homeblogresumecontact

blog

From One Tracking URL to Every DoorDash Customer's PII
Two unauthenticated bugs on DoorDash's Drive flow expose customer names, home addresses, sub-meter GPS, and dasher phone numbers. One was accepted by the vendor nine months ago and is still exploitable today.
June 2026Still liveCVSS 9.1 · P1
Reading Anyone's Private Meta AI Conversations — Without Authentication
The sendMessageStream GraphQL mutation on meta.ai doesn't check whether you own a conversation. One API call to read anyone's full chat history.
March 2026$5,000CVSS 7.5

© 2026 luke farchione