A vulnerability involving the handling of session tokens in a yet-to-be-named target API endpoint has been discovered by ethical hacker Ehteshamul Haq.
Haq, who works for an advertising company, found that the API endpoint was vulnerable to brute-force attacks and unauthorised access, which could lead to session hijacking.
The vulnerability lay in how the session tokens were generated: they did not follow established best practice, being predictable (an attacker could infer or reproduce them rather than having to guess blindly), short (a keyspace small enough to enumerate by brute force), and unprotected.
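The article does not show the affected generator, so the following is an added illustration, not code from the target or from Haq's report. It contrasts a constructed weak generator that has the two failure modes named above (a non-cryptographic PRNG seeded from a low-entropy value such as a timestamp, and only 32 bits of output) with a hardened one built on the operating system's CSPRNG, shows how the weak token is recovered by replaying the generator over a small seed window, and estimates blind brute-force cost from token entropy. The seed window, token lengths and guess rate are assumptions for the example; the article gives no such figures, and it does not say what "unprotected" referred to, so transport and storage protections are out of scope here.

```python
import hmac
import math
import random
import secrets
from typing import Optional

HEX = "0123456789abcdef"


def weak_token(seed: int, length: int = 8) -> str:
    """Constructed weak generator (illustrative, not the target's code):
    Python's Mersenne Twister seeded from a low-entropy value, e.g. the
    issue time in whole seconds, truncated to 8 hex chars (32 bits)."""
    rng = random.Random(seed)
    return "".join(rng.choice(HEX) for _ in range(length))


def recover_weak_token_seed(observed: str, seed_low: int, seed_high: int) -> Optional[int]:
    """Attacker side: when the seed is known to lie in a small window (the
    token's approximate issue time), replay the generator over that window
    until the observed token reproduces. This is prediction, not brute force:
    the cost is the window size, not the token's 2**32 keyspace."""
    for seed in range(seed_low, seed_high):
        if weak_token(seed, len(observed)) == observed:
            return seed
    return None


def brute_force_expected_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit one valid token by blind guessing: on average half
    the keyspace must be tried. Assumes the endpoint imposes no rate limit."""
    return (2.0 ** entropy_bits / 2.0) / guesses_per_second


def strong_token(nbytes: int = 32) -> str:
    """Hardened generator: 32 bytes (256 bits) from the OS CSPRNG, encoded
    URL-safe so it can travel in a header or cookie without escaping."""
    return secrets.token_urlsafe(nbytes)


def strong_token_entropy_bits(nbytes: int = 32) -> int:
    """Entropy of strong_token() is set by the random bytes, not the encoded
    length; 32 bytes gives 256 bits."""
    return nbytes * 8


def weak_token_entropy_bits(length: int = 8) -> float:
    """Upper bound for the weak token if it were truly random: 8 hex chars is
    only 32 bits. Its effective entropy is far lower because of the seed."""
    return length * math.log2(len(HEX))


def tokens_match(presented: str, stored: str) -> bool:
    """Constant-time comparison so response timing cannot be used to guess
    a token byte by byte."""
    return hmac.compare_digest(presented.encode(), stored.encode())


if __name__ == "__main__":
    issue_time = 1_700_000_000          # assumed timestamp used as the seed
    tok = weak_token(issue_time)
    # An attacker who saw a token issued "around" that second searches +/- 30 s.
    found = recover_weak_token_seed(tok, issue_time - 30, issue_time + 30)
    print(f"weak token {tok} reproduced from seed {found}")
    print("blind brute force of 32-bit token at 1e6 guesses/s: "
          f"{brute_force_expected_seconds(weak_token_entropy_bits(), 1e6):.0f} s")
    print("blind brute force of 256-bit token at 1e9 guesses/s: "
          f"{brute_force_expected_seconds(strong_token_entropy_bits(), 1e9):.3e} s")
    print("hardened token:", strong_token())
```

The two numbers the script prints are the practical point: a 32-bit token falls to a few thousand seconds of unthrottled guessing even with no seed knowledge, while a 256-bit CSPRNG token is out of reach regardless of guess rate, which is why brute-force resistance has to come from entropy rather than from rate limiting alone.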
Haq reported the vulnerability to the company, which has since fixed it.
This case exemplifies how lax session management can pose a significant security issue and highlights the need for effective cybersecurity practices.