The Android root advocate

@sephr @herrcore @X @nikitabier @nhegde610 @elonmusk kinda fix this please

@herrcore @X @nikitabier @nhegde610 Seeing more cases of this lately. Their support team needs to be educated on security x.com/sephr/status/2…

Hey @X, @nikitabier what are we doing here? Locking friends who post malware IOCs?? Free @nhegde610 ✊

@RKBDI @hewarsaber I think that we saw g+...

@hewarsaber shut the fuck up already

what if twitter was designed by google

@ryanels @ZeroDarkDev He is right btw

@ZeroDarkDev Who is that? 🤔

Programmers are built differently 😁

CVE-2026-31431 Windows WSL2 ROOTED No MDE log telemetry recorded.😅 #Cybersecurity #DefenderXDR #CVE202631431

To be secure in 2026 you have to shut down your bug bounty program on HackerOne. Lovable got hacked because HackerOne's incompetent triage team closed multiple valid vulnerability reports starting February 22, 2026 as "intended behavior." Poorly trained monkeys. Zero escalation to Lovable's security team. AI bots auto-closing critical findings. The result? Public project chat history and source code were exposed for MONTHS until a researcher was forced to go public. Two companies. Same platform. Same failure. Same lies. ClickUp. Lovable. Both breached because HackerOne buried critical reports while collecting your bounty fees. HackerOne is NOT a security partner. They are a liability. They close real vulnerabilities. They protect their own metrics over your data. They let researchers get attacked while they stay silent. Stop paying HackerOne to get hacked. lovable.dev/blog/our-respo…

@ErikExplains @kmcnam1 @davepl1968 you mean him?

@kmcnam1 Yeah, the people who brought us Windows Me and Task Manager really shouldn’t play with grown-up programming languages. I mean, they even struggle with Visual Basic dot net.

Infosec community right now…

@kmcnam1 Now think of it on Android: the pain

@kmcnam1 Still setting that requires root technically

A Criminal will not hand over their guns. A Criminal will not hand over their VPN A Criminal will not hand over their money A Criminal will not hand over their password A Criminal will not hand over their information A Criminal will not hand over anything because a law says to

@krigshaw Stop reporting bugs, maybe they will learn something

A lot of people probably do not have the guts or balls to say this but I will say it. I have noticed that a lot of known security researchers are almost "in bed" with Hacker platforms and forget where they came from or just don't care anymore because they've already made it. The only one that I haven't seen like this is @Jhaddix. Every single time I see someone stand up for themselves against the atrocious injustices and ACTUAL unethical practices of these Hacker platforms against security researchers, I see these big names white-knighting for the platform, as if the platform isn't already a multi-million or multi-billion dollar corporation with multiple white knights on their payroll already. And it's honestly very disappointing and frustrating. People like @rez0__ and @InsiderPhD are prime examples, and should be using their platform to fight for the bug hunters, not against them. It's honestly not only incredibly disrespectful but also a massive letdown. Like, we see these people as not only peers but pillars in the community. For me personally it pains me to write this this since I followed the Critical Thinking podcast in the past, the podcast "by Hackers for Hackers" by the way, unless apparently you post about a Hacker platform hosting a corrupt program that is ghosting you and not paying you for your find. And that my friends is an example of what's become the downfall of the entire bug bounty ecosystem: say one thing, do another. Hacker platforms say they'll pay you X bounty for Y finding, and when you do the report and follow their own "good-faith" principles, they'll downplay your find, ghost your requests, and scam you of your bounty. And the same people you thought were there to defend you when you try to take a stand are actually waiting to be outraged by your stance instead, because they've "met" and "are friends" and "partied at DEFCON" with employees from these platforms 🤡. STOP defending hacker platforms and START defending the hackers, THE PRODUCT. Without us hackers these platforms would be useless.

“There was of course no way of knowing whether you were being watched at any given moment.” “They watched everybody all the time.” “Every sound you made was overheard.” “Every movement scrutinized.” “Always the eyes watching you and the voice enveloping you.” “Nothing was your own except the few cubic centimetres inside your skull.” “No escape.” “Private life came to an end. “BIG BROTHER IS WATCHING YOU.” — George Orwell, 1984

@weezerOSINT @rez0__ @xitsec There are 2 truths here, oems are a joke with their programs and the researcher is the one who has to be careful and everything but are we sure isn't a brand fault behaviour?

anyone with level 1 experience pentesting mobile apps would of found the key. ALL i showed that the ipa is unzipped and they left the key inside the DEFAULT config file? amplifyconfiguration.json is the default path for every AWS Amplify app, its not a secret location i revealed its literally where the framework puts it. and the company just rotated the key so the post worked, 25 days of emails didnt

Huh? He’s not wrong - publicly disclosing an unpatched vulnerability is a blackhat behaviour !

@hackinarticles They also think you are unproductive or doing an hobby....

Pic of the Day #infosec #cybersecurity #cybersecuritytips #pentesting #cybersecurityawareness

@kmcnam1 This is incorrect, sudo works only during chmod and runs the script without it. The brain is braindead

@Akut_oO @DitherDude @vxunderground It requires working, and another root exploit chained to this one to chown a binary we can write to root and set suid...

@666archhwh @DitherDude @vxunderground Does this mean we can root every unpatched Phone without additional steps Like bootloader unlocking?

CVE-2026-31431 a/k/a CopyFail > Linux LPE > Description sounds like AI slop > Exploit is legit > Impacts every Linux kernel from 2017 - Now > Proof-of-concept released > It's Wednesday? copy.fail

🇺🇸 A threat actor on an underground forum is claiming to possess and leak alleged Google-related datasets, including references to advertising, account, employee, and business information. According to the post, the alleged exposed data may include: • Employee information • Usernames and internal identifiers • Direct phone and mobile numbers • Office address details • Business profile information • Account IDs and email addresses • Advertising-related customer metadata • Historical commercial metrics and campaign information The actor also references: • Google Ads-related datasets • Customer IDs and prospect qualification metadata • Internal sales-status notes • Revenue and campaign-related information At this time, the authenticity, origin, and scope of the claims remain UNVERIFIED. It is important to note that underground actors frequently: • Repackage previously leaked datasets • Mislabel scraped or public data • Exaggerate access claims involving major technology companies • Combine unrelated data sources to increase perceived value However, if any portion of the claims were authentic, potential risks could include: • Phishing targeting employees or advertisers • Business impersonation attempts • Credential abuse • Advertising fraud • Reconnaissance against enterprise customers Large technology and advertising ecosystems are especially attractive targets because they contain: • Extensive customer relationships • Business intelligence data • Internal operational metadata • High-value account ecosystems Due to the high-profile nature of the claims, independent validation and technical verification are critical before drawing conclusions. #Google #CyberSecurity #ThreatIntelligence #DataLeak #DailyDarkWeb #DarkWeb #InfoSec

Just had a MiTM #scam @binance call. "Someone is trying to reset your password. Press 1 to continue" I already know it's a scam, I'm not a Binance customer... but I press 1. After long wait, genuine Binance support answers. He claims I've called him. There's 3 people on the call. Me, Binance & the attacker quietly listening to every word. If I'd given any personal information, it'd be game over. Be careful folks. I can see some falling for this.