This is my first time attending AWC and I'm so grateful to be able to surround myself with talented and amazing hackers!

SQLi via... binary protocol smuggling?! This upcoming #defcon32 talk from pspaul & Sonar Research sounds awesome! defcon.org/html/defcon-32…

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here -> portswigger.net/research/liste…

new blogpost time!! this one's a fun writeup on a vulnerability chain i found across multiple google services that earned me a $4133.70 bounty lots of fun css as usual! i had to recreate a bunch of drive/docs/gmail/youtube UIs c: have fun! lyra.horse/blog/2024/09/u…

Love a good client-side exploit chain! This crazy cross-product chain targeting Google by Rebane is a great example of the type of exploit that gets easier the longer you spend targeting a single company lyra.horse/blog/2024/09/u…

New writeup from ꙅɿɘƚɔɘqꙅ and I: we're finally allowed to disclose a vulnerability reported to Kia which would've allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate. Full disclosure: samcurry.net/hacking-kia

Gotta take a quick pic before getting dropped from Top 3 at AWC 2024😅 #awc2024 #bugbounty HackerOne

🎉 Proud to share my 2024 journey on HackerOne! 34 vulnerabilities reported, including 10 critical findings. Specializing in XSS and HTTP Request Smuggling, making the web safer one hop at a time! 🐰✨ #BugBounty #InfoSec #HackerOne hackerone.com/stories-of-202…

🇻🇳WE DID IT! See you guys at the event🔥

Introducing InternetCTF! 🤯 Earn up to $10,000 for finding RCE vulnerabilities in open-source software AND creating Tsunami plugin patches. Make the internet safer and get rewarded! 🤑 For details on the program, see our latest blog post: bughunters.google.com/blog/675213644…

The detailed version of our #WorstFit attack is available now! 🔥 Check it out! 👉 blog.orange.tw/posts/2025-01-… cc: splitline 👁️🐈‍⬛

very pleased to announce the release of my new article based on my research that led to CVE-2024-46982 titled: Next.js, cache, and chains: the stale elixir zhero-web-sec.github.io/research-and-t… note: does not cover the latest findings shared in my recent posts enjoy reading;

New blog post with shubs: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here: samcurry.net/hacking-subaru

The Elite 8 round of #AmbassadorWorldCup has been full of teamwork, collaboration, ingenuity, and fun! 🤩 Gathering in Prague today, these teams worked alongside the AS Watson and OKX security teams, using their expertise and creativity to help protect customers and users.

Thank you all for this amazing experience!

Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓↓↓

In Singapore, OKX and HackerOne brought an elite team of security researchers together for a live hacking event focused on one thing: building trust through real-time collaboration. This was security in action—fast-paced, transparent, and deeply human. Researchers tested live