Pod Point exposes customer data

This post will describe how I discovered a security flaw in Pod Point’s mobile app API endpoints. It covers bypassing certificate pinning with Frida, and demonstrate how attackers can steal full names, addresses, charging history, and more by simply having a registered account that anyone can obtain. Pod Point Pod Point is a UK based company established in 2009 that provides electric vehicle charging equipment to both businesses and individuals. It also operates what’s called the “Pod Point Network” where customers can use charge points across the country with a mobile app....

20 November, 2021 · 8 min · Naz Markuta

pfSense and IPv6 on HyperOptic

I recently decided to improve my home network by purchasing a pfSense box. I wanted to ditch my ISP issued router, a Tilgin HG2381 router which works well for simple networks but fails to offer advanced configuration options, like support for wireguard VPN or VLANs. HyperOptic HyperOptic is a UK broadband provider which supports both IPv4 and IPv6 address assignment. For IPv4 addresses they use Carrier-grade NAT (CGN) which doesn’t allow exposing a service using port forwarding....

7 November, 2021 · 4 min · Naz Markuta

Frida and MagiskHide

Tl;dr - two ways on spawning processes with Frida while Magiskhide is enabled. For mobile app analysis, using a rooted device with Magisk and Frida has become my bread and butter. I’m aware that emulators exist (which I also use) but solutions, such as Android Studio or Genymotion fail to offer the same level of performance as a physical device. I use a second-hand Google Pixel 3a bought on Amazon for most of my testing....

19 September, 2021 · 3 min · Naz Markuta

Hugo Site on Cloudflare Pages

Update (25/11/21) added a section on Page Rules. For markuta.com I now use Hugo with a theme called PaperMod. Github is still used storage on a private repository (Github pages doesn’t allow private repos for free accounts). And Cloudflare Pages is linked to Github to deploy the website. Requirements To get started you need the following: Hugo and Git software Github account (free) Cloudflare account (free) Domain name (not required but nice to have) Install Software You need to make sure Hugo and Git are installed....

27 August, 2021 · 6 min · Naz Markuta

Bitwarden and Nginx Server on Raspberry Pi

In this blog post I’ll be covering how to install a self hosted Bitwarden server as a password management solution using Docker on a Raspberry Pi. We will get two containers running (Bitwarden server) and (Nginx reverse proxy). I’ll also go into hardening the Bitwarden configuration and applying 2FA for log-ins. What is Bitwarden? Bitwarden is an open-source password management solution. It supports almost all major systems. The version we’re going to be using is the unofficial one created by Daniel Garcia, Github page: https://github....

25 October, 2020 · 7 min · Naz Markuta