Thierry
@7hierri
1.4K posts
Joined February 2023
62 Following · 1.4K Followers

Pinned Tweet
Thierry @7hierri
Wayback machine can help you see internal documents that are restricted. #Bug

Thierry retweeted
Coffin @lostsec_
Most people don’t realize how little real competition there is in bug hunting. A huge part of the younger generation is focused on gaming, while others spend most of their time scrolling Instagram, TikTok and similar platforms. Even within tech, a lot of people are tied up in web development, chasing projects, clients or frontend trends. And now with AI in the picture, many beginners get discouraged before they even start, thinking everything is already saturated or automated. But the reality is very different. The field is still wide open. If you stay consistent, actually learn the fundamentals and put in real effort, you’re already ahead of most people. The barrier to entry is much lower than it looks, and very few people are willing to go deep enough to stand out. That’s where the opportunity is. Take advantage of it. Build your skills. Stay focused. This space can genuinely change your life if you take it seriously.

Thierry @7hierri
@IdontCa31377684 It's a bearer token that was accidentally archived. The bearer token had an expiry date of 2035. You could easily access the user's information and the messages exchanged during conversations with other people.

Thierry @7hierri
Information Disclosure: Public Archives (Wayback) on app.reducted.com through /l/share/{conversation-uuid}/{bearer-token} via Path. Wayback payload to check the archived URL (replace the placeholder with your target in the payload): web.archive.org/cdx/search?url…
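The archive check described in the tweet above (a CDX prefix search over /l/share/) together with the follow-up reply about the bearer token that expired in 2035, as an added example that is not the poster's own payload. It builds the CDX query, parses the plain-text CDX rows, flags captures whose path matches the share-link shape, and reads the token's expiry. The tweets do not say what format the token had, so treating it as a JWT is an assumption made only to read the exp claim. The host app.example.com and the CDX rows are constructed sample data.

```python
"""Find archived share links that carry a secret in the path.

Added example, not the poster's own payload. The JWT handling is an
assumption (the token format is not stated); app.example.com and the
CDX rows below are constructed.
"""
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Path shape from the tweet: /l/share/{conversation-uuid}/{bearer-token}
SHARE_PATH = re.compile(
    r"/l/share/(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/(?P<token>[A-Za-z0-9._~-]{16,})"
)


def cdx_query_url(host: str, path_prefix: str = "/") -> str:
    """Build the CDX query: every 2xx capture under host/path_prefix, one row per URL."""
    params = {
        "url": f"{host}{path_prefix}",
        "matchType": "prefix",       # walk the whole subtree, not just the exact URL
        "output": "txt",             # rows: urlkey timestamp original mimetype statuscode digest length
        "filter": "statuscode:2..",  # drop 404s and redirects before fetching snapshots
        "collapse": "urlkey",        # one row per distinct URL
        "limit": 10000,
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def find_exposed_links(cdx_txt: str) -> list:
    """Parse plain-text CDX rows and return captures whose path matches SHARE_PATH."""
    hits = []
    for line in cdx_txt.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, original = fields[1], fields[2]
        m = SHARE_PATH.search(original)
        if not m:
            continue
        hits.append({
            "uuid": m.group("uuid"),
            "token": m.group("token"),
            # Snapshot URL to confirm the archived response really contains the data
            "snapshot": f"https://web.archive.org/web/{timestamp}/{original}",
        })
    return hits


def jwt_expiry(token: str):
    """If token is a JWT, return its exp claim as a UTC datetime (no signature check; read-only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return datetime.fromtimestamp(exp, tz=timezone.utc) if isinstance(exp, int) else None


# ---- constructed sample data (not real captures) ----
def _fake_jwt(exp_epoch: int) -> str:
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'HS256', 'typ': 'JWT'})}.{b64({'sub': 'user-42', 'exp': exp_epoch})}.sig"


SAMPLE_TOKEN = _fake_jwt(int(datetime(2035, 1, 1, tzinfo=timezone.utc).timestamp()))
SAMPLE_CDX = "\n".join([
    "com,example,app)/ 20240101000000 https://app.example.com/ text/html 200 AAAA 512",
    "com,example,app)/l/share/0f3d5b2e-1c4a-4e7b-9a1d-2b3c4d5e6f70/<token> 20240315120000 "
    f"https://app.example.com/l/share/0f3d5b2e-1c4a-4e7b-9a1d-2b3c4d5e6f70/{SAMPLE_TOKEN} text/html 200 BBBB 2048",
    "com,example,app)/l/share/help 20240316000000 https://app.example.com/l/share/help text/html 200 CCCC 100",
])

if __name__ == "__main__":
    print(cdx_query_url("app.example.com", "/l/share/"))
    for hit in find_exposed_links(SAMPLE_CDX):
        print(hit["snapshot"])
        print("token expires:", jwt_expiry(hit["token"]))
```

Against a live target, fetch cdx_query_url() with any HTTP client, feed the body to find_exposed_links(), and open the snapshot URL for each hit to verify the archived response body before writing the report.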

DuckywantDucky @DuckyWantDucky
Day 137/365 of the "Until I get a 10.0 Critical report" 📤 Reports Submitted:- 0 🟠 triaged - 2 🟦 new status - 🟤 Duplicate - 0 🟣 New - 0 💰 Paid - $200 💻 Worked - 9 HOURS #BugBounty After 13 duplicates I finally got my first bounty on HackerOne 😅

Thierry @7hierri
@K10594Stanley That’s only possible with an adapter that supports monitor mode + packet injection. Linux alone won’t let you capture beacon frames or send deauth packets.
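One way to check the monitor-mode half of that requirement before buying or plugging in an adapter, added here as an example and not the poster's own tooling: parse the per-PHY "Supported interface modes" block that `iw list` prints. The sample output below is constructed (real output is tab-indented, which the parser tolerates). Injection support is not reported by iw at all, so that half still needs a live test.

```python
"""Check which wireless PHYs can enter monitor mode, from `iw list` output.

Added example, not the poster's tooling. SAMPLE_IW_LIST is constructed.
"""
import re
import subprocess

# Constructed sample: two PHYs, only phy1 lists monitor mode.
SAMPLE_IW_LIST = """\
Wiphy phy0
    Supported interface modes:
         * managed
         * AP
         * P2P-client
    Supported commands:
         * new_interface
Wiphy phy1
    Supported interface modes:
         * IBSS
         * managed
         * monitor
         * AP
"""


def monitor_capable_phys(iw_list_output: str) -> dict:
    """Map each PHY name to True if 'monitor' appears under its interface modes."""
    caps = {}
    phy = None
    in_modes = False
    for line in iw_list_output.splitlines():
        m = re.match(r"Wiphy (\S+)", line)
        if m:
            phy = m.group(1)
            caps[phy] = False
            in_modes = False
            continue
        if phy is None:
            continue
        if line.strip() == "Supported interface modes:":
            in_modes = True
            continue
        if in_modes:
            if line.lstrip().startswith("*"):
                if line.strip("\t *") == "monitor":
                    caps[phy] = True
            else:
                in_modes = False  # left the modes block
    return caps


if __name__ == "__main__":
    try:
        out = subprocess.run(["iw", "list"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_IW_LIST  # iw not installed: fall back to the constructed sample
    for name, ok in monitor_capable_phys(out).items():
        print(f"{name}: monitor mode {'supported' if ok else 'NOT supported'}")
```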

Dr. bones💀 @K10594Stanley
POV: The University WiFi is too low to submit your final assignment... Me on Linux: launching a deauth payload to kick the entire floor offline and claim the bandwidth💀😂😂💔

Thierry @7hierri
@4osp3l A contribution is acknowledged with a sign of reward. Saying it is acknowledged in your mind is crazy.

Gospel @4osp3l
site:com "We're sorry but Directus doesn't" -github -gitlab -google (PII leak via /users)

Thierry @7hierri
@ks7X01 They asked me for an escalation with the data I have. Like, why? They are saying the emails, phone numbers, names and device configurations of their 2000+ employees are not worth reporting.

Ks7 @ks7X01
@datafuel0 Based on this, this does not seem to be a company that cares about its users' privacy. I mean, when you first use the app I guess they declare that your personal info will be secured; in this case it is not, and this info can easily be sold on the dark web by an attacker.

Thierry @7hierri
Found an endpoint that returned PII (full names, emails, phone numbers, system configurations, their phone type, and location). Submitted it, and they said "it is not that sensitive, show exploitation with those data". Fine. I asked myself, what do I do? Unable to escalate.

Thierry @7hierri
Scan JS files, or do manual checking. The URL I got while reading a JS file was just a bootstrap URL by design. However, when I tried it, it returned thousands of employees' information. #bugbounty #informationDisclosure
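The JS-scanning step from the tweet above, as an added example that is not the poster's script: pull quoted absolute URLs and root-relative paths out of a bundle, capture apiBase/baseURL-style constants, and resolve the relative paths against them so the result can be fed to a request loop and checked for unauthenticated data. The variable names matched and the SAMPLE_JS bundle are constructed assumptions, not taken from any real application.

```python
"""Extract candidate endpoints from a JavaScript bundle.

Added example, not the poster's script. SAMPLE_JS is constructed; the
config-variable names in BASE_VAR are an assumption about common naming.
"""
import re
from urllib.parse import urljoin

SAMPLE_JS = r"""
window.__BOOTSTRAP__ = {apiBase: "https://api.example.com", env: "prod"};
const cfg = { baseURL: "https://api.example.com/v2" };
function load(){ return fetch("/api/v1/bootstrap").then(r => r.json()); }
function users(){ return axios.get(cfg.baseURL + "/employees?limit=5000"); }
const img = "/static/logo.png"; const t = "text/plain";
"""

# Quoted absolute URLs
ABS_URL = re.compile(r'["\'](https?://[^"\'\s]+)["\']')
# Quoted root-relative paths, optionally with a query string
REL_PATH = re.compile(r'["\'](/[A-Za-z0-9_\-./]*[A-Za-z0-9_\-/](?:\?[^"\'\s]*)?)["\']')
# Base-URL style constants (assumed names) so relative paths can be resolved
BASE_VAR = re.compile(
    r'\b(?:apiBase|baseURL|baseUrl|API_URL|apiUrl)\s*[:=]\s*["\'](https?://[^"\']+)["\']'
)
# Static assets are noise for endpoint hunting
STATIC_EXT = (".png", ".jpg", ".jpeg", ".svg", ".css", ".woff", ".woff2", ".ico", ".gif")


def extract_endpoints(js: str) -> dict:
    """Return bases, absolute URLs, relative paths and base-resolved URLs found in js."""
    bases = sorted(set(BASE_VAR.findall(js)))
    absolute = set(ABS_URL.findall(js))
    relative = {
        p for p in REL_PATH.findall(js)
        if not p.split("?", 1)[0].lower().endswith(STATIC_EXT)
    }
    resolved = set()
    for path in relative:
        if not bases:
            resolved.add(path)
            continue
        for base in bases:
            # urljoin keeps the base's own path segment (e.g. /v2) when joining
            resolved.add(urljoin(base.rstrip("/") + "/", path.lstrip("/")))
    return {
        "bases": bases,
        "absolute": sorted(absolute),
        "relative": sorted(relative),
        "resolved": sorted(resolved),
    }


if __name__ == "__main__":
    for key, values in extract_endpoints(SAMPLE_JS).items():
        print(key)
        for v in values:
            print("  ", v)
```

Every resolved URL still has to be requested without credentials and with a low-privilege account; the bootstrap path in the tweet looked harmless by design, and only the response told the story.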

Thierry @7hierri
I submitted a report INTENTIONALLY out of scope. The CVSS score is 9.8+ and the triagers, instead of rejecting or closing it, changed my report title and report details to something even more massive, which is also still out of scope 😎😎 Let's see how it goes.

Thierry retweeted
DinDinDin @comores_11
🔥 XSS Tip: Unicode Normalization
Don't give up if <, >, " or ' are filtered! Many apps normalize Unicode after the WAF/security layer.
Some bypass variants (URL-encoded):
🔹 < ➔ %EF%BC%9C
🔹 > ➔ %EF%BC%9E
🔹 " ➔ %EF%BC%A2
🔹 ' ➔ %EF%BC%87
🔹 ` ➔ %EF%BD%80
For example, inject %EF%BC%9Cscript%EF%BC%9E and check if it reflects as
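The normalization-order bug behind that tip, as an added example that is not part of the retweeted post: a filter that inspects raw input, followed by an application step that runs NFKC normalization, lets fullwidth forms turn back into ASCII metacharacters. The block computes each URL-encoded variant from the fullwidth code point itself, so the list can be checked rather than copied, shows the vulnerable order beside the hardened one, and is generic Python rather than any particular WAF or framework.

```python
"""Fullwidth-to-ASCII normalization as an XSS filter bypass, with the fix.

Added example, not from the original tweet. Encodings are derived from the
code points (U+FF1C, U+FF1E, U+FF02, U+FF07, U+FF40) rather than typed in.
"""
import unicodedata
from html import escape
from urllib.parse import quote, unquote

# ASCII metacharacter -> its fullwidth compatibility form (NFKC folds it back)
FULLWIDTH = {"<": "\uff1c", ">": "\uff1e", '"': "\uff02", "'": "\uff07", "`": "\uff40"}


def encoded_variants() -> dict:
    """URL-encoded UTF-8 of each fullwidth form, e.g. '<' -> '%EF%BC%9C'."""
    return {ascii_ch: quote(wide, safe="") for ascii_ch, wide in FULLWIDTH.items()}


def widen(payload: str) -> str:
    """Rewrite an ASCII payload using fullwidth metacharacters."""
    return "".join(FULLWIDTH.get(c, c) for c in payload)


def ascii_filter_passes(s: str) -> bool:
    """Naive filter that rejects only the ASCII characters < > \" ' `."""
    return not any(c in s for c in FULLWIDTH)


def vulnerable_render(user_input: str) -> str:
    """Filter first, normalize second: the wrong order the tweet exploits."""
    if not ascii_filter_passes(user_input):
        return "blocked"
    # Later in the pipeline the app canonicalizes the string; '<' reappears.
    return unicodedata.normalize("NFKC", user_input)


def hardened_render(user_input: str) -> str:
    """Normalize first, then validate and context-encode the canonical form."""
    canon = unicodedata.normalize("NFKC", user_input)
    if not ascii_filter_passes(canon):
        return "blocked"
    return escape(canon, quote=True)  # output encoding is the real defence


if __name__ == "__main__":
    payload = "%EF%MC%9C".replace("%MC", "%BC") + "script%EF%BC%9E"  # same as the tweet's example
    print(encoded_variants())
    print("vulnerable:", repr(vulnerable_render(unquote(payload))))
    print("hardened:  ", repr(hardened_render(unquote(payload))))
```

hardened_render() normalizes before filtering and still HTML-escapes the result, so even a character the filter does not know about cannot reach the markup context intact.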