Systems Security Hall of Fame

The final project in my Systems Security course requires students to perform a non-invasive security analysis of a real-world system, usually an Android mobile application.

This Hall of Fame recognizes the projects whose security analyses and successful vulnerability disclosures led to meaningful improvements in real-world systems.

Successful Disclosures, 2025 edition

Students: Lars Schmidt Hansen
Application / System: Unnamed work tracking app
Findings:
- Insufficient authentication relying on hardcoded credentials
- Hardcoded keys for encrypting sensitive data on device
- API access allows enumeration of private user data

Students: Rasmus Østerskov Gammelgaard, Alexander Nørgaard Henriksen, Luccas Ruben Joshua Constantin-Sukul
Application / System: Unnamed hotel booking app
Findings:
- Hardcoded API keys
- Insufficient access control for backend database access
- No 2FA, weak password policy
- Deprecated algorithms in public key certificates

Students: Flaviu Catalin Florea, Iacob Ilinca-Maria
Application / System: Unnamed fitness app
Findings:
- Hardcoded secrets and cleartext communication allowed in the app’s Manifest
- Weak password policy and session management issues
- Privacy concerns (unclear policy; invasive trackers, permissions and access to user’s location)
- The door opening mechanism is vulnerable to spoofing and replay attacks

Students: Kasper Mølholm Holck
Application / System: Unnamed community app
Findings:
- Privilege escalation by any registered user

Students: Niels Viggo Stark Madsen, Ask Holmboe Vorting
Application / System: Unnamed shopping app
Findings:
- Reimbursement mechanism vulnerable to spoofed items
- Coupon feature vulnerable to forgery

Students: Jonas Ahlers, Kasper Hebsgaard, Rasmus Vestergaard Knudsen
Application / System: Unnamed shopping app
Findings:
- No 2FA, weak password policy
- Lack of e-mail verification during signup
- Publicly available cloud storage of user-provided data
- QR code for successful purchases is handled client-side only

Students: Nicolai Landkildehus Lisle
Application / System: Unnamed transport app
Findings:
- Session management issues
- Account hijack under some circumstances
- Risk of account enumeration
- Lack of certificate pinning

Students: Asger Song Høøck Poulsen, Kristian Dueholm Hill, Nikolaj Kühne Jakobsen
Application / System: Unnamed shopping app
Findings:
- Hardcoded secrets (API keys and credentials)
- Spoofing of payment transactions
- Bypass of basket check process
- Enumeration of private user data

Students: Mikkel Katholm, Magnus Wind, Emil Mors
Application / System: Unnamed social network
Findings:
- Exposure of private user data in bulk through API
- Susceptibility to MITM attacks
- Lack of rate-limiting and expiry of password reset

Successful Disclosures, 2024 edition

Students: Nikoline With Brandt-Jacobsen, Mariam Al-Tamimi
Application / System: Unnamed smart lock app
Findings:
- Session management issues (long lifetime even after password reset)
- Enumeration of private user data
- No 2FA, weak password policy
- Unclear privacy policy

Students: Markus V. G. Jensen, Hans-Christian Kjeldsen, Andreas Skriver Nielsen
Application / System: Unnamed restaurant app
Findings:
- Loyalty program vulnerable to forgery
- Weak password policy and session management issues
- Privacy concerns (location data)

Students: Thomas Kingo Thunbo Mogensen, Niklas Bille Olesen
Application / System: Unnamed restaurant app
Findings:
- Loyalty program vulnerable to forgery
- Leakage of private user data
- Insufficient rate limiting for PINs

Students: Joshua Knud Hagemann, Adalsteinn Ingi Palsson
Application / System: Unnamed transport app
Findings:
- Leakage of private user data
- Risk of account takeover
- Insufficient authentication in the API
- No multi-factor authentication

Students: Rasmus Vølund Hansen, Simon Mortiz Jensen
Application / System: Unnamed healthcare app
Findings:
- Insecure cryptographic algorithms
- No 2FA, weak password policy
- Hardcoded keys for encrypting sensitive data on device

Students: Lauge Dybkjær Hansen, Emil Drewsen Jørgensen, Silas Glenting Linde
Application / System: Unnamed transport app
Findings:
- No certificate pinning
- No 2FA, weak password policy
- Permission inflation
- Lack of e-mail verification during signup

Students: Yifan Dong, Simon Schwarz
Application / System: Unnamed transport app
Findings:
- No backend validation of payment transactions
- Risk of ticket forgery

Successful Disclosures, 2023 edition

Students: Herluf Baggesen, Mads Buchmann Frederiksen, Ivan Luchev
Application / System: Unnamed marketplace app
Findings:
- Weak authentication mechanisms
- Leakage of private user data
- Permission inflation

Students: Tobias Kaj Nikolaj Sørensen, Thomas Axel Randrup
Application / System: Unnamed healthcare app
Findings:
- Lack of certificate pinning
- Permission inflation
- Leakage of private user data

Students: Carl Ulsøe Christensen, Bjarke Vangsgaard
Application / System: Unnamed shopping app
Findings:
- Hardcoded API keys
- Weak password policy
- Insecure TLS versions allowed
- Enumeration of private user data

Successful Disclosures, 2022 edition

Students: Mikkel S. Andersen, Victor A. M. Norrild
Application / System: Unnamed restaurant app
Findings:
- Weak authentication mechanisms
- Hardcoded API keys
- Lack of certificate pinning
- Enumeration of private user data
- No access control for API
- Privacy concerns (location data and compliance)

Students: Alexander Stæhr Johansen
Application / System: Unnamed restaurant app
Findings:
- Lack of certificate pinning
- Weak TLS configurations
- Risk of tampering with advertisement campaigns

Students: Dikte Straadt, Lena Todnem
Application / System: Unnamed healthcare app
Findings:
- Session management issues (no invalidation, long lived)
- No 2FA, weak password policy
- Privacy issues with sharing data

Successful Disclosures, 2021 edition

Students: Mark Nørtoft Jensen, Eske Hoy Nielsen, Yasar Plueckebaum
Application / System: Unnamed hotel booking app
Findings:
- No access control for backend server
- Leakage of private user data
- Weak authentication mechanisms
- Hardcoded API keys

Students: Sebastian Tillema Rasmussen, Kasper Løhde
Application / System: Unnamed shopping app
Findings:
- Weak authentication mechanisms
- Lack of e-mail verification during signup
- DoS attacks
- Unclear privacy policy

Students: Mathias Laursen, Thor Garske Andresen, Anders Bille Wiggers
Application / System: Unnamed shopping app
Findings:
- Weak SSL/TLS versions and cipher suites
- Hardcoded API keys
- Lack of e-mail verification during signup

Students: Anders Faber Mygind, Christian Brok Jacobsen
Application / System: Unnamed shopping app
Findings:
- Point system vulnerable to forgery
- Enumeration attacks
- Unclear privacy policy

Students: Tessa Broeders, Anders Jensen Løvig, Thomas Hoffmann
Application / System: Unnamed shopping app
Findings:
- Weak authentication mechanisms
- Unclear privacy policy

Students: Mikkel Gaba, Sergei Kirillov, Marcus Sellebjerg
Application / System: Unnamed restaurant app
Findings:
- Weak SSL/TLS cipher suites
- Inflated permissions
- Unclear privacy policy
- No multi-factor authentication

Students: Radu Aron
Application / System: Unnamed phone operator app
Findings:
- Downgrade to plaintext transmission

Students: Nijithaan Selvaratnam
Application / System: Unnamed transport app
Findings:
- Unclear privacy policy
- No 2FA, weak password policy
- Device authentication is not properly implemented

Successful Disclosures, 2020 edition

Students: Anders Kloborg, Christian Mørup
Application / System: Unnamed work tracking app
Findings:
- Weak authentication mechanisms
- Default credentials
- Risk of account takeover

Students: Anna Hansen
Application / System: Unnamed parcel delivery app
Findings:
- Hardcoded credentials
- Issues with Bluetooth authentication