Note: The following article was published on 16/01/2017 on


As promised in the last case-study, today we are going to see a very interesting case-study, with an interesting twist.

veryone seems to love jQuery. This awesome Javascript library is everywhere I look — dozens of thousands of companies use it in their website applications, and it is super convenient — especially when it comes to AJAX requests — importing jQuery makes our lives a whole lot easier.

A library of libraries

jQuery is not alone. Google and Microsoft (and sometimes Mozilla and Apple, Facebook and Twitter as well) release new JS libraries…

Note: The following article was published on 16/07/2019 on

oday’s case-study does not involve any vulnerability at all.
Yes — you heard me. No XSSes, no open redirects, no CSRFs or IDORs. Nothing. Nada.

We’ll only learn about a wrong implementation that was used by Tinder in order to integrate their users Instagram accounts on their platform.

While joking with (Ok, more like on) a friend about that the only way he’ll get a match on Tinder is if he’ll find a vulnerability for it, I have started to read about recent security vulnerabilities Tinder has suffered. So…

Note: The following article was published on 25/12/2016 on

appy Hanukkah and Marry Christmas to you all!

The end of the year is always a great time to wrap things up and set goals for the next year. And also to get super-drunk, of course.

In today’s holiday-special case-study we’ll examine a case where an attacker from one website can affect an entire other website, without accessing the second one at all. But before that, we need to talk a bit about Self XSS.

Basically, Self XSS is a stupid vulnerability. Usually, to be attacked, victims need to…

Note: The following article was published on 27/11/2016 on

credit: actionplusbb

Sorry for the no-new-posts-November, FogMarks has been very busy experiencing new fields and worlds. But now — we’re back on baby!

oday’s case-study is about an old incident (and by “old” I mean 3 months old), but due to recent developments in an active research of a very known company’s popular product, I want to present and explain the huge importance of having an Anti-IDOR mechanism in your application.


Basically, an IDOR (Insecure Direct Object Reference) allows an attacker to mess around with an object that does not belong…

Note: The following article was published on 13/09/2016 on

credit: Google Images

“Fences were made to be jumped over” — John Doe

you might have already guessed (or not), today’s case-study is all about open redirects, and bypassing mechanisms that were made to prevent them. Fun!

I have already shared with you my thoughts about open redirects and their consequences on the website’s general security.
Now it is the time to demonstrate how open redirects can be achieved by manipulating the AOR (Anti Open Redirects) mechanism.

A great example for a great AOR is again Facebook’s linkshim system. Its basically attaching…

Note: The following article was published on 09/08/2016 on

credit: Google Images

what way do you interact with private information of your users? I mean to information like their full name, email address, living address, phone number or any other kind of information that may be important to them, or information they’d rather keep private.

Today’s case-study talks just about that. Parental advisory: Parental advisory: Explicit content. Just kidding.

We will talk about the way private objects (and I’ll explain my interpretation of the term ‘objects’ later on) should be handled, and then we will see 2 neat examples from vulnerabilities…

Note: The following article was published on 24/07/2016 on
PoC video is at the bottom of this case-study.

King Ahaziah lies sick after having fallen through an upper Wellcome (credit: Wikimedia)

oday’s case-study will discuss the importance of having a Token Management Mechanism.
Every web application which supports users authentication will normally use a token for validating ‘critical’ actions users initiating do.

Facebook, for example, automatically adds a token at the end of any link a user provide, sometimes even to pages within Facebook. This mechanism is called ‘Linkshim’ and it is the primary reason why you rarely hear about Facebook open redirects, CSRFs or clickjacking vulnerabilities. Facebook’s method is pretty…

Note: The following article was published on 13/06/2016 on

few years ago, when FogMarks was not even a tiny idea or a vision in my head, I used to do casual programming jobs on Fiverr.

One of the jobs/gigs I was asked to do is to cause a user in site to be redirected to and then, without an action from his side, to be redirected to a site. I didn’t realize back then why would someone want that kind of thing. Why not just simply redirect the user directly to I asked the…

Note: The following article was published on 16/05/2016 on

fter reading some blog posts about Mozilla’s Addons websites, I was fascinated from this python-based platform and decided to focus on it.
The XSS vector led basically to nowhere. The folks at Mozilla did excellent job curing and properly sanitizing every user input.

This led me to change my direction and search for the most fun vulnerabilities — logic flaws.

The logic

Most people don’t know, but the fastest way to track logic-based security issues is to get into the mind of the author and to try and think from his…

Note: The following article was published on 03/04/2016 on

Sinking boat painting by Willy Stöwer

hen Facebook was just a tiny company with only a few members, it needed a way to get more members.

Today, when you want more visitors to your site, you advertise on Facebook, because everybody is there.

Back then, the main advertising options were manually post advertisements on popular websites (using Google, for instance), or getting your members invite their friends using their email account.

Facebook’s Past Invitation System

When a user joined Facebook at its early days, there was literally nothing to see. …

Shahar Albeck

Founder, Independent Security Researcher @

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store