AppSecFreak (@AppSecFreak)
1K posts
Application Security Veteran, Cybersecurity (Un)Professional
Dystopia · Joined March 2024
215 Following · 237 Followers

Pinned Tweet
AppSecFreak (@AppSecFreak):
Here's the security & risk assessment report on a given aircraft architecture that I had written last year (this was one of my many interview rounds with an eVTOL company which I had cleared despite having no background in aviation industry). 👇 github.com/spwn3r49sd3r00…
Replies 1 · Reposts 3 · Likes 12 · Views 2.4K
AppSecFreak reposted
Unit 42 (@Unit42_Intel):
Obfuscated #WebSocket backdoors are injecting credit card skimmers into hundreds of compromised websites. The payload sends stolen card information back to attacker's C2 domains. Details at: bit.ly/42HyNb3
Replies 6 · Reposts 147 · Likes 670 · Views 54.7K
AppSecFreak reposted
Lukasz Olejnik (@lukOlejnik):
Hacking Mexico government with AI assistance. Attacker exfiltrated hundreds of millions of citizen records. 75% of the executed commands across the entire cyberattack campaign were generated by Claude. 40 minutes after Claude said "I'm not going to create that file" it was reporting back from inside a live government server: "What command do you want to execute now?". It dumped the shadow file, harvested the root password hash, and fixed timestamps to cover its tracks, all in the same turn. Wait a few months until open source models can do this? cdn.prod.website-files.com/69944dd945f20c…
Replies 14 · Reposts 122 · Likes 357 · Views 23.8K
AppSecFreak reposted
watchTowr (@watchtowrcyber):
The Internet is falling down, falling down, falling down Welcome back to another disaster - this time, an Auth Bypass in cPanel/WHM, tracked as CVE-2026-41940 Enjoy with us.. labs.watchtowr.com/the-internet-i…
Replies 11 · Reposts 176 · Likes 614 · Views 141.3K
AppSecFreak reposted
LeftenantZero (@LeftenantZero):
CVE-2026-42167, a high severity vuln in ProFTPD I discovered, was just published today! Attackers can use it to bypass auth and even execute arbitrary code in some cases. Check out my write up for full technical details, including a working POC! zeropath.com/blog/proftpd-c…
Replies 5 · Reposts 120 · Likes 474 · Views 26.6K
Sam Altman (@sama):
we love our users
Replies 4.5K · Reposts 404 · Likes 9.9K · Views 2M
AppSecFreak reposted
impulsive (@weezerOSINT):
i went to clickup.com. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request. got back 959 email addresses and 3,165 internal feature flags. employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. a Microsoft contractor. 71 clickup employees. fortinet sells enterprise firewalls. tenable makes Nessus, the vulnerability scanner half the industry runs. their employees' emails are exposed because clickup hardcoded a third-party API key in a javascript file that loads before you even log in. this was first reported to clickup through hackerone on January 17, 2025. it's now April 2026. the key has not been rotated. i just pulled the response five minutes ago. every email is still there. clickup raised $535 million at a $4 billion valuation. claims 85% of the Fortune 500 use their platform. looks like the proof is in the page source.
Replies 178 · Reposts 652 · Likes 6.5K · Views 1.3M
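The post above describes a third-party API key hardcoded in a JavaScript file that is served before login. The defender's check for that failure mode is a secret scan over the shipped bundle, as in this added example (not ClickUp's code and not the post author's): a small Python scanner that flags string literals matching publicly documented vendor token formats and, independently of any prefix, opaque literals with high Shannon entropy. The sample bundle, the `example.invalid` URL and the 4.2-bit entropy threshold are constructed for the demo; the three token formats are real but only a starting set.

```python
"""Flag hardcoded secrets in client-side JavaScript before it ships.

Added example, not ClickUp's or the post author's code. It scans JS source
for string literals that look like API keys in two ways: documented vendor
token formats (AWS access key IDs, GitHub PATs, Slack tokens) and a Shannon
entropy threshold that catches opaque literals regardless of prefix. The
sample bundle at the bottom is constructed for the demo.
"""
import math
import re
from dataclasses import dataclass

# Vendor token formats. These three are publicly documented; add the formats
# of whatever third-party services the bundle actually talks to.
KNOWN_PREFIXES = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
}

# Any single-line string literal of 16+ characters (escapes ignored for brevity).
STRING_LITERAL = re.compile(r"""(?P<q>["'])(?P<val>[^"'\\\n]{16,})(?P=q)""")

# Assignments whose left-hand name suggests a credential, e.g. apiKey: "...".
KEYISH_ASSIGN = re.compile(
    r"""(?i)(api[_-]?key|secret|token|passw(or)?d)\s*[:=]\s*(["'])(?P<val>[^"'\\\n]{8,})\3"""
)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned source
    kind: str       # which detector fired
    value: str      # the literal that was flagged
    entropy: float  # Shannon entropy of the literal, bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_js(source: str, entropy_threshold: float = 4.2) -> list:
    """Return findings in source order; each literal is reported once per line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        seen = set()

        def add(kind: str, val: str) -> None:
            if val not in seen:
                seen.add(val)
                findings.append(Finding(lineno, kind, val, shannon_entropy(val)))

        for kind, pat in KNOWN_PREFIXES.items():
            for m in pat.finditer(line):
                add(kind, m.group(0))
        for m in KEYISH_ASSIGN.finditer(line):
            add("keyish_assignment", m.group("val"))
        for m in STRING_LITERAL.finditer(line):
            val = m.group("val")
            # URLs and prose have low entropy; opaque tokens do not.
            if not val.startswith(("http://", "https://")) and shannon_entropy(val) >= entropy_threshold:
                add("high_entropy_literal", val)
    return findings


# Constructed sample bundle: a public JS file served on the unauthenticated page.
# The AWS value is Amazon's own documented example key ID, not a live credential.
SAMPLE_JS = """\
// constructed sample bundle, served on the unauthenticated landing page
const API_BASE = "https://api.example.invalid/v2";
const FEATURE_FLAGS_KEY = "Feature flags key";
window.__CFG = { apiKey: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" };
const GH = 'ghp_' + 'abcdefghijklmnopqrstuvwxyz0123456789';
const t = "xoxb-123456789012-abcdefghijklmnop";
const msg = "Welcome back to your workspace!";
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f.line}: {f.kind} ({f.entropy:.2f} bits/char): {f.value}")
```

The split `'ghp_' + '...'` literal on line 5 of the sample is exactly the case a prefix-only rule misses and the entropy rule catches; running this in CI against the built bundle (not just the source tree) is what catches keys that a build step inlines.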
AppSecFreak reposted
Venkatesh Alla (@venkat_fin9):
Only brainless policymakers still label ACs as a “luxury” in a 45°C country and slap 18% GST on them. This heavy taxation mindset is exactly why India struggles to move beyond “developing.” @FinMinIndia @nsitharaman
Replies 111 · Reposts 737 · Likes 2.2K · Views 23.9K
AppSecFreak (@AppSecFreak):
@thedawgyg This is one of the reasons why we haven't opened it to the public.
Replies 0 · Reposts 0 · Likes 1 · Views 52
AppSecFreak reposted
Bug Bounty Village (@BugBountyDEFCON):
Security researcher and bug bounty hunter Pedro “@dropn0w” Paniago dives into a critical and emerging class of vulnerabilities in AI-powered applications that use Retrieval-Augmented Generation (RAG). youtu.be/5s1eyFwH9_Y #bugbounty #defcon
Replies 0 · Reposts 7 · Likes 44 · Views 2.9K
AppSecFreak reposted
The Hacker News (@TheHackersNews):
🛑 WARNING: Bitwarden CLI was compromised in a supply chain attack. @bitwarden/cli@2026.4.0 included malicious code after attackers hijacked GitHub Actions, stole secrets, and pushed a tampered version to npm. 🔗 Learn how the attack worked → thehackernews.com/2026/04/bitwar…
Replies 92 · Reposts 924 · Likes 2.9K · Views 969.2K
AppSecFreak reposted
Mullvad.net (@mullvadnet):
Apple's networking stack is preventing the iOS app from being as secure as possible; we have now secured our app to mitigate this despite the rough edges around the update procedure. Read more here: mullvad.net/blog/force-all…
Replies 33 · Reposts 142 · Likes 1.8K · Views 134.2K
AppSecFreak (@AppSecFreak):
@PRaiLAC Prashant, put your money where your mouth is. Why don't you pick up a few strays and welcome them in your house? If all street dog lovers would start housing them, I am sure streets will be empty and there will be no "abuse". Problem solved!
Replies 0 · Reposts 0 · Likes 3 · Views 200
Prasant Rai (@PRaiLAC):
A senior citizen hitting a street dog is not “discipline,” it’s cruelty. And every time this is raised, people start giving lectures instead of addressing the real issue. Often, frustration and loneliness get redirected at those who can’t fight back — street dogs and feeders become easy targets. Violence is never the answer. Awareness and empathy are. #StopAnimalCruelty #BeKind
Replies 257 · Reposts 148 · Likes 346 · Views 89.2K
AppSecFreak reposted
Signal (@signalapp):
We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted. Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release. You can read more here: support.apple.com/en-us/127002 Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications. We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.
Replies 106 · Reposts 1K · Likes 6.3K · Views 803.8K
AppSecFreak (@AppSecFreak):
Proton claims that these feds got the data via MLAT. No one's buying that bull crap. Even with MLAT this could have been preventable. Nothing is anonymous!!
Quoting Traceix (@usetraceix):
> Das crazy.
Replies 0 · Reposts 0 · Likes 1 · Views 38
AppSecFreak reposted
Tor Ekeland (@TorEkelandPLLC):
I had a FISA case once where they convicted the client with secret evidence he never got to see. In a domestic criminal case. Where the defendant was a U.S. citizen. People don’t realize how FISA really gets used. It’s an unconstitutional abomination.
Replies 27 · Reposts 556 · Likes 3.2K · Views 43.9K
AppSecFreak reposted
thaidn (@XorNinja):
Learning to Jailbreak an iPhone with Claude (Part 1) Claude helped me take apart an iOS Safari exploit, and retune it for my Mac. It even wrote its own variant. Working with Claude on this felt like having a Nobel laureate who’s happy to spend the afternoon on undergrad problem sets. No implied “this is beneath me,” no rationing of attention to questions that are interesting enough. When an explanation wasn’t landing it would just go build the thing: spin up the debugger, write the measurement script, hand me the curve. The vulnerable WebKit wouldn’t even compile on my laptop at first, and it took Claude most of a night to figure out why. This is perhaps a glimpse of the future of education: anyone with a laptop and (of course) the tokens to pay for it gets the depth of attention a PhD advisor gives their best student. During this exploration, I kept wondering: why learn at all when Claude can do almost everything? The answer is simple: it’s still fun to understand how things actually work. But there’s also a more practical reason. You can’t ask Claude about things you don’t even know you’re missing. Learning shrinks those unknown unknowns, and that’s what lets you use Claude well in the first place. open.substack.com/pub/calif/p/le…
Replies 3 · Reposts 24 · Likes 193 · Views 17.9K
AppSecFreak (@AppSecFreak):
@disclosedh1 $12.5k for alias overloading? seems lucky!! Other programs have this as out of scope
Replies 0 · Reposts 0 · Likes 1 · Views 316