WhatPulse Security Testing & Disclosure – Technical Details

Technical Report

The findings contained within this report were responsibly disclosed to the developer who resolved the issues and approved of its dissemination.

Request

When submitting a password change, the following POST request was intercepted via Burp Suite proxy:

In addition to a variety of HTTP headers, cookies, and session ID, there are four fields submitted in the body of the POST request: whatpulse_token…

WhatPulse Security Testing & Disclosure – Summary

Background

I have been using WhatPulse for over 17 years. WhatPulse, first released in 2003, is a client capable of tracking computer usage data for personal analytics purposes. For example, it can generate a heatmap of the most frequently typed letters, most frequently clicked screen location, or how far your mouse cursor has traveled over time. Michael from Vsauce included WhatPulse in one of…