During a recent security assessment, Cylent's AI-assisted penetration testing platform identified a critical client-side vulnerability that enables complete account takeover through endpoint manipulation. This sophisticated attack vector allows malicious actors to redirect all API traffic to attacker-controlled servers, capturing credentials, session tokens, and sensitive user data. The Discovery:
As companies rush to enhance their cloud-based analytics platforms with advanced features, even well-intentioned design choices can create dangerous blind spots. During a Cylent Security penetration test on a leading analytics provider, we uncovered a critical issue where a Python code execution feature—combined with a cloud misconfiguration—led to
As organizations embrace OAuth2 for user authentication, design oversights in its implementation are creating new account takeover risks. While OAuth simplifies login, insecure integration can open the door to full compromise of user accounts. In this post, we’ll cover two real-world vulnerabilities we identified during penetration tests. Both flaws
As AI-powered features become embedded into modern applications, their reliance on external data sources introduces new attack surfaces. One of the fastest-growing threats is Indirect Prompt Injection—a technique where attackers manipulate inputs that an AI system later consumes. During a recent penetration test of a data analytics SaaS platform,