Unauthenticated DB Access and Account Takeover via a Leaked Staging Domain

A hostname referenced inside a production JavaScript bundle pointed at a staging environment where every /api/admin/* route was reachable without authentication, including one that returned a password reset link for any user ID.

May 9, 2026 · 5 min · Youssef Elsayyad

Forcefully Joining Private Servers via Shared Invite ID Namespace

How I discovered that a staging environment shared its invite ID namespace with production, allowing an attacker to generate invite codes on staging and use them to forcefully join random private servers on production — including invite-only ones.

April 17, 2026 · 5 min · Youssef Elsayyad