Blog

Writing & thinking.

Long-form thoughts on engineering, architecture, and the craft of building software.

March 19, 2026|7 min read

How I Stole WhatsApp Access Tokens and Exploited Facebook's GraphQL IDOR

A deep dive into chaining a malicious Chrome extension with a GraphQL IDOR to exfiltrate access tokens and access internal Facebook APIs

#security#bug-bounty#graphql#whatsapp#chrome-extension#idor#token-theft

March 18, 2026|6 min read

CVE-2026-3909: From Crash to Compromise - Part 1

A deep dive into CVE-2026-3909 - a critical out-of-bounds write in Chrome's Skia library. Part 1 demonstrates the crash PoC, simulates payload delivery, and shows how to safely test in an isolated lab.

#browser security#cve-2026-3909#chrome#skia#exploit development#vulnerability research#cybersecurity#proof-of-concept#heap corruption#defensive security