IPM Research
Distributed Denial of Scheduling on Calendly
Time is our most precious resource - and Calendly has dominated the scheduling of our time at work. If bots can take advantage of this, and flood our schedules to the point where they become useless, they can grind an organization to a halt. We show how exposed Calendly’s current implementation is to such an attack.
Reverse Engineering how WAFs Like Cloudflare Identify Bots
Companies pay tons of money to protect their sites with bot firewalls. How do botmakers circumvent them? Our survey of top retailers tells us quite a bit in terms of what bot designs matter most.
Surveying the Bot Manipulation Landscape Among Top US Retailers
The top retailers jointly account for a huge portion of economic activity - how well do they deal with bot attacks, and what do they tell us about the state of sociotechnical security?
Abusing Promo Code Signup Flows for Reliable Discounts with Major Retailers
Promo code theft is a $300-$600m business. How can botmakers abuse them in an automated way? We use IPM’s Vulnerability Engine to prove the remarkable ease of promo code fraud.
SubstackDB: Exploiting Lax Upload Validation to Create Parasitic File Servers
Image uploads are a core part of many platforms - when engineers don’t consider the edge cases, they can be abused. In this post, we show how we abuse them to store GPT2 in the cloud on someone else’s dime.
Algorithmic Influencing on RedBubble
If we search it, will they come? We induce a spike of traffic on a low-indexed search term on Redbubble, and show that the new sellers who arrive with the products we searched for are seemingly primed by exactly that sort of behavior.
Falsifying Traffic Counts to Manipulate Website Auction Marketplaces
Can you inflate the value of an auctioned good with bots? On Flippa, you can! We used bots and statistical analysis to prove the market exists for systematic fraud on the Flippa auction market.
Every Analytics Service is Broken
Every analytics service that tracks user behavior on sites counts fake bot traffic as real - here’s the breakdown of how broken Google Analytics, Chartbeat, Woopra, Oribi, and Indicative are.
Automating COVID Vaccine Sign-ups with Browser Emulation
At the beginning of the rollout of vaccines, appointments are in demand - can you skip the line by scalping a spot with bots, and what are states doing about it?
DiscordDB: Creating Parasitic File Servers via Upload Abuse
Failing to validate uploaded files can hurt business. We demonstrate that by uploading GPT2 to Discord and Substack, and creating parasitic filestores.