Follow my bug bounty adventures!

Yoeri Vegt's blog

View on Twitter View on Hackerone View on Linkedin

Latest posts

Abuse of misconfigured Ada support widget iFrame Allowlist leads to oAuth Token leakage

This blog details a flaw in Ada Support’s iframe allowlist where an unclaimed domain was still trusted. Attackers could register it, embed the real support chat, steal OAuth tokens and transcripts, and fully compromise sessions. It stresses monitoring allowlist domains to prevent such risks.

August 27, 2025

Unveiling more attack surface using matching NS records

Discover hidden domains for bug bounty targets by analyzing NS records and using an API to lookup matching domains.

November 24, 2024

YesWeHack Dojo 35 - Chatroom

My writeup of the YesWeHack #35 chatroom challenge.

September 21, 2024

All posts →