A brief account of an API replay-attack vulnerability in a mobile app that slipped through because nonce validation was missing: requests were signed, but captured traffic could be replayed verbatim. The issue only surfaced under increased load, when duplicate actions appeared. The fix was to enforce strict one-time request IDs on the server side, with no reuse allowed.
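The flaw and the fix described above, as an added worked example that is not code from the app or account in question. It assumes a constructed scheme: the client signs `nonce|timestamp|canonical-body` with HMAC-SHA256 under a shared secret, the server accepts a five-minute timestamp window, and an in-memory dict stands in for the shared nonce store a real deployment would use (for instance an atomic set-if-absent with expiry). The signature-only server shows why valid signatures alone do not stop a replay; the nonce-enforcing server shows the one-time request-ID check.

```python
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"demo-shared-secret"  # constructed for this example


def canonical(body, nonce, ts):
    """Deterministic bytes to sign: nonce, timestamp, and a canonical JSON body."""
    body_json = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return f"{nonce}|{ts}|{body_json}".encode()


def sign_request(secret, body, nonce, ts):
    return hmac.new(secret, canonical(body, nonce, ts), hashlib.sha256).hexdigest()


def client_build_request(body, secret=SHARED_SECRET, now=None):
    """Client side: fresh random nonce plus current timestamp, both covered by the MAC."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return {"nonce": nonce, "ts": ts, "body": body,
            "sig": sign_request(secret, body, nonce, ts)}


class SignatureOnlyServer:
    """Pre-fix behaviour: a valid signature is the only check, so a captured
    request verifies again and again."""

    def __init__(self, secret=SHARED_SECRET):
        self.secret = secret
        self.actions = []  # side effects performed (constructed stand-in)

    def verify_signature(self, req):
        expected = sign_request(self.secret, req["body"], req["nonce"], req["ts"])
        return hmac.compare_digest(expected, req["sig"])

    def handle(self, req):
        if not self.verify_signature(req):
            return "rejected: bad signature"
        self.actions.append(req["body"])
        return "accepted"


class NonceEnforcingServer(SignatureOnlyServer):
    """Post-fix behaviour: signature first, then freshness, then one-time nonce."""

    WINDOW = 300  # seconds of clock skew tolerated; also bounds the nonce store

    def __init__(self, secret=SHARED_SECRET, now=None):
        super().__init__(secret)
        self.seen = {}  # nonce -> expiry time (stand-in for a shared store)
        self.now = now or time.time

    def handle(self, req):
        # Check the MAC before touching the nonce store so that unsigned junk
        # cannot fill it or burn nonces a legitimate client might send.
        if not self.verify_signature(req):
            return "rejected: bad signature"
        now = self.now()
        if abs(now - req["ts"]) > self.WINDOW:
            return "rejected: stale timestamp"
        # Drop expired nonces; anything older than WINDOW is rejected by the
        # timestamp check anyway, so the store never grows without bound.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if req["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[req["nonce"]] = now + self.WINDOW
        self.actions.append(req["body"])
        return "accepted"


def demo(fixed_clock=1_000_000):
    """Send the same captured request twice to each server and report outcomes."""
    body = {"action": "transfer", "amount": 50}  # constructed sample action
    req = client_build_request(body, now=fixed_clock)
    flawed = SignatureOnlyServer()
    fixed = NonceEnforcingServer(now=lambda: fixed_clock)
    return {
        "flawed": [flawed.handle(req), flawed.handle(req)],
        "flawed_actions": len(flawed.actions),
        "fixed": [fixed.handle(req), fixed.handle(req)],
        "fixed_actions": len(fixed.actions),
        "tampered": fixed.handle({**req, "body": {"action": "transfer", "amount": 5000}}),
        "stale": NonceEnforcingServer(now=lambda: fixed_clock + 3600).handle(req),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering of the three checks matters: the signature binds the nonce and timestamp to the body, so an attacker cannot swap in a fresh nonce without the secret; the timestamp window lets the server forget old nonces; and the nonce lookup-and-insert must be a single atomic operation in the shared store when several API instances handle the same client, or two concurrent replays can both slip through.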