Moblig @moblig_

@JamesSince1960 @Sharo_k_h @Hacker0x01 There you go💪🏻

I earned $6,000 for an SSO bypass in @Hacker0x01 ! 💡Tip: Always test authentication endpoints with encoded whitespace. A simple %20 (trailing space) bypassed SSO completely and fell back to the legacy login flow. The Issue:👇 The application normalized input after checking for SSO eligibility. By appending an encoded space to the email parameter, the check failed and the request was routed to the standard auth flow. #bugbountytips #hackerone

@Mrchen29884691 @Hacker0x01 Thanks!

@thewhiteh4t @Hacker0x01 I always try either %20 or %00 when testing for SSO bypass, trying to bypass the matching logic. Yeah I knew there was legacy because this specific app had both SSO and legacy accounts for testing

@abdilahrf @Sharo_k_h @Hacker0x01 H1 mediation actually deemed it a high!

@Sharo_k_h @Hacker0x01 In this case you needed to know the password, but I also chained it with another misconfiguration where you could force a SSO only user to set a password via password reset, that's why it was not a critical, it was not a 0 interaction ATO

Recon - more important the EVER

🚀 ANNOUNCEMENT🚀 Grayback x @ryftsec : nueva colaboración para impulsar a la comunidad de bug hunters 🤝 ✅ Reporta un bug válido en Grayback → obtén 1 mes GRATIS al TIER Security Researcher de Ryft Security 🎥 Video explicativo: youtube.com/watch?v=-kFkl6… 🔗

THIS IS HUGE‼️ 🌐 “OnlyFans Mega Leak” allegedly containing approximately 340 million user records involving both fans and creators. According to the visible listing, the claimed dataset may include: • usernames and display names • email addresses • linked phone numbers • account creation dates • follower/subscriber metrics • likes and content statistics • creator/fan classifications • linked social profiles • partial payment card metadata (claimed last 4 digits) If authentic, this would represent one of the most operationally sensitive adult-platform-related exposures observed due to the combination of: • identity data • behavioral metadata • financial indicators • social linkage information • creator activity metrics The biggest risk here is not necessarily direct financial theft. The primary danger is: • extortion • doxxing • blackmail • targeted harassment • reputational attacks • account takeover campaigns • relationship/social exposure Adult-platform ecosystems are uniquely sensitive because attackers can combine: • usernames • linked social media • email reuse • payment references • creator/fan relationships • behavioral activity patterns to deanonymize users who believed their identities were separated from their online activity. For creators specifically, risks may include: • impersonation • stalking • swatting • revenue theft • subscriber fraud • credential compromise • targeted phishing pretending to be platform support or agencies For fans/users: • sextortion campaigns • phishing emails • credential stuffing • blackmail attempts • fake legal notices • cryptocurrency scams • exposure of private consumption habits One particularly concerning element is the reference to: • linked profiles • activity metrics • internal identifiers because these fields may allow correlation attacks across multiple platforms and previously leaked datasets. However, several important caveats exist: • extremely large breach claims are often exaggerated • underground actors frequently recycle older datasets • “scraped” data may originate from multiple unrelated leaks • partial data collections are sometimes rebranded as “internal databases” At this stage, the authenticity, source, freshness, and completeness of the alleged dataset remain unverified. Recommended immediate actions for users potentially affected: • change passwords immediately • enable MFA • avoid password reuse • monitor phishing attempts • review connected social accounts • monitor for impersonation attempts • remain alert for extortion emails or social engineering campaigns Platforms operating creator ecosystems should additionally: • monitor credential stuffing spikes • review API abuse • audit scraping protections • monitor underground marketplaces • strengthen anti-bot controls • alert high-risk creators proactively Because of the reputational and emotional sensitivity associated with adult-platform ecosystems, even limited verified exposure could have disproportionate real-world impact. 🌐 #DDW #Intelligence #CyberSecurity #DarkWeb #ThreatIntelligence #DataBreach #Infosec #OSINT #Privacy #OnlyFans

🚨 Ransom group "Qilin" publishes "SEMGREP" - United States 🇺🇸 📍 Location: San Francisco, California, USA 🏢 Industry: Cybersecurity / Application Security 🔗 Website: semgrep.dev Semgrep, Inc., founded in 2017, delivers the Semgrep AppSec Platform combining SAST, SCA, and secrets scanning. It also maintains the open-source Semgrep static analysis tool used across 30+ programming languages by developers and security teams.

@whithat444 @YShahinzadeh @kobi_hk Missed your comment tagging me, congrats on successfully exploiting it💪🏻

🔴 GitHub : un groupe de hackers affirme vendre près de 4 000 dépôts privés internes attribués à la plateforme, incluant du code source et plusieurs projets stratégiques liés à Microsoft. Selon les déclarations publiées, le groupe TeamPCP réclamerait au minimum 50 000 $ et menace de publier gratuitement les données en l’absence d’acheteur. Les fichiers revendiqués concerneraient notamment : 👉 GitHub Actions 👉 GitHub Enterprise 👉 GitHub Copilot 👉 Azure 👉 CodeQL 👉 systèmes d’authentification internes 👉 outils de sécurité et infrastructure cloud

keyboard_arrow_left Previous keyboard_arrow_right Next

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads. Affected versions: [email protected] [email protected] [email protected] Socket’s AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.

hey @Bugcrowd can we please make this checkbox do something thanks

@JElfaz @sudosu01 @SRP_online github.com/pdelteil/scamm…

Anthropic has launched a public bug bounty program on HackerOne, inviting researchers to secure Claude and internal systems despite claims about its Mythos AI. thenewstack.io/anthropic-publ…

Your prod JS files change constantly. Most teams have no idea what’s in them. Ryft’s JS Monitor tracks every JS file across your subdomains and runs AI analysis on each one 🔍 Secrets, unauthenticated endpoints, access control flaws, hardcoded configs. Daily scans. Code-level findings. ⚡ ryftsec.com​​​​​​​​​​​​​​​​ #cybersecurity #bugbountytips

Devs ship .js.map files to prod and forget about them. Attackers don’t.🎯 Source maps reverse minified JS back to raw source code, meant for local dev, not public servers. Ryft finds and analyzes them across all your subdomains; find secrets, API routes, frameworks. IDE-style ryftsec.com/pricing #cybersecurity #bugbountytips