Hi, I’m Duo the owl!

This is my first public disclosure of bugs I’ve discovered in the wild. I’ll just preface this entire article by stating that these are not security vulnerabilities, simply logic errors.

The main aim of this article is less to share how these logic errors can be exploited and more to emphasize a curious discovery: applications sometimes leverage two separate APIs, for whatever reason, and doing so allows interesting bugs to be introduced (i.e., it presents a larger attack surface, because two independent services need to be secured instead of just one).

This report is about Duolingo, one of my favorite applications for learning new languages. …


Jon Roethke

information security, blockchain, travel, surf
