YoKo Kho

Category: Bug Report

Collection of Bug Hunting Activity

From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World

How I Finally could Got into an Internal Network (and could accessing all of their internal assets) at One of the Biggest ICT company in the...

February 19, 2020

Bug Report / Desktop Apps / Write-Up

5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)

CVE-2019–18653 & CVE-2019–18654: The story when Reflected XSS was triggering from SSID Name (It also affected AVG AntiVirus since basically the code of the those products...

October 29, 2019

Bug Report / Mobile Apps / Write-Up

CVE-2019–18624 – Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)

The story while you download a file that looks “legitimate” with its extension, but it changes when you execute the file. In the name of Allah, the...

October 26, 2019

Bug Report / Web Apps / Write-Up

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

In the name of Allah, the Most Gracious, the Most Merciful. – Part I from (hopefully) IV Parts – Update I: Added a “Reference” Section. Update...

September 14, 2019

Bug Report / Desktop Apps / Random Things

Adobe Photoshop CC 2019 v. 20.0.0 (for OS X) Expired Subscription Bypass – Bypass Trial Expired

In the name of Allah, the Most Gracious, the Most Merciful. Description: The expired subscription pop-up could be bypassed by opening the .pdf document at the...

January 2, 2019

Bug Report / Web Apps / Write-Up

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] IDOR...

April 17, 2018

Bug Report / Web Apps / Write-Up

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion to other Photo Profile

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release in simple:[English Version] Ribose — IDOR...

April 16, 2018

Bug Report / Web Apps / Write-Up

Bypassing the Current Password Protection at PayPal Tech-Support

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release (December, 2017 Article):[English Version]...

December 26, 2017

Bug Report / Web Apps / Write-Up

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release:[English Version] PayPal – Information...

December 26, 2017

Bug Report / Web Apps / Write-Up

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

In the name of Allah, the Most Gracious, the Most Merciful. Please kindly visit this simple paper directly to looking this release:[English Version] PayPal — Turning Self-XSS into...

November 12, 2017

Latest Tweets

YoKo Kho @YoKoAcc·

May 24, 2020

تقبل الله منا و منكم. آمين

May Allah accept [good deeds] from you and us.

Eid Mubarak, 1 Syawal 1441H.

---

(Pic from Starline - http://Freepik.com)

Twitter 1264421551262162944

YoKo Kho @YoKoAcc·

May 13, 2020

Last 10 days of Ramadhan.

عَنْ عَائِشَةَ أَنَّهَا قَالَتْ
يَا رَسُولَ اللَّهِ أَرَأَيْتَ إِنْ وَافَقْتُ لَيْلَةَ الْقَدْرِ مَا أَدْعُو قَالَ تَقُولِينَ اللَّهُمَّ إِنَّكَ عَفُوٌّ تُحِبُّ الْعَفْوَ فَاعْفُ عَنِّي

(Ibnu Majah #3850, Tirmidzi #3513).

Twitter 1260449002727800832

Retweet on Twitter YoKo Kho Retweeted

وزارة الحج والعمرة@HajMinistry·

April 27, 2020

بإذن الله، ثم بقيادة حكومتنا الرشيدة، والتزامنا نحن بالإجراءات والتعليمات الصادرة من الجهات المختصة ستعود مكة ويُفتح الحرم وتعود زيارة مسجد رسول الله ﷺ للناس من شتى بقاع الأرض ... مشاعر المسلمين معنا وتدعمنا من كل مكان ⁧#كلنا_مسؤول

Twitter 1254893197098209281

YoKo Kho @YoKoAcc·

April 23, 2020

Ramadhan Mubaarok.....

Twitter 1253458395106963458

Retweet on Twitter YoKo Kho Retweeted

Null Byte @NullByte·

April 23, 2020

It's easy to determine where a rogue AP might be hidden or who might be joining a Wi-Fi network without permission. https://null-byte.wonderhowto.com/how-to/hunt-down-wi-fi-devices-with-directional-antenna-0202696/

Twitter 1253145570270687238

Category: Bug Report

From Recon to Optimizing RCE Results – Simple Story with One of the Biggest ICT Company in the World

5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)

CVE-2019–18624 – Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO)

Race Condition that could Result to RCE – (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3)

Adobe Photoshop CC 2019 v. 20.0.0 (for OS X) Expired Subscription Bypass – Bypass Trial Expired

IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks

Ribose – IDOR with Simple CSRF Bypass – Unrestricted Changes and Deletion to other Photo Profile

Bypassing the Current Password Protection at PayPal Tech-Support

Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork – 1,000 USD

Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal”

Search

Recent Posts

Categories

Latest Tweets