
OTP lockout state leaked valid-code signal, enabling OLX account takeover

I published a technical write-up on an old OLX account takeover issue.

The core bug was an OTP correctness leak inside the rate-limit state.

After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent.

Invalid codes during lockout still produced the invalid-code signal.

The valid code during lockout removed that signal while keeping the lockout message.

That made the lockout state act as an oracle for whether the OTP was correct.

The broader impact came from reuse of the verification flow across account paths, including recovery/reset-style flows, plus weak session revocation behavior after password change.

The write-up focuses on the response-difference behavior, why the validity window mattered, how the issue escalated to account takeover, and why lockout states must stop leaking success/failure information.

submitted by /u/TheReedemer69

CVE-2021-21735: ZTE H168N wizard whitelist exposed PPPoE and WLAN secrets pre-auth

Disclosure/write-up for CVE-2021-21735 affecting the ZTE ZXHN H168N V3.5.

The issue is cataloged as information disclosure, but the useful part is the authorization failure: wizard handlers under the setup surface exposed PPPoE and WLAN material that should have required authenticated configuration access. Firmware analysis points to a brittle whitelist decision around the QuickSetup flow, including routes such as wizard_pppoe_lua.lua and wizard_wlan_config_lua.lua.

The write-up keeps secrets redacted and focuses on the route behavior, firmware logic, deployment-dependent admin compromise path, disclosure timeline, and the ZTE Low vs NVD Medium severity split.

submitted by /u/TheReedemer69

Zyxel low-priv account leaked super-admin, FTPS, and TR-069 secrets across router fleets

This is the longer technical writeup behind CVE-2021-35036. The short CVE summary makes it sound like simple cleartext storage, but the useful part is the access path.

A low-privileged Zyxel router session could query DAL handlers like login_privilege and tr69 and receive password-bearing backend objects in the response. That included higher-privilege local account data, FTPS credentials, and TR-069 management secrets. Zyxel’s advisory later expanded the scope from the original VMG3625-T50B report into broader CPE, ONT, LTE, and 5G product lines.

I also included the password-generation side: QEMU runtime, LD_PRELOAD serial hook, getpassword analysis, and the Method2 / Method3 supervisor password logic.

submitted by /u/TheReedemer69

CVE-2026-34474: Pre-auth credential disclosure in ZTE H298A / H108N via ETHCheat

CVE-2026-34474 covers a pre-auth credential disclosure in ZTE ZXHN H298A 1.1 and H108N 2.6 router web interfaces.

The short version: an ETHCheat branch returns credential-bearing HTML before authentication. The captured fields include the admin password, WLAN PSK, and ESSID, and a companion wizard endpoint exposes serial data. The writeup keeps the PoC output redacted and focuses on the response behavior, affected scope, and disclosure trail.

submitted by /u/TheReedemer69