From a Sanitized Name Field to One-Click Account Takeover

Some weeks ago, I was testing a mature and heavily audited application from a bug bounty program. Since I had previously found several interesting client-side vulnerabilities in that target, I deci...

May 25, 2026 Security, Bug-Bounty, Web-Security

Deanonymizing Users at Scale: When Blocking Becomes an Oracle

In this post I will show how, by combining two regular features, it was possible to figure out the phone number of almost any user on a large social media platform with millions of users. Context:...

Nov 18, 2025 Security, Bug-Bounty, Web-Security

A University Web Audit

During my final degree project, I audited several web applications from my university, the Universidad Politécnica de Madrid, and identified hundreds of vulnerabilities, many of which had a critica...

Oct 6, 2025 Security, Web-Security

Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover

Recently, while auditing the main application of a private bug bounty program, I discovered a Client-Side Path Traversal (CSPT) and a Cache Deception vulnerability. Individually, these issues were ...

Aug 18, 2025 Security, Bug-Bounty, Web-Security

From a Sanitized Name Field to One-Click Account Takeover

Deanonymizing Users at Scale: When Blocking Becomes an Oracle

A University Web Audit

Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover

Trending Tags