Demos

Remote Privilege Escalation

1. Attack the Amazon Appstore through the Amazon Shopping app (unauthorized app install)

2. Attack Facebook Messenger (stealthy messaging)

3. Attack Baidu Mobile Assistant (over 100 million users) and run the infected WebView in the background (monitoring voice loudness and gyroscope data, and installing malware without user confirmation)

Remote Deep Phishing

4. Display a phishing UI in Twitter (steal Twitter account credentials)

5. Make Facebook actively invite Twitter to display a phishing UI (steal Facebook account credentials)

6. Use PicsArt to hijack Facebook's task and display a phishing UI (steal Facebook account credentials)

Responses

To avoid exposing our identities, we post only a selection of the vendors' responses here. We are working aggressively with all the vendors involved in confirmed attacks, doing our best to help them fix their design flaws.

Facebook and Twitter have confirmed our findings. Facebook will award us $9,500 ($7,500 + $2,000) and Twitter will award us $1,120, which is evidence of XAWI's high impact.