without thinking about it, but how do they actually work and how do they keep our things secure?

What is a user account and how do they keep things secure?
What is a user account and how do they keep things secure?
Photo by Micah Williams on Unsplash

A user account is a digital identity used by a person or piece of software. The identity allows us to associate things in the digital world with a real person or a specific application. In an ideal world, a user account will only ever be used by one person or one instance of a software application. Unfortunately, that isn’t always the case. (More on this later).

How Do User Accounts Work?

Identity and Access Management (IAM) is a framework of processes…

Craig Hays

Aspiring writer, Cybersecurity Architect, Bug Bounty Hunter, Musician, Movie Producer, Failed Skydiver. https://craighays.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store