Hacked & Secured: Pentest Exploits & Mitigations

Ep. 12 – Timing Attacks & Mobile OAuth Hijack: When Microseconds and Misflows Betray You

Amin Malekpour Season 1 Episode 12

A few microseconds. One silent browser session. That’s all it took for attackers to break into systems without tripping a single alert.

In this episode of Hacked & Secured: Pentest Exploits & Mitigations, we explore two subtle but devastating flaws:

🔹 Timing Attacks for Token Leaks – By measuring microsecond delays, attackers were able to recover secrets, without seeing them in responses.

🔹 OAuth Hijack via Mobile App Flows – A crafted app abused in-app browser sessions and custom URL schemes to silently steal valid login tokens from users on iOS.

These aren’t theoretical bugs—they were found in the wild and affect real apps. If you build or test auth systems, this episode is for you.

Chapters:

00:00 - INTRO

01:11 - FINDING #1 - Timing Leaks That Speak Volumes

06:56 - FINDING #2 - Hijacking Mobile OAuth with One Silent Redirect

13:06 - OUTRO

Want your pentest discovery featured? Submit your creative findings through the Google Form in the episode description, and we might showcase your finding in an upcoming episode!

🌍 Follow & Connect → LinkedIn, YouTube, Twitter, Instagram
📩 Submit Your Pentest Findings → https://forms.gle/7pPwjdaWnGYpQcA6A
📧 Feedback? Email Us podcast@quailu.com.au
🔗 Podcast Website → Website Link

People on this episode