Mirhat (@mirhatx)'s Twitter Profile

ID: 1028671545185579008

https://hackerone.com/mirhat

12-08-2018 15:56:22

111 Tweet

534 Followers

1,1K Following

shubs (@infosec_au)

blog.polybdenum.com/2021/05/05/how… this is wild! just shows what is possible if you're willing to go deep and put the time in

RyotaK (@ryotkak)

I published an article about remote code execution in cdnjs that could allow tampering of 12.7% of all websites on the internet. blog.ryotak.me/post/cdnjs-rem…

Engineering (@xeng)

Calling all bounty hunters - it’s officially go time! We’ve just released the full details of our algorithmic bias bounty challenge which is open through August 6. For more details on the challenge, head over to our blog 👇 blog.twitter.com/engineering/en…

Ian Beer (@i41nbeer)

Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists, activists and dissidents around the world. googleprojectzero.blogspot.com/2021/12/a-deep…

Frans Rosén (@fransrosen)

I have researched Oblivious DoH (ODoH) a bit and came to a few conclusions around the lack of security concerns for SSRF in the RFC. I was asked to also make a public issue about it after reporting issues in odoh-server-go made by Cloudflare. github.com/cloudflare/odo…

David Schütz (@xdavidhu)

I found a vulnerability that allowed me to unlock any Google Pixel phone without knowing the passcode. This may be my most impactful bug so far. Google fixed the issue in the November 5, 2022 security patch. Update your devices! bugs.xdavidhu.me/google/2022/11…

Ian Carroll (@iangcarroll)

Today I'm disclosing several vulnerabilities I found in the certificate authority e-Tugra, which disclosed significant amounts of subscriber PII and may have impacted their certificate issuances. Hopefully other CAs are not like this! ian.sh/etugra

Sam Curry (@samwcyo)

We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. To explain how it worked and how we found it, we have ꙅɿɘƚɔɘqꙅ as our mock car thief:

PortSwigger Research (@portswiggerres)

We've just published 'Smashing the state machine: the true potential of web race conditions' by James Kettle! Dive in to arm yourself with novel techniques & tooling, and help reshape this attack class: portswigger.net/research/smash…

Clive Thompson (@pomeranian99)

Memory leaks on missiles don't matter, so long as the missile explodes before too much leaks. A 1995 memo: groups.google.com/forum/message/…