The web page for shipment information contained personal data - and it was possible to iterate through the data.
Here's a write-up of the challenges of the Norwegian Police Security Service's capture the flag advent calendar for 2020.
Here's a write-up showing how to solve the challenges of the Norwegian Police Security Service's Easter CTF.
Here's a write-up showing how to solve the challenges of the Norwegian Police Security Service's CTF advent calendar.
Here's a walk-through of the Norwegian Police Security Service's latest job ad riddle. Were you able to crack the code?
Personal info like Social Security numbers and personal documents were available. While I mostly hail the City of Bergen's handling of this issue, here are also the details they didn't tell you.
A web shop left their backup of all shopping data and their site in a publicly available directory - indexed by Google.
It was possible to control Internet connected Mill heaters worldwide.
The Norwegian Police Security Service had a job posting with a "digital riddle" to find the right candidates for a job. Here's (hopefully) the solution.
A Christmas story on how to cheat in advent calendars and of course some personal information leaks.
Guest blog post by Hallvard Nygård (@hallny)
Personal - and in some cases sensitive - information about 63,000 students could be accessed. Here are the details that the newspaper article did not give.
Looking for an easy way to find out when the garbage was being picked up ended up in discovering a data leak affecting half a million people.
A newspaper published details about a newly discovered serious security vulnerability. Here are the details that the newspaper article did not give.
Thomas Cook Airlines was leaking passenger information about future or past flights. Information about tens of thousands - or maybe hundreds of thousands - of travels could be systematically downloaded.
The tool for the owner to track its pet became a tool for tracking all the pet owners themselves. The hunters became the hunted.
It was possible to do systematic account takeover for one of Norway's biggest parking companies.
Here's a simple bookmarklet to linkify robots.txt.
Guest blog post by Hallvard Nygård
Information about as many as maybe 1.5 million past, current and future hotel stays were openly accessible on the Internet.
Information about thousands - theoretically maybe hundreds of thousands - of customers could be stolen.
Gator Watch had a complete lack of security which made it possible to track kids all over the world and listen to private voice messages. This is supposedly fixed, at least in Norway. But is it really?
I created a "hackable" web app for a presentation I gave about web app security. Now you can try it out yourself.
This is one of my regrets. This is one of those cases I should have told the world about. But now it's such a long time ago that naming anyone won't do any good.
Let me spell out why you should care that I recently so easily found 13 security vulnerabilities.
No one can see what you are shopping online, right?
Sometimes it's really difficult and time consuming to find a way to report a security vulnerability. But there is a very simple solution for that.
One of the biggest insurance companies in Norway leaked personal data and used 4.5 months to fix the issue.
Tens of thousands - possibly several hundred thousands - of kids can be tracked via their Gator and Caref watches.
A digital memory book and social platform for people with special needs was found to be open for anyone to read, change and delete its users' content.
Ever been logged in at ikea.com? Then there's a chance you don't surf very anonymously.
A company offering an online project and customer relationship management system had a very easy-to-spot SQL injection vulnerability for 10 years or more.
Is your gym telling on you? It sure was telling on me and my fellow members. Everything from contact info to pictures to bank account numbers to the time people enter the gym was leaking for a long, long time.
A campaign where you can upload your pictures is making a small version of them publicly available at an "impossible to guess" URL. It was possible to systematically retrieve all the images.
I'm sure you expect your bank accounts to be safe from prying eyes. For a while other customers knowing my bank account number could check my account balance.
In 2017 you don't see that many sites running PHP, but recently I stumbled on this site of classical PHP vulnerabilities.
One of the "digital mailbox" services used by more than 400 central and local Norwegian government agencies to send mail, was leaking IP addresses and full names.
That a service is heavily gated doesn't mean that your information is safe. I'm taking it down a notch this week; this is not a severe case, but an OK reminder for us developers on how we protect our resources and to never trust the client.
Using only the plate number of a Norwegian car you can find the name, address, Social Security number, etc. of the owners.
I'm preparing a series of posts where I'm disclosing several security vulnerabilities that I discovered in the spring and summer of 2017.