DALEK.



projects.

Some of my side projects :3


Resonite appreciation Channel


Services for fellow VR Creators

security writeups

I don't really do these often, but wanted a place to document if I get any :3

GET-OAUTH - A Case Study in OAuth Token Exposure & Tenant Scoping

The following vulnerability was responsibly disclosed to the GETLATE organization.
GETLATE acknowledged and promptly patched the issue, and approved public disclosure of the vulnerability.
This write-up is a technical case study and learning resource.

Summary

Under certain tenant configurations, authenticated users received web request responses containing data about all profiles within a tenant, even those outside their access scope. These responses included OAuth access_token and refresh_token values in plaintext for connected social media accounts, allowing unauthorized third-party actions outside the platform’s intended permission model.

Platform: GetLate.Dev

Reproduction Steps

1- Log in as Tenant Admin.
2- Create a new profile – connect a social account and do NOT scope any users to this profile (tested with Twitter/X).
3- Log out of the tenant admin account.
4- Log in as an End-user who is not scoped to the new profile.
5- In the main dashboard: Open dev tools – Navigate to the Network tab and refresh the dashboard.
6- Locate responses – Find JSON files named accounts.
7- Inspect response – All tenant profiles appear, including those outside the user’s scope.
8- Check metadata section – OAuth access_token and refresh_token are exposed in plaintext.

Impact

- OAuth tokens exposed -> direct third-party API access.
- Users could post, delete, or modify content outside permissions even if access was revoked from the GETLATE platform.
- Tokens remained valid until rotated or revoked.

Timeline & Context

- Feb 3, 2026: Vulnerability discovered; safe-haven request made.
- Feb 4, 2026: I reported a related visual bug within the tenant where profiles a user was not scoped for were listed (but not accessible) in the new Inbox feature.
- Feb 4, 2026: Visual bug patched; non-scoped profile OAuth vulnerability was partially mitigated through this as well.
- Feb 5, 2026: Safe-haven granted; remaining vulnerability fully patched.

Residual risk existed for scoped profiles where tokens could persist if access was revoked late.

Remediation

- Remove/protect OAuth tokens in frontend responses.
- Rotate exposed tokens.
- Enforce profile-level authorization server-side.
- Only return resources scoped to each user.
- Securely store OAuth credentials; never expose to clients.

Closing Thoughts

Small authorization gaps + exposed credentials can be critical.
Cooperative disclosure and timely remediation are key to secure multi-tenant design.

Thank you to Miki and the GETLATE team for safe-haven for disclosure, prompt communication, prompt patching, and overall addressing this in a professional, responsible manner!
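
The remediation points above (server-side profile scoping, returning only scoped resources, never sending tokens to clients), sketched as an added example that is not part of the original write-up and is not GETLATE's code. The account shape, role names, PROFILE_SCOPES map and all token values are constructed for illustration; a profile with no scoped users is treated as visible to tenant admins only.

```javascript
// Added example: every name and value here is hypothetical / constructed.
const ACCOUNTS = [
  { id: 'a1', tenantId: 't1', profileId: 'p1', platform: 'twitter', handle: '@brand',
    metadata: { access_token: 'CONSTRUCTED-AT-1', refresh_token: 'CONSTRUCTED-RT-1' } },
  { id: 'a2', tenantId: 't1', profileId: 'p2', platform: 'twitter', handle: '@unscoped',
    metadata: { access_token: 'CONSTRUCTED-AT-2', refresh_token: 'CONSTRUCTED-RT-2' } },
  { id: 'a3', tenantId: 't2', profileId: 'p9', platform: 'twitter', handle: '@other',
    metadata: { access_token: 'CONSTRUCTED-AT-3', refresh_token: 'CONSTRUCTED-RT-3' } },
];

// profileId -> user ids scoped to it. p2 has no scoped users (step 2 of the repro).
const PROFILE_SCOPES = { p1: ['u-end'], p2: [], p9: ['u-x'] };

// Allow-list of fields a browser may receive; metadata and tokens are not on it.
const PUBLIC_FIELDS = ['id', 'profileId', 'platform', 'handle'];

function canSeeProfile(user, account, scopes) {
  if (account.tenantId !== user.tenantId) return false; // tenant isolation first
  if (user.role === 'admin') return true;               // admin sees own tenant only
  const allowed = scopes[account.profileId] || [];      // missing or empty scope = deny
  return allowed.includes(user.id);
}

function toPublicAccount(account) {
  const out = {};
  for (const field of PUBLIC_FIELDS) out[field] = account[field];
  return out;
}

// What the "accounts" response should be built from: filter, then serialize.
function listAccountsForUser(user, accounts = ACCOUNTS, scopes = PROFILE_SCOPES) {
  return accounts.filter(a => canSeeProfile(user, a, scopes)).map(toPublicAccount);
}

// Regression check: walk an outgoing payload and report credential-looking keys.
function findSecretKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = `${path}.${key}`;
    if (/token|secret/i.test(key)) hits.push(here);
    hits.push(...findSecretKeys(child, here));
  }
  return hits;
}
```

Running findSecretKeys over every serialized API response in a test suite catches a token field that slips back into a payload, independently of the authorization filter.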

biography.

  name.    Dalek.
  age.    31.
  birthday / nameday     August 24th.
  astrological sign / guarding deity.     Virgo.
  gender.     Male.
  pronouns.     he/him.
  sexuality.     Bisexual.
  height.     5' 7".
  job occupation.    Works in IT.
  home.    Resonite.
  marital status.     Single.
  mbti.     INTP.
  likes.  
- Learning and trying new things
- People with a drive and passion
- IT and all things Technical <3
- Coffee
- Cinematography
- Content creation
- Acting
- VR
- Self-hosting
- Pushing people out of their comfort zones and trying new things.
  dislikes.  
- Loud screaming/chaos
(I have old man ears sorry! 🙏)
- Overly sexual context in public spaces.
- Learned helplessness.
- Lack of passion and desire.

  personality.     An old soul who finds balance between technical logic and creative wonder. I’m not a fan of loud crowds or overly sexualized public spaces; I believe in maintaining a level of courtesy and keeping things focused on the shared experience. If we’re in a small group talking about tech, cinematography, or something we've created, I’m in my element. I’m here to create things and share them with the right people. :3

  Background.  
I’ve spent most of my life moving. Growing up between Guatemala and the US was just the beginning of a nomad existence that followed me through five years in the military and another five in the IT sector. For over a decade, 'home' was just a place I stayed for a few years before the next move.
I’m finally at a point where I’m ready to stop moving and settle in. While my professional background is built on technical logic and server infrastructure, I’ve found that those tools are the perfect foundation for something more virtual production. Resonite is where these two worlds finally align for me. It allows me to use my 'technical brain' to be more creative and where I can bypass the noise of the physical world. I’m an old soul who values small groups and a quiet coffee over loud crowds.

  Character Lore.  
Dalek's character is a wolf boy who was raised by cats, therefore there may be some meows spoken 😅
That's it, you will likely see me wearing several outfits in several skit videos 🤭

Tech setup.


  Main PC. - Pegboard Build  
CPU: AMD Ryzen 9 9950X3D
RAM: 32GB G.SKILL Flare X5
MOBO: GIGABYTE X870E AORUS Elite WIFI7
GPU: EVGA RTX 3090 FTW3
STORAGE:
- Windows: WD_BLACK SN850X 1TB
- Fedora Linux: 1TB TEAMGROUP T-FORCE VULCAN Z
  Streaming PC. - Rack mounted RSV-R4000 
CPU: AMD Ryzen 7 2700
RAM: 32 GB DDR4 Generic
MOBO: ASUS Prime B550M-A
GPU: EVGA RTX 3060 Ti XC
STORAGE:
- Windows: 1TB PNY CS900
- Recordings: Kingston 120GB A400
- Mini Storage Cluster: 4x Seagate BarraCuda 2TB in RAID 5
  VR. - Wireless 
Headset: Meta Quest Pro
Controllers: Valve Index Controllers
Trackers: 4x Vive 3.0
Base Stations: 3x Valve Index Base Stations
  Audio Solutions 
Microphone: Hollyland Lark M2 Wireless Microphone Type C Version
Headphones: GK KUNTEN IEMs
IEM Wireless Transmitter: Melonare PM-2


credits & usage.

  Content Usage Consent.  
Feel free to repost any of my content if you want, all I ask is that you place credit or tag me somehow and don't make an exact copy of my page, using a video here and there is totally cool 🙏

  Model.  
Base: Deltaflair by VERMILION .Studio
Custom editing by: Tri-ShellVR

  Images.  
Background icons: Addiction & Drugs icon pack
Logo Coffee Sign: Edited, from: Barista icon pack

  Website.  
Original design by cassiaslair. Edited by Dalek.
Site hosted via carrd, click here to try it yourself! (Referral)

sandbox.