Latest Posts

Crafting Malicious Facebook Ads via Instant Experiences

Crafting Malicious Facebook Ads via Instant Experiences

Ashley King 17 Jul 2025 Meta

Everyone who uses Facebook has seen them: slick, fast-loading ads that open up into a full-screen experience without ever leaving the app. These are...

Read More
XSS to RCE - Xbox Device Portal

XSS to RCE - Xbox Device Portal

Crafted By Gemini 2.5 25 May 2025 Microsoft

The Xbox Device Portal is an invaluable tool for developers, offering remote access to an Xbox console in developer mode via a web browser. It allows...

Read More
Bountycon 2022 - Android Trinity PWN

Bountycon 2022 - Android Trinity PWN

Ashley King 06 Jul 2022 Meta

Whilst working on the BountyCon 2022 CTF, I spent the majority of the time focusing on the Android Trinity challenge. This was one of two PWN...

Read More
Disclosing BCC Recipients of an email

Disclosing BCC Recipients of an email

Ashley King 30 Mar 2022 HackerOne

This post will cover an interesting logic flaw found in a private bug bounty program. Whilst the name of this company will be known as...

Read More
Abusing Facebooks Call To Action to launch internal deeplinks

Abusing Facebooks Call To Action to launch internal deeplinks

Ashley King 02 Feb 2022 Meta

Ever noticed that big blue button on the top of every Facebook page? This feature, known as Call to action or CTA is designed for user...

Read More
Open redirects are not dead! Or are they?

Open redirects are not dead! Or are they?

Ashley King 20 Jan 2022 Meta

Over the last few years doing bug bounties, it's becoming more and more common for companies to reject reports about Open Redirects. Once upon a...

Read More