blog
From One Tracking URL to Every DoorDash Customer's PII
Two unauthenticated bugs on DoorDash's Drive flow expose customer names, home addresses, sub-meter GPS, and dasher phone numbers. One was accepted by the vendor nine months ago and is still exploitable today.
Reading Anyone's Private Meta AI Conversations — Without Authentication
The sendMessageStream GraphQL mutation on meta.ai doesn't check whether you own a conversation. One API call to read anyone's full chat history.