Jonathan Leitschuh - JLLeitschuh@infosec.exchange

2.2K posts

@JLLeitschuh

Inaugural Dan Kaminsky Fellow | Security Researcher for the OSS Ecosystem | Speaker | Dropper of 0days (Responsibly) | @GitHub Star ⭐️ | Opinions=Mine | He/Him

Boston MA, Joined May 2010
614 Following, 3.7K Followers

Pinned Tweet
Jonathan Leitschuh - JLLeitschuh@infosec.exchange
This is my #ZeroDay #PublicDisclosure of a security vulnerability impacting 4+ Million of @zoom_us's users who have the Zoom Client installed on Mac. Zoom had 90-days + two weeks to resolve this #vulnerability and failed to do so. https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5?source=friends_link&sk=efee51610d7aac4a2c58d89628b2980b
Jonathan Leitschuh - JLLeitschuh@infosec.exchange retweeted
Peter Girnus 🦅 @gothburz
BREAKING: MongoDB Introduces Surprise Holiday Feature

FOR IMMEDIATE RELEASE

PALO ALTO, CA — MongoDB is thrilled to announce MongoBleed™, an innovative new feature that proactively shares your database contents with the broader internet community.

"For years, customers asked us: 'How can we make our sensitive data more accessible?'" said a spokesperson we definitely didn't make up. "MongoBleed answers that call. No authentication required. No consent needed. Just pure, frictionless data liberation."

Key Features:
- Zero-Click Sharing: Your passwords share themselves!
- Decade of Trust: We've been quietly beta-testing this since 2015
- Holiday Launch: Because nothing says "Merry Christmas" like your production secrets on GitHub
- Elastic Integration: Built by someone who definitely understood the assignment

Customer Testimonial:
"I was enjoying Christmas dinner when I got paged. My database was sharing our user credentials with the world. It really brought the family together—around my laptop, watching me cry." — Definitely a real IT admin

What's Next?
We're excited to announce our 2026 roadmap includes:
- Automatic password broadcasting to Shodan
- AI-powered secret harvesting (we're pivoting to AI!)
- A Slack integration that just posts your .env files directly to #general

About MongoDB:
MongoDB is the database that believes data wants to be free. Very, very free.

doublepulsar.com/merry-christma…
Harsh Jaiswal @rootxharsh
With only 48 hours remaining in a bug bounty event, I used @HacktronAI CLI to perform large-scale analysis of several JDBC drivers. Netting $85,000 in total rewards. This write-up shows how AI-assisted vulnerability research is speeding up the work of researchers and leading to high-impact findings. Read here - hacktron.ai/blog/jdbc-audi…
Jonathan Leitschuh - JLLeitschuh@infosec.exchange
As a result, downstream consumers are just going to continue to get bad CVE data for MSFT vulnerabilities, as demonstrated in this case.
Jonathan Leitschuh - JLLeitschuh@infosec.exchange
.@msftsecresponse published probably one of the most opaque CVE descriptions I've seen: "Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network." Like... What is that even supposed to mean?! 🧵
Jonathan Leitschuh - JLLeitschuh@infosec.exchange retweeted
Socket @SocketSecurity
⚠️ Google’s OSV just added 500+ new advisories, not from new vulns, but from fixing a long-standing policy that made disputed CVEs invisible. Learn more → socket.dev/blog/google-os…
Jonathan Leitschuh - JLLeitschuh@infosec.exchange retweeted
Socket @SocketSecurity
Today we’re publishing research on 80 confirmed fraudulent candidates who applied for Socket engineering roles in the past 2 months. They’re part of a coordinated campaign, including suspected North Korean operators, aiming to infiltrate hiring pipelines. socket.dev/blog/fraudulen…
Peter Cruckshank @PeteCapeCod
Has anyone come across this situation today? Like I'm going to switch my SSO auth over to @better_auth and vet-mcp flags it as malicious? 🤷🏻‍♂️ Also @SocketSecurity can't load the scores right now?!? 👀 What the hell is going on?!
Jonathan Leitschuh - JLLeitschuh@infosec.exchange retweeted
Socket @SocketSecurity
🚨 Breaking: npm author Qix compromised. Malicious package versions published in projects that typically see hundreds of millions of downloads each week. Details: socket.dev/blog/npm-autho…