2d ago · 3 min read · The Discovery The platform offered newly registered users a welcome voucher that could be redeemed for credit. At first glance, the implementation appeared secure. Manually modifying the visible vouch
May 5 · 11 min read · I wanted to re-open an old Binance API security issue. Not because I enjoy re-litigating old reports. Because the last thirteen days made the threat model painfully concrete. I found or stumbled into
Apr 26 · 6 min read · The harmless profile endpoint that taught me how real bugs work Early in my bug bounty journey, I found a bug that looked simple from the outside, but it changed the way I think about web security. At
Apr 20 · 10 min read · A case study on how Binance's listenKey design bypasses IP whitelisting, why Bugcrowd dismissed it, and what this teaches us about API security in 2025. Update (2026-04-20): This article was original
Apr 20 · 6 min read · A system can use OAuth. It can issue signed tokens. It can even validate them correctly. And still get breached. Why? Because security doesn’t fail at authentication — it fails at trust boundaries. Mo
Apr 19 · 3 min read · Introduction API security is a critical aspect of modern applications. One of the most common and severe issues is improper authorization, often categorized under Broken Object Level Authorization (BO
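The BOLA class mentioned in the teaser above, shown as an added example that is not code from the article: a minimal "fetch document by ID" handler backed by a constructed in-memory store, with the vulnerable lookup (object ID only) beside the hardened one (object ID plus an ownership/ACL check on every access). The user names, document IDs and the `enumerate_ids` sweep are all assumptions made for illustration.

```python
"""Broken Object Level Authorization (BOLA / IDOR), added example.

Constructed scenario (not from the article): an authenticated caller asks
for a document by numeric ID. The vulnerable handler checks only that the
ID exists; the secure handler also checks that the caller owns the object
or has been granted access to it.
"""

# Constructed sample data: three documents, two owners, one share.
DOCUMENTS = {
    101: {"owner": "alice", "title": "Alice's tax return"},
    102: {"owner": "bob", "title": "Bob's medical record"},
    103: {"owner": "alice", "title": "Shared memo", "shared_with": {"bob"}},
}


class NotFound(Exception):
    """Raised when the caller may not see the object (missing or not theirs)."""


def get_document_vulnerable(caller: str, doc_id: int) -> dict:
    """Authenticated but not authorized: any logged-in caller reads any ID."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc  # no check that `caller` is allowed to see this object


def is_authorized(caller: str, doc: dict) -> bool:
    """Object-level check: owner, or explicitly shared with the caller."""
    return caller == doc["owner"] or caller in doc.get("shared_with", set())


def get_document_secure(caller: str, doc_id: int) -> dict:
    """Same lookup, but the authorization decision is tied to the object."""
    doc = DOCUMENTS.get(doc_id)
    # Collapse "does not exist" and "not yours" into one error so the
    # endpoint does not become an oracle for enumerating valid IDs.
    if doc is None or not is_authorized(caller, doc):
        raise NotFound(doc_id)
    return doc


def enumerate_ids(caller: str, handler, id_range) -> list:
    """Simulate an IDOR sweep: return the IDs `caller` can read via `handler`."""
    readable = []
    for doc_id in id_range:
        try:
            handler(caller, doc_id)
            readable.append(doc_id)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    # Bob sweeps IDs 100..109 against both handlers.
    print("vulnerable:", enumerate_ids("bob", get_document_vulnerable, range(100, 110)))
    print("secure:    ", enumerate_ids("bob", get_document_secure, range(100, 110)))
```

The design point is that the authorization check takes the object itself as input, not just the caller's session: a valid token proves who is calling, never which rows they may touch.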
Apr 18 · 8 min read · The bill arrived at 9:47 AM on a Tuesday. Thirteen hours of compute time. $54,385.87 in Gemini API charges. The developer who received it had been asleep for most of the attack.
What happened next wasn't the standard ritual of cloud billing horro...