Erik
81 posts


Yay, I was awarded a $50,000 bounty on @Hacker0x01! hackerone.com/david96 #TogetherWeHitHarder
HTTP Request smuggling

Recently I don't tweet much, but today has been a beautiful day that made me feel better after some other disappointments:
9th in Spain 🇪🇸 and a great impact!
A year or so ago this was unthinkable for me 📈
Thanks #BugBounty


Erik retweeted

Thanks to everyone who joined us at the @Hacker0x01 Brand Ambassadors Speed Show&Tell in Madrid, and special thanks to all who presented! 💕




Erik retweeted

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)
Erik retweeted

new discovery: cache poisoning on next.js - CVE-2025-49826
indefinite caching of a 204 response, rendering the affected pages inaccessible
affected versions: >15.0.4 and <15.2.0
there will be no research paper for this one
inzo @inzo____
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN
Erik retweeted

Confirmed! Former Master of Pwn winner Manfred Paul used an integer overflow to exploit #Mozilla Firefox (renderer only). His excellent work earns him $50,000 and 5 Master of Pwn points. #Pwn2Own #P2OBerlin



Anyone got suggestions for what podcasts you'd like to see me interviewed about research or @Burp_Suite on, or any more specific topics you'd like to hear about?
Erik retweeted

Let me doubt it, Spain has the best hackers in the world! ❤️🇪🇸

Felipe Alejandro @fwrnr
| ̄ ̄ ̄ ̄ ̄ ̄ ̄|
| Indians |
| are the best |
| bug bounty |
| hunters |
|_______|
(\__/) ||
(•ㅅ•) ||
/ 🇮🇳 づ
Erik retweeted

First it was BleSpammer. Now it's VSC Enumerator. The @Tarlogic Innovation team has just released a new PoC that allows discovering hidden commands in Bluetooth adapters.
In this GitHub link you have all the info 👇
github.com/TarlogicSecuri…

Erik retweeted

Detect the NextJS middleware bypass directly in Burp Suite with this BCheck from @eternalky_u
gist.github.com/fourcube/45a78…
Erik retweeted

the research paper is out:
Next.js and the corrupt middleware: the authorizing artifact
result of a collaboration with @inzo____ that led to CVE-2025-29927 (9.1-critical)
zhero-web-sec.github.io/research-and-t…
enjoy the read!

Erik retweeted

I'm happy to announce that my paper on ELF Relocations is finally out!
Check it out here: tmpout.sh/4/4.html 👀

📢Attention! Thanks to @therealdreg we are raffling an in-person ticket without materials for the Hardware Hacking bootcamp on April 17-20: hardwarehacking.es
👉All you have to do is reply to this tweet mentioning another colleague
📆Raffle: March 23

Erik retweeted

Good news! I've uploaded a new post about the most complex and beautiful vulnerability I've ever found, involving patching and uploading deprecated .jar libraries to get RCE on a big target. It's a very technical post, but I hope you like it! :)
hacefresko.com/posts/rce-on-s…
Erik retweeted

Despite being central to their security, many orgs struggle to securely implement #OAuth. Our new post walks through common issues & how to prevent them, along with a useful checklist! Read it today & ensure your org is secure: blog.doyensec.com/2025/01/30/oau…
#doyensec #security #appsec

Erik retweeted

very pleased to announce the release of my new article based on my research that led to CVE-2024-46982 titled:
Next.js, cache, and chains: the stale elixir
zhero-web-sec.github.io/research-and-t…
note: does not cover the latest findings shared in my recent posts
enjoy reading;

Erik retweeted

After weeks of work, @therealdreg and I have finished FTDIBRICK. This project leverages the clock integration of some FTDI chips to brick them, even with non-administrator users. Thanks to @FTDIChip for making this possible. Check it out!
github.com/therealdreg/ft…
Erik retweeted

🚨 #BlueSpy is now available on our GitHub. This proof-of-concept allows you to listen in on conversations from Bluetooth headsets without your users' knowledge. We have already alerted manufacturers whose devices have some vulnerabilities.
github.com/TarlogicSecuri…




