BrunoZero

@TheGrandPew Happy bdayy :)

age++

@codewithimanshu @0xacb @H4R3L @sudhanshur705 it's fixed now

@0xacb @H4R3L @BrunoModificato @sudhanshur705 Wow, Andre, that's some serious security flaw, no? Very interesting indeed.

Crazy XSS chain. Very impressive find by @H4R3L, @BrunoModificato and @sudhanshur705 Read at👇  nokline.github.io/bugbounty/2024…

Our research team achieved client RCE on Minecraft Bedrock Edition via a heap overflow to bypass ASLR and sidestep CFG. Writeup to come.

New research, I did found many wallets /web 3 products not taking in consideration the difference between desktop env and mobile env leading to high severity issues.

NEW: OAuth misconfigurations show how common dev settings can lead to account takeovers. Our second deep dive breaks down real cases where overlooking differences between desktop and mobile environments left SDKs, exchanges, and wallets open to exploits. osec.io/blog/2025-10-1…

@smashjarchive @osec_io you can find it here ottersec.notion.site/Sampled-Public…

@osec_io The lavamoat audit link is an expired notion link 😅?

NEW: The recent supply-chain attack on NPM exposed a fundamental vulnerability in the open-source ecosystem and the risks that lurk within our dependencies. We break down how the malware worked and practical defenses every dev should know ↓ osec.io/blog/2025-09-1…

As a MetaMask user, you do not need to be scared of the supply chain attack that took place earlier today. MetaMask has multiple layers of defense to protect our products and users: - Basic Security: We lock our versions, don't push directly to main, have manual and automated checks during the entire development lifecycle, and have robust release processes and monitored rollouts. - LavaMoat: Prevents malicious code from harming you, even if malicious code was to somehow sneak in. LavaMoat covers both the development lifecycle and runtime scenarios. - Blockaid: Flags malicious addresses nearly instantaneously, protecting you from compromised dapps. Security is paramount for MetaMask. We work tirelessly to protect you from attacks and threats, including supply chain attacks. 🧡

NEW: Proof of Reserves you can verify yourself. We teamed up with @Backpack to build PoRv2, a zero-knowledge system for fast, transparent solvency checks. More on how we designed it ↓ osec.io/blog/2025-08-2…

Yay, got a new bounty #bugbountytips

@S1r1u5_ Wtf. Where are you going btw?

peak third-worlder hustle just to get a basic visitor visa.

Happy to talk there :)

@xenobyte_ I think AI offers no technical improvements, it can only help with correcting English grammar

@BrunoModificato Some improved too tho, It seems to me that people that made poor reports now are making worse ones and people that made good ones are writing even better ones

I hope the AI hype ends soon: :'(. The quality of infosec reports and write-ups has been declining so much because of AI slop

@28YearsLaterMov amazing

What will humanity become? Danny Boyle and Alex Garland reunite for #28YearsLater - only in theatres 6.20.25.

@zhero___ Nice article, I did use x-now-route-matches to exploit a cache poison to DOS some months ago, that header can lead to interesting results on the next JS caching

publication of my latest modest paper; Eclipse on Next.js: Conditioned exploitation of an intended race-condition - (CVE-2025-32421) enabling a partial bypass of my previous vulnerability, CVE-2024-46982 by chaining a race-condition to a cache-poisoning zhero-web-sec.github.io/research-and-t…

Just completed this yesterday, it was fun with some cool tricks! It's been a while since I did a challenge, but I loved it. Thanks @joaxcar for the challenge

@S1r1u5_ They just won’t accept the bug and will tell is next.js fault

and earn good $$ on crypto web apps. its all Next.js

i am telling you, if you do it right, you can find one vulnerability on Next.js every week.

New research 🫡

NEW: A few months ago, we uncovered an authentication bypass in Web3Auth that could have led to full account takeover. In this deep dive, we break down how we found the issue and expose other authentication misconfigurations lurking in Web3. osec.io/blog/2025-07-0…