LASCON 2024

In this talk, we will explore real-world security flaws uncovered in various mobile, web, VPN, and cloud applications through public penetration testing reports. These vulnerabilities, often found in widely used or highly sensitive applications, showcase how even the most security-conscious projects can expose critical risks when overlooked. We'll dive into technical examples, including those found in mobile apps like LeaveHomeSafe, a COVID-19 contact tracing app mandated in Hong Kong, highlighting how personal data protection can be undermined by security oversights.

Additionally, we will cover vulnerabilities from open-source projects designed to protect individuals in regions with restrictive internet access, such as China, Iran, and Russia. These applications, aimed at securing communications for at-risk users, demonstrate the complexities of balancing usability and security under hostile conditions, and the real risks posed when vulnerabilities are left unchecked.

The session will feature detailed analysis and attack scenarios, providing insights into how these vulnerabilities were identified, exploited, and the lessons learned from public security reports. Whether you're a developer, pentester, or just interested in cybersecurity, this talk will shed light on the importance of transparency and the value of learning from vulnerabilities disclosed in public reports