Archive - h0wl's blog

SolChat Messages Insecure Encryption Method

The SolChat app stored its encryption key and implemented symmetric encryption logic client-side. This means anyone could decrypt every message sent and…

Mar 3 •

October 2023

New Bitcoin City Stored Cross-Site Scripting (XSS) in Mentions

Another stored XSS vulnerability in NBC that could result in draining user wallets, performing unauthorised transactions with the possibility to spread…

Oct 31, 2023 •

New Bitcoin City bypassing the top 100 restriction to post images

New Bitcoin City SocialFi app allows to make public posts but images can be uploaded only by the top 100 users, at least in theory.

Oct 14, 2023 •

September 2023

Wormable Stored Cross-Site Scripting (XSS) in Alpha (New Bitcoin City)

A vulnerability in Alpha SocialFi app existed that could result in draining user wallets, performing unauthorised transactions with the possibility to…

Sep 25, 2023 •

August 2023

Chat Room Messages Leak on Friend.tech

Accessing the most recent message sent to each of the chat rooms a particular user is part of is open to anyone. Ownership of shares or even an account…

Aug 21, 2023 •

January 2023

The importance of Web UI security in decentralised applications

Abusing front-end to trick users into performing unintended interactions with the smart contract

Jan 25, 2023 •

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts