IDOR | CVSS 9.3 | Critical
Half a Billion Profiles Behind a User-Agent String
A major platform's API returned full user profiles to anyone who asked. The only barrier was a WAF that ignored mobile traffic. One header change, hundreds of millions of accounts exposed.