Systems Security Hall of Fame | Diego F. Aranha
Systems Security Hall of Fame
Feb 12, 2026
The final project in my Systems Security course requires students to perform a non-invasive security analysis of a real-world system, usually an Android mobile application.
This Hall of Fame recognizes the projects that produced security analysis and successful vulnerability disclosures that led to meaningful improvements in real-world systems.
Successful Disclosures, 2025 edition
Students: Lars Schmidt Hansen
Application / System: Unnamed work tracking app
Findings:
- Insufficient authentication relying on hardcoded credentials
- Hardcoded keys for encrypting sensitive data on device
- API access allows enumeration of private user data

Students: Rasmus Østerskov Gammelgaard, Alexander Nørgaard Henriksen, Luccas Ruben Joshua Constantin-Sukul
Application / System: Unnamed hotel booking app
Findings:
- Hardcoded API keys
- Insufficient access control for backend database access
- No 2FA, weak password policy
- Deprecated algorithms in public key certificates

Students: Flaviu Catalin Florea, Iacob Ilinca-Maria
Application / System: Unnamed fitness app
Findings:
- Hardcoded secrets and cleartext communication allowed in the app's Manifest
- Weak password policy and session management issues
- Privacy concerns (unclear policy; invasive trackers, permissions and access to user's location)
- The door opening mechanism is vulnerable to spoofing and replay attacks

Students: Kasper Mølholm Holck
Application / System: Unnamed community app
Findings:
- Privilege escalation by any registered user

Students: Niels Viggo Stark Madsen, Ask Holmboe Vorting
Application / System: Unnamed shopping app
Findings:
- Reimbursement mechanism vulnerable to spoofed items
- Coupon feature vulnerable to forgery

Students: Jonas Ahlers, Kasper Hebsgaard, Rasmus Vestergaard Knudsen
Application / System: Unnamed shopping app
Findings:
- No 2FA, weak password policy
- Lack of e-mail verification during signup
- Publicly available cloud storage of user-provided data
- QR code for successful purchases is handled client-side only

Students: Nicolai Landkildehus Lisle
Application / System: Unnamed transport app
Findings:
- Session management issues
- Account hijack under some circumstances
- Risk of account enumeration
- Lack of certificate pinning

Students: Asger Song Høøck Poulsen, Kristian Dueholm Hill, Nikolaj Kühne Jakobsen
Application / System: Unnamed shopping app
Findings:
- Hardcoded secrets (API keys and credentials)
- Spoofing of payment transactions
- Bypass of basket check process
- Enumeration of private user data

Students: Mikkel Katholm, Magnus Wind, Emil Mors
Application / System: Unnamed social network
Findings:
- Exposure of private user data in bulk through API
- Susceptibility to MITM attacks
- Lack of rate-limiting and expiry of password reset
Successful Disclosures, 2024 edition
Students: Nikoline With Brandt-Jacobsen, Mariam Al-Tamimi
Application / System: Unnamed smart lock app
Findings:
- Session management issues (long lifetime even after password reset)
- Enumeration of private user data
- No 2FA, weak password policy
- Unclear privacy policy

Students: Markus V. G. Jensen, Hans-Christian Kjeldsen, Andreas Skriver Nielsen
Application / System: Unnamed restaurant app
Findings:
- Loyalty program vulnerable to forgery
- Weak password policy and session management issues
- Privacy concerns (location data)

Students: Thomas Kingo Thunbo Mogensen, Niklas Bille Olesen
Application / System: Unnamed restaurant app
Findings:
- Loyalty program vulnerable to forgery
- Leakage of private user data
- Insufficient rate limiting for PINs

Students: Joshua Knud Hagemann, Adalsteinn Ingi Palsson
Application / System: Unnamed transport app
Findings:
- Leakage of private user data
- Risk of account takeover
- Insufficient authentication in the API
- No multi-factor authentication

Students: Rasmus Vølund Hansen, Simon Mortiz Jensen
Application / System: Unnamed healthcare app
Findings:
- Insecure cryptographic algorithms
- No 2FA, weak password policy
- Hardcoded keys for encrypting sensitive data on device

Students: Lauge Dybkjær Hansen, Emil Drewsen Jørgensen, Silas Glenting Linde
Application / System: Unnamed transport app
Findings:
- No certificate pinning
- No 2FA, weak password policy
- Permission inflation
- Lack of e-mail verification during signup

Students: Yifan Dong, Simon Schwarz
Application / System: Unnamed transport app
Findings:
- No backend validation of payment transactions
- Risk of ticket forgery
Successful Disclosures, 2023 edition
Students: Herluf Baggesen, Mads Buchmann Frederiksen, Ivan Luchev
Application / System: Unnamed marketplace app
Findings:
- Weak authentication mechanisms
- Leakage of private user data
- Permission inflation

Students: Tobias Kaj Nikolaj Sørensen, Thomas Axel Randrup
Application / System: Unnamed healthcare app
Findings:
- Lack of certificate pinning
- Permission inflation
- Leakage of private user data

Students: Carl Ulsøe Christensen, Bjarke Vangsgaard
Application / System: Unnamed shopping app
Findings:
- Hardcoded API keys
- Weak password policy
- Insecure TLS versions allowed
- Enumeration of private user data
Successful Disclosures, 2022 edition
Students: Mikkel S. Andersen, Victor A. M. Norrild
Application / System: Unnamed restaurant app
Findings:
- Weak authentication mechanisms
- Hardcoded API keys
- Lack of certificate pinning
- Enumeration of private user data
- No access control for API
- Privacy concerns (location data and compliance)

Students: Alexander Stæhr Johansen
Application / System: Unnamed restaurant app
Findings:
- Lack of...