RVFET.COM

RVFET.COMRafet Abbasli (RVFET) - Offensive Security Researcher & Software Engineer.https://rvfet.com/Killing firefox with CJK Page Titles on Waylandhttps://rvfet.com/blog/firefox-wayland-dos.md/https://rvfet.com/blog/firefox-wayland-dos.md/How a 4-byte oversight in Firefox allowed webpages to abuse CJK page titles to crash any Firefox based browser on Wayland compositors upon page viewMon, 16 Mar 2026 00:00:00 GMTZero-Click Phishing & Email DoS via Google's Identity Toolkithttps://rvfet.com/blog/google-identity-toolkit-abuse.md/https://rvfet.com/blog/google-identity-toolkit-abuse.md/How I discovered a logic flaw in Google's Identity Toolkit that allowed unauthenticated attackers to send unlimited official security notifications with content injection for high-fidelity phishing and DoS.Wed, 18 Mar 2026 00:00:00 GMTManipulating LinkedIn's Search Algorithm and Poisoning SERP Resultshttps://rvfet.com/blog/linkedin-search-poisoning.md/https://rvfet.com/blog/linkedin-search-poisoning.md/How I discovered a validation and logic flaw in LinkedIn's Search Algorithm that allowed me to manipulate search results and poison the search experience for users.Tue, 31 Mar 2026 00:00:00 GMTCVSS 9.6 Account Takeover in Azerbaijan's Most Visited Platformshttps://rvfet.com/blog/open-redirect-to-ato.md/https://rvfet.com/blog/open-redirect-to-ato.md/How I discovered a critical Open Redirect to Account Takeover (ATO) vulnerability in Azerbaijan's largest online marketplaces, tap.az and turbo.azMon, 08 Dec 2025 00:00:00 GMTAZƏRBAYCANIN ƏN ÇOX ZİYARƏT EDİLƏN PLATFORMALARINDA CVSS 9.6 HESAB ƏLƏ KEÇİRMƏhttps://rvfet.com/blog/open-redirect-to-ato_az.md/https://rvfet.com/blog/open-redirect-to-ato_az.md/Azərbaycanın ən böyük saytları olan tap.az və turbo.az-da kritik Open Redirect to Account Takeover (ATO) boşluğunu necə aşkar etdim?Mon, 08 Dec 2025 00:00:00 GMTCVSS 6.5 Persistent State Corruption in Linear.apphttps://rvfet.com/blog/linear-permanent-state-corruption.md/https://rvfet.com/blog/linear-permanent-state-corruption.md/How I discovered a logic flaw in Linear.app's optimistic UI architecture that allowed authenticated users to permanently 'brick' other accounts via ID collision, resulting in a persistent Denial of Service (DoS) with no recovery path.Wed, 10 Dec 2025 00:00:00 GMTP2/S2 Unauthenticated Redirect Loop Leading to DoS In Google Image Proxyhttps://rvfet.com/blog/google-image-proxy-abuse.md/https://rvfet.com/blog/google-image-proxy-abuse.md/How I discovered a logic flaw in Google's internal proxy service that led to unauthenticated, attribution-free DDoS amplification and infrastructure resource exhaustion.Wed, 25 Feb 2026 00:00:00 GMT