Hall of Fame
An authoritative technical repository of high-impact security research, responsible disclosures, and recognized contributions to global cybersecurity infrastructure.
Healthcare Booking Platform
Cloud Security & VAPT Audit
Firestore Full Read/Write Access
Critical Severity
A misconfiguration in the Firebase (Cloud Firestore) security rules granted unauthenticated create, read, update and delete access to every collection and subcollection in the production database. This provided a direct path to exfiltrate patient health records, administrator credentials, and sensitive internal metadata.
Mass Data Exfiltration via API
Critical Severity
The hospital query endpoint permitted bulk retrieval of personally identifiable information (PII). Because the endpoint enforced no rate limiting and only weakly scoped which records a caller could see, over 100,000 sensitive records could be pulled with simple automated scripts.
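The two weaknesses named above, missing rate limiting and weak object scoping, are easiest to see side by side. The following is an added example, not code from the audited platform: a vulnerable query handler whose only filter is whatever the caller sends, next to a hardened one that takes the tenant scope from the verified session, caps the page size, rate-limits each caller with a token bucket, and returns only the fields the UI needs. The record layout, session fields, limits and the sample records are all constructed for illustration.

```javascript
// Constructed sample records standing in for the production collection.
const RECORDS = [
  { id: 'rec-1', hospitalId: 'hosp-100', patientName: 'Patient A', phone: '+91-9000000001', diagnosis: 'D1' },
  { id: 'rec-2', hospitalId: 'hosp-100', patientName: 'Patient B', phone: '+91-9000000002', diagnosis: 'D2' },
  { id: 'rec-3', hospitalId: 'hosp-200', patientName: 'Patient C', phone: '+91-9000000003', diagnosis: 'D3' },
];

// Vulnerable shape of the endpoint (illustrative, not the platform's code):
// no authentication, the filter is whatever the client supplies, no page cap,
// no rate limit. Omitting hospitalId returns every record in the store.
function queryHospitalVulnerable(params, store = RECORDS) {
  return store.filter(r => !params.hospitalId || r.hospitalId === params.hospitalId);
}

class ForbiddenError extends Error {}
class RateLimitError extends Error {}

// Per-subject token bucket. The clock is injectable so the limiter can be
// exercised in tests without sleeping.
class TokenBucket {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map();
  }
  allow(subject) {
    const t = this.now();
    let b = this.buckets.get(subject);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(subject, b);
    }
    // Refill proportionally to elapsed time, never above capacity.
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.last) / 1000) * this.refillPerSec);
    b.last = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

const MAX_PAGE_SIZE = 50; // assumed cap; tune to what the UI actually needs

// Hardened handler: scope comes from the authenticated session, never from
// the query string; page size is capped; each caller is rate limited; and
// the response is projected down to non-sensitive fields.
function queryHospitalSecure(session, params, limiter, store = RECORDS) {
  if (!session || !session.uid || !session.hospitalId) {
    throw new ForbiddenError('authentication required');
  }
  if (!limiter.allow(session.uid)) {
    throw new RateLimitError('too many requests');
  }
  // A client-supplied hospitalId that disagrees with the session is an
  // attempted cross-tenant read: refuse it rather than silently correcting it.
  if (params.hospitalId !== undefined && params.hospitalId !== session.hospitalId) {
    throw new ForbiddenError('cross-tenant query');
  }
  const limit = Math.min(Math.max(Number(params.limit) || 20, 1), MAX_PAGE_SIZE);
  const offset = Math.max(Number(params.offset) || 0, 0);
  return store
    .filter(r => r.hospitalId === session.hospitalId)
    .slice(offset, offset + limit)
    .map(({ id, patientName, diagnosis }) => ({ id, patientName, diagnosis }));
}
```

The ordering matters: the limiter runs before any database work so that a scripted enumeration is throttled even when every request is otherwise well formed, and the tenant check refuses rather than rewrites a mismatched parameter so that cross-tenant probing shows up in logs as a 403 instead of succeeding quietly.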
Unauthorized Plan Upgrade
Critical Severity
Clients had direct write access to sensitive user fields, allowing a financial logic bypass. An attacker could elevate their own subscription tier to 'Premium' by modifying the subscription flag in the database directly, completely bypassing the Stripe payment integration.
IDOR via Predictable Document IDs
High Severity
Patient appointment logs were keyed by the MD5 hash of the patient's email address. Because email addresses are discoverable and the hash is deterministic, anyone who knows a patient's email can compute their document ID, enabling targeted IDOR attacks that expose private medical consultation details.
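The three Firestore findings in this section (the open rules, the client-writable subscription field, and the guessable appointment IDs) are all fixed in the same place: the security rules. The fragment below is an added example written for this page, not the platform's actual ruleset. The collection names (`users`, `appointments`), field names (`plan`, `role`, `stripeCustomerId`, `patientUid`) and the `admin` custom claim are assumptions; the weak configuration is shown commented out next to the hardened one.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // ---- Weak configuration of the kind described above (never deploy) ----
    // A recursive wildcard matches every document in every collection and
    // subcollection; with no condition on request.auth it gives anyone on
    // the internet full create/read/update/delete access.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // ---- Hardened configuration ----
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // Assumed custom claim, set server-side with the Admin SDK; clients
    // cannot grant it to themselves.
    function isAdmin() {
      return signedIn() && request.auth.token.admin == true;
    }
    // Top-level keys an update would add, change or remove (rules v2 MapDiff).
    function touchedKeys() {
      return request.resource.data.diff(resource.data).affectedKeys();
    }

    // There is deliberately no catch-all match: any path not listed below
    // is denied by default.

    // Assumed user profile document keyed by the Firebase Auth uid.
    match /users/{uid} {
      allow read: if isOwner(uid) || isAdmin();
      // New profiles always start on the free tier; the client cannot choose.
      allow create: if isOwner(uid)
                    && request.resource.data.plan == 'free';
      // Billing-controlled fields may only change through the Admin SDK
      // (for example from a verified Stripe webhook), never from a client.
      allow update: if isOwner(uid)
                    && !touchedKeys().hasAny(['plan', 'role', 'stripeCustomerId']);
      allow delete: if false;
    }

    // Assumed appointment collection. Use auto-generated random document IDs
    // rather than a hash of the email, but note that even a guessable ID is
    // useless here: every read is tied to the patient recorded in the document.
    match /appointments/{appointmentId} {
      allow read: if signedIn()
                  && (resource.data.patientUid == request.auth.uid || isAdmin());
      allow create: if signedIn()
                    && request.resource.data.patientUid == request.auth.uid;
      allow update, delete: if isAdmin();
    }
  }
}
```

Two caveats a practitioner should keep in mind. Rules are not filters: with the `appointments` read rule above, a client query must itself include `where('patientUid', '==', uid)` or the whole query is rejected, so existing client code may need the constraint added. And the rules only protect the client path; the server-side code that sets `plan` after a Stripe event must verify the webhook signature, otherwise the bypass simply moves from the database to the webhook endpoint.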
Meta Ads / CERT-In
Cybercrime Infrastructure Research
Paid Scam Infrastructure (UPI Fraud)
High Severity
Mapped and disclosed a fraud network operating through Meta's advertising platform. The network used compromised UPI IDs and automated bot campaigns to run financial phishing. Evidence was submitted to CERT-In for infrastructure takedown.
Institutional Systems
Internal Application Audits
IDOR in Feedback Portal
High Severity
An authorization flaw (insecure direct object reference) in the institutional student feedback system. By changing the numeric identifier in a request, any student could view, edit, or delete feedback entries belonging to any other user.
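Sequential numeric IDs are not the bug; the missing ownership check is. The following added example, which is not the institution's code, shows the vulnerable handler shape (look up whatever ID the URL carries) beside a single authorization function that every view, edit and delete path must go through. The store, field names, roles and session shape are assumptions constructed for illustration.

```javascript
class UnauthenticatedError extends Error {}
class BadRequestError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data: two students' entries with guessable sequential IDs.
const FEEDBACK = new Map([
  [101, { owner: 'student-42', text: 'Lab sessions were useful.' }],
  [102, { owner: 'student-7', text: 'Course pace was too fast.' }],
]);

// Vulnerable shape (illustrative): the handler trusts the ID in the URL and
// never asks who is calling, so /feedback/102 is readable, editable and
// deletable by anyone who can count.
function loadFeedbackVulnerable(id, store = FEEDBACK) {
  return store.get(Number(id));
}

// Hardened: one permission matrix, keyed by action. Owners manage their own
// entries; an assumed 'staff' role may read and remove but not rewrite them.
const PERMISSIONS = {
  view:   (entry, s) => entry.owner === s.uid || s.role === 'staff',
  edit:   (entry, s) => entry.owner === s.uid,
  delete: (entry, s) => entry.owner === s.uid || s.role === 'staff',
};

// Resolves the object and checks the caller may perform `action` on it.
// Every handler calls this before touching the entry.
function authorizeFeedback(session, rawId, action, store = FEEDBACK) {
  if (!session || !session.uid) throw new UnauthenticatedError();
  const check = PERMISSIONS[action];
  if (!check) throw new BadRequestError(`unknown action ${action}`);
  // Strict parse: reject anything that is not a plain positive integer.
  if (!/^\d+$/.test(String(rawId))) throw new BadRequestError('bad id');
  const entry = store.get(Number(rawId));
  // Missing and foreign entries get the same answer, so the endpoint cannot
  // be used to enumerate which IDs exist.
  if (!entry || !check(entry, session)) throw new NotFoundError();
  return entry;
}

function viewFeedback(session, id, store = FEEDBACK) {
  return authorizeFeedback(session, id, 'view', store);
}

function updateFeedback(session, id, text, store = FEEDBACK) {
  const entry = authorizeFeedback(session, id, 'edit', store);
  entry.text = text;
  return entry;
}

function deleteFeedback(session, id, store = FEEDBACK) {
  authorizeFeedback(session, id, 'delete', store);
  return store.delete(Number(id));
}
```

Centralising the check in one function is the point: the original flaw is typically not a missing check everywhere but a check present on the view path and forgotten on edit or delete, and a single chokepoint makes that omission impossible rather than merely unlikely.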