http://blog.fa.nta.sy/tags/web/ Recent content in Web on Investigations by 0xFantasy Hugo en-us Thu, 28 May 2026 19:34:33 -0400 http://blog.fa.nta.sy/posts/2026-05-28-google-redirects/ Thu, 28 May 2026 19:34:33 -0400 http://blog.fa.nta.sy/posts/2026-05-28-google-redirects/ Google has a multitude of open redirects that are frequently abused by threat actors. They are used to both deter initial URL scanning and obfuscate the final phishing URL. A recent example of this in the wild found by KnowBe4 showcased combining multiple redirects in a row. Google seemingly has no interest in fixing these issues according to their VRP. These redirects span different Google domains and products including Search, Meet and Ads (formerly DoubleClick). http://blog.fa.nta.sy/posts/2026-05-20-trump-mobile-god-mode/ Wed, 20 May 2026 11:16:29 -0400 http://blog.fa.nta.sy/posts/2026-05-20-trump-mobile-god-mode/ For an indeterminate amount of time, the Trump Mobile API had at least two unprotected endpoints that could be exploited for either a) mass general info disclosure or b) targeted and enumerable info disclosure including plain text passwords; full PII including name, address, and email; and unique mobile device identifiers inlcuding IMEI and ICCID. http://blog.fa.nta.sy/posts/2026-04-13-not-a-cloudflare-bypass/ Mon, 13 Apr 2026 16:05:35 -0400 http://blog.fa.nta.sy/posts/2026-04-13-not-a-cloudflare-bypass/ Through my daily work and from reading quite a few blog posts, researchers consistently mistake that a phishing kit is leveraging /cdn-cgi/phish-bypass to hinder web and security scanners. This stems from a misunderstanding of what the Cloudflare /cdn-cgi/ endpoint is and how it operates.