Posts

Showing posts from July, 2025

Bypassing Claude AI Free-Tier Rate Limits via Account Deletion and Recreation

Overview
A significant issue has been identified on Claude AI’s platform where users can bypass imposed usage rate limits on free-tier accounts by simply deleting their account and immediately re-registering using the same email address. This loophole effectively resets the usage counters, allowing unrestricted free access and enabling potential abuse of the platform’s resource allocation and monetization strategies. While this behavior does not directly compromise system security or user data confidentiality, it highlights a critical gap in business logic and platform design that could have severe financial and operational impacts if left unaddressed.
Description of the Issue
Claude AI enforces daily or monthly usage quotas for free-tier accounts to manage resource consumption and encourage paid upgrades. However, this enforcement currently ties limits only to active account sessions, without persistent tracking of user identities beyond account existence. Users who reach their...

Critical 2FA Phone Number Auto-Enablement Flaw in Instagram Multi-Account Setup

Overview
A significant security flaw has been identified in Instagram’s mobile app involving the multi-account creation feature and two-factor authentication (2FA) settings. This vulnerability silently enables SMS-based 2FA on a newly created Instagram account without any user confirmation or verification, by automatically linking a previously verified phone number from an existing account. This unexpected behavior undermines the fundamental security principle of explicit user consent and verification in 2FA setups, potentially exposing millions of users to unauthorized security configurations.
Description of the Issue
When a user who is logged into Account A with 2FA enabled via both phone and authenticator app creates a second account (Account B) using the same Gmail address within the same Instagram app session, the following occurs: Upon enabling 2FA via SMS on Account B, Instagram automatically activates it using the phone number verified for Account A. This happ...

When One Toggle Controls Them All: Active Status Sync Issue in Messenger Lite

Saturday, June 25, 2022 at 11:36 PM
Switching between multiple Facebook Messenger Lite accounts on the same device should be straightforward — each account’s settings, including active status, are expected to be independent. But what if changing the active status on one account unexpectedly changes it for all others? During testing, I found a surprising privacy issue that affects multiple Messenger Lite users logged into the same device: toggling the active status (online/offline) on one account causes all other logged-in accounts’ active statuses to switch accordingly — without their knowledge or consent.
How It Works
Here’s the scenario: You log into User A on Messenger Lite and set your active status to OFF (invisible). Then, switch to User B on the same device. You’ll notice User B’s active status also turns OFF automatically — and you get notified about User A’s status change. Switching accounts repeatedly applies the same active status setting across all accounts ...

When Disconnecting Isn’t Enough: Instagram Messages Leak via Creator Studio

Managing social media pages and accounts often involves linking Instagram profiles with Facebook Pages using Creator Studio. This integration lets admins respond to Instagram DMs and comments directly from Facebook’s Creator Studio desktop interface, streamlining content management. But what if disconnecting your Facebook Page from an Instagram account didn’t actually sever access?
The Unexpected Risk
I discovered a critical privacy flaw involving Instagram accounts sold or transferred to new owners. Even after disconnecting a Facebook Page from an Instagram account in Creator Studio, I could still: view and receive new and old Instagram Direct Messages and comments from the Instagram account I had sold in 2022; send replies and comments on behalf of that Instagram account, without the knowledge or consent of the new owner or Instagram admin. In other words, despite officially ending the connection, access to sensitive Instagram interactions remained open through Creator...

Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook allows users to control who can see the number of likes on their posts. For those who prefer privacy, there’s an option to make likes visible only to themselves — a simple setting designed to keep that engagement private. But here’s the catch: despite this privacy setting, a surprising loophole exists. Likes that are hidden on the post itself can still be viewed by others through the Reels feature. This inconsistency creates an unintended privacy gap, potentially exposing user engagement data that was meant to stay private.
What’s Happening?
Users who choose “Only Me” for like visibility expect that no one else can see their like counts on posts. While Facebook respects this setting on the main post, the same setting is not enforced in Reels. When others view the Reel related to the post, they can see the total likes — completely bypassing the user’s privacy preferences.
Why This Is a Problem
Privacy settings are fundamental to user trust. If a user takes the time to hi...

When Two-Factor Authentication Becomes Too Easy: A Surprising Instagram Security Flaw

Two-factor authentication (2FA) is supposed to be a cornerstone of digital security. It’s that extra lock on the door — a way to prove you’re really you, not just someone with your password. But what happens if that lock can be turned on silently, without your knowledge? While testing Instagram’s multi-account feature on their mobile app, I discovered a surprising and concerning flaw: when creating a second Instagram account using the same Gmail address within the app, the system automatically enables SMS-based 2FA on the new account without any verification. Yes, you read that right — no SMS code, no confirmation, nothing.
How This Happens
Imagine you’re logged into Instagram Account A, which already has two-factor authentication enabled with your verified phone number. From there, you use Instagram’s “Add Account” → “Create New Account” option and register a second account, Account B, with the same Gmail. When you try to enable 2FA via text message on Account B, Instagram doesn’...

TikTok’s Tagging and Mention Settings Bypass: A Simple Business Logic Flaw

A couple of years ago, I discovered a significant privacy issue on TikTok related to the tagging and mention settings. At that time, TikTok allowed users to turn off tagging and mentions in their privacy settings — a key control designed to give users more control over their interactions. However, despite these settings being turned off, it was still possible to tag or mention users. This meant that users could receive unwanted mentions or tags even after explicitly disabling them.
What Was the Issue?
The problem boiled down to a simple business logic flaw: TikTok’s backend failed to properly enforce the “disable tagging/mention” setting. Mentions and tags were allowed regardless of user preferences. This violated users’ expectations of privacy and control on the platform.
Why It Mattered
For many users, privacy controls are critical. If someone chooses to disable mentions and tagging, they expect that choice to be respected to avoid harassment, spam, or unwanted atten...

How I Discovered a ChatGPT Rate Limit Workaround (and Why It Matters)

🧠 Background
While casually exploring the behavior of ChatGPT after hitting message limits in GPT-4o (OpenAI's paid model), I noticed something curious: I was still able to continue conversations — even after hitting the cap. No new chat needed. No wait time. Just one sneaky trick: a shared chat link. This wasn’t an obvious bug like XSS or SQLi. It was something more subtle — a business logic flaw. And it had serious implications for rate limiting, resource consumption, and OpenAI’s monetization strategy. Here’s what I discovered.
🛠️ Reproducing the Bypass (Step-by-Step)
1. Use GPT-4o (paid model) until you hit the message cap.
2. Don’t open a new chat. Instead, click “Share Chat” and copy the link.
3. Paste the link back into ChatGPT and send it.
4. Now click the link, hit “Continue this conversation”. You’re back in the old chat — and you can send one more message.
5. Rinse and repeat.
Each time, I was granted one extra message in what was supposed to be a ...

OpenAI Logout Glitch: When “Log Out of All Sessions” Didn’t Log Me Out

While reviewing session management behaviors on OpenAI’s platform, I came across a subtle but important flaw: the “Log out of all sessions” feature on the web version didn’t actually log me out of the OpenAI mobile app.
🔍 The Discovery
I was simultaneously logged into my OpenAI account on both the web (via Chrome on desktop) and the mobile app (on a Redmi 10 running Android 13). After choosing “Log out of all sessions” from the desktop, I expected to be signed out everywhere. But 30 minutes later, I opened the mobile app—and I was still logged in. Even force-closing and reopening the app didn’t trigger a login prompt.
🚨 Why This Matters
This behavior reflects a failure to invalidate active sessions across devices, which falls under a known vulnerability category: Broken Authentication and Session Management > Failure to Invalidate Session > On Logout (Client and Server-Side). In practical terms, this could allow a session to remain active on a lost or shared devi...

Privacy Glitch in Snapchat Web Exposed Notification Leak After Logout

On November 23, 2022, I discovered a privacy issue in Snapchat Web that allowed notifications to continue arriving—even after the user had logged out of their session. While testing, I logged into Snapchat Web via Chrome and then changed my password from the Snapchat mobile app. This action should have invalidated all active sessions, including the one on the web. While the session did log out as expected, I noticed that the browser continued to receive notifications for snaps and video calls—despite no longer being logged in. This indicated a flaw in how Snapchat handled session tokens or notification services. To confirm the issue, I recorded a proof-of-concept video showing real-time notifications still arriving after logout. This posed a significant privacy risk: if someone else had access to that web session before logout, they could continue to see private activity even after being "kicked out." When I reported the issue to Snapchat, the triage team acknowledged the ...

Ghost Data: Deleted LinkedIn Profile Info Still Haunts the Platform

During my recent exploration of LinkedIn’s data handling, I uncovered a concerning flaw in how the platform retains user information—even after it has supposedly been deleted. I had removed all personal details from my LinkedIn profile, including my bio and job history. However, to my surprise, an old company name I had previously listed—“That Wild Arc Studio”—still appeared in the “Add to Featured” section. While this data wasn’t publicly visible or accessible through my profile, it was still being surfaced internally by LinkedIn’s system. This ghost data raises important privacy concerns. When users delete personal or professional information from their profiles, they expect it to be permanently erased across the entire platform—not just hidden from view. But in this case, LinkedIn was still surfacing that supposedly deleted data in suggested previews, internal tags, and feature prompts. I believe this kind of data persistence violates user expectations and trust. Sensitive...

LinkedIn SSO Flaw Bypasses Password Reset Protections

While digging into LinkedIn’s account security behavior, I came across a serious flaw involving its integration with Google’s Single Sign-On (SSO). The vulnerability challenges the very assumption that resetting your password and logging out from all devices truly protects your account. Here’s what I found: after changing the LinkedIn password and choosing the “log out from all devices” option, I expected all active sessions to be terminated. However, if someone is still logged into the associated Gmail account, they can simply tap “Sign in with Google” on LinkedIn—and get right back in. No need for the old password. No challenge. Nothing. This behavior essentially means LinkedIn prioritizes a still-active Google session over the fact that the user explicitly requested a complete logout. In real-world situations—like when a hacker has access to your Gmail on a shared or compromised device—this flaw could allow them to regain access to your LinkedIn account immediately after you...

LinkedIn Mobile App Lock Delay: A Subtle Security Risk I Identified

While testing LinkedIn’s mobile app, I discovered a subtle but potentially impactful flaw in how its app lock feature behaves—one that could unintentionally expose sensitive user information. Typically, the app lock is supposed to trigger immediately upon reopening, requiring password or biometric re-authentication. However, I found that when a user clicks an external or personal link within LinkedIn—such as one from a profile—it opens in the Chrome browser. After browsing for a while and then returning to the LinkedIn app, the app lock is delayed by up to a full minute. During that time, the app stays fully accessible without requiring any authentication. This delay creates a short but real window of vulnerability, especially in situations where someone else gains temporary physical access to an unlocked device. For a platform that holds such a large volume of personal, professional, and business data, even a brief lapse like this could pose significant risks. Although my rep...

TikTok 2FA Bypass via Third-Party Integration: A Critical Oversight I Discovered

While conducting routine security testing, I discovered a critical vulnerability in TikTok’s authentication system that allows two-factor authentication (2FA) to be bypassed—despite it being enabled. Specifically, when logging into TikTok through a third-party app like CapCut using the “Sign in with TikTok” feature, I noticed that the 2FA prompt never appeared. Instead, the login process granted full access to the account without requiring the second verification step, completely undermining the protection 2FA is supposed to offer. This issue is especially concerning for users with high-profile or sensitive accounts who depend on 2FA to secure their information. Even though I reported the vulnerability, it was ultimately marked as a duplicate in TikTok’s system. However, that doesn’t diminish the risk posed by this inconsistency. It’s essential that 2FA be enforced not just within TikTok’s own app, but across all third-party services that use its login infrastructure. Security sh...

🚨 When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Back on March 11, 2024, I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension, even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug. It wasn...