Several of the Binance shortlinks were being routed through a third-party application called AppsFlyer OneLink. What if these shortlinks could be hijacked? A hijacked link could send users to bad locations or even have them download the wrong application entirely.
The OneLink platform is used for ads and click analytics. With their platform, you create a subdomain for your site and use it on their domain. The first attack vector tried was a simple subdomain takeover of the Binance subdomain. However, this did not bear any fruit.
What if we could update the link itself? It turns out that the validation for the links was NOT being done properly. When writing out a longUrl for the link shortener, the service only validated the link ID in the URL with a literal string check. If that ID was owned by you, the edit was allowed.
With URLs, though, we can traverse back with ../ while the auth check still happens on our own ID. This resulted in the ability to change the redirect location of any link on the site! With the ability to change URL shorteners, we can do some serious damage.
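A small model of the flawed check next to a hardened one, as an added example that is not code from the original article or from AppsFlyer. The /links/<id> route layout, the in-memory store, the sample IDs and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

PREFIX = "/links/"  # hypothetical route layout, not taken from the article

def new_store():
    # Constructed sample data: link ID -> owner and redirect target.
    return {
        "aaa111": {"owner": "alice", "longUrl": "https://example.test/a"},
        "bbb222": {"owner": "bob", "longUrl": "https://example.test/b"},
    }

def target_id(path):
    """Link ID the storage layer acts on once the path is decoded and normalized."""
    return posixpath.normpath(unquote(path)).rsplit("/", 1)[-1]

def flawed_check(store, user, path):
    """Literal string check: passes if the raw path mentions an ID the user owns."""
    return any(PREFIX + lid in path for lid, rec in store.items() if rec["owner"] == user)

def hardened_check(store, user, path):
    """Refuse non-canonical paths, then authorize the ID that will be written."""
    decoded = unquote(path)
    if decoded != posixpath.normpath(decoded) or not decoded.startswith(PREFIX):
        return False  # dot segments, doubled or trailing slashes, wrong route
    rec = store.get(target_id(path))
    return rec is not None and rec["owner"] == user

def update_long_url(store, user, path, long_url, check):
    """Apply the edit if the check allows it; return the ID changed, or None."""
    if not check(store, user, path) or target_id(path) not in store:
        return None
    lid = target_id(path)
    store[lid]["longUrl"] = long_url
    return lid

if __name__ == "__main__":
    crafted = "/links/aaa111/../bbb222"  # constructed request path
    for check in (flawed_check, hardened_check):
        changed = update_long_url(new_store(), "alice", crafted,
                                  "https://example.test/x", check)
        print(check.__name__, "->", changed)
```

The hardened version authorizes the same canonical ID that the write uses, so the check and the update can no longer disagree about which link is being edited.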
The article was removed from the web (sadly). However, this link has a cached version on the Wayback Machine. Once you publish something, it is on the internet whether you like it or not.