Episode 110: In this episode of Critical Thinking - Bug Bounty Podcast we hit some quick news items including a DOMPurify 3.2.3 Bypass, O3 mini updates, and a cool postLogger Chrome Extension. Then, we hone in on OAuth vulnerabilities, API keys, and innovative techniques hackers use to exploit these systems.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to https://x.com/realytcracker for the awesome intro music!
====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
====== Resources ======
DOMPurify 3.2.3 Bypass
https://ensy.zip/posts/dompurify-323-bypass/
Jason Zhou's post about O3 mini
https://x.com/jasonzhou1993/status/1886397963012132902
Live Chat Blog #2: Cisco Webex Connect
https://www.ophionsecurity.com/post/cisco-webex-connect-vulnerability-unauthenticated-access-to-all-chats
postLogger Chrome Extension
https://x.com/ndevtk/status/1858412811019502040
Webstore Link
https://chromewebstore.google.com/detail/postlogger/aodfhblfhpcdadgcnpkfibjgjdoenoja
Common OAuth Vulnerabilities
https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html
nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover
https://www.descope.com/blog/post/noauth
Account Takeover using SSO Logins
https://rikeshbaniya.medium.com/account-takeover-using-sso-logins-fa35f28a358b
Kai Greshake
https://x.com/kgreshake?lang=en
====== Timestamps ======
(00:00:00) Introduction
(00:01:44) DOMPurify 3.2.3 Bypass
(00:06:37) O3 mini
(00:10:29) Ophion Security: Cisco Webex Connect
(00:15:54) Discord Community News
(00:19:12) postLogger Chrome Extension
(00:21:04) Common OAuth Vulnerabilities & Lessons learned from Google’s APIs
