A blog about online security and privacy
-
Open Redirect in LimeSurvey
On February 12, 2026, I responsibly disclosed an open redirect vulnerability in LimeSurvey, the popular open-source survey platform. The issue was patched and released in version 6.16.11+260303 on March 3, 2026. In application/controllers/EditorLinkController.php, the url GET parameter was passed directly into a redirect without any validation or sanitization. This meant that any unauthenticated user could…
-
Adbleed: partially de-anonymizing VPN users with adblock filter lists
Most people assume that using a VPN makes them anonymous online. Your real IP is hidden, your traffic is encrypted, and websites see the VPN server’s location instead of yours. We’ve already seen that this is not fully the case thanks to browser fingerprinting techniques such as the many that https://amiunique.org or the EFF can…
-
Automating security tests for any online chatbot with garak
Last week I was doing some bug bounty hunting and stumbled upon what many websites seem to have nowadays: an LLM-powered chatbot. I thought it would be really interesting to automate the testing of this chatbot and started looking for some tools, instead of having to manually copy-paste dozens of payloads and waiting for…
-
Joomla (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit
Yesterday Joomla published version 3.6.4, an update to patch security issues. Because I was curious to see how these vulnerabilities worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file. Turns out…