Mochammad Nosa Shandy

6.7K posts

@LocalHost31337

another infosec guy | {insert your certification here}

Joined April 2015
1.6K Following, 2K Followers
Pinned Tweet
Mochammad Nosa Shandy @LocalHost31337:
So, in August I found a clickjacking bug on Google worth $7,500. This is the write-up: apapedulimu.click/clickjacking-o… Thanks to all of the community who taught me a lot about finding bugs, especially the Indonesian bug hunter community. 🙏
Mochammad Nosa Shandy retweeted
Mushtaq Bilal, PhD @MushtaqBilalPhD:
Sci-Hub is an evil website that pirated 85M+ research papers and made them freely available. And now they've added AI to their database to make Sci-Bot. It answers your questions using the latest, full-text articles. But DO NOT use it. We should all try to make billion-dollar academic publishers richer. I'm putting the link below so you know how to avoid it.
Mochammad Nosa Shandy retweeted
OmerAF @omer_asfu:
I achieved a cross-tenant #RCE in #GoogleCloud simply by abusing predictable bucket names. 🪣 In my latest research for @FocalSecurity, I look into "Bucket Squatting" - a cross-tenant attack that landed me 3 critical vulnerabilities in GCP. Here is how it works:
Mochammad Nosa Shandy retweeted
skull @brutecat:
My 2nd RCE in Google Cloud production (Borg) in less than 3 months... I'm at $600k in total rewards from Google VRP in the past few months. Still can't believe it.
skull @brutecat:
Finally had the pleasure of meeting @sirdarckcat IRL at Google Singapore 🇸🇬 Always learn something new talking to him!
Mochammad Nosa Shandy retweeted
s1r1us (mohan) @S1r1u5_:
I pointed Claude Opus at Chrome and told it to build a full V8 exploit for Discord. A week of back-and-forth pulling it out of dead ends. 2.3B tokens. $2,283 in API costs, and it popped a shell. hacktron.ai/blog/i-let-cla…
Mochammad Nosa Shandy retweeted
Synack Red Team @SynackRedTeam:
Is your checkout logic costing you? 💸 In our Exploits Explained blog, SRT member Tubagus Fahrudiansyah exposes a critical business logic flaw that turned a standard checkout into a free-for-all. By exploiting a synchronization gap between the payment gateway and the shopping cart, this researcher successfully finalized high-value orders for the price of a single, cheap item. Read the full breakdown & remediation steps: synack.com/exploits-expla…
Mochammad Nosa Shandy retweeted
Intigriti @intigriti:
Are you testing for race conditions? 🏁 If not, it can sometimes be as easy as:
1. Grouping your requests in Burp Repeater
2. Sending all groups in parallel 🤠
Example! 👇
Mochammad Nosa Shandy retweeted
YS @YShahinzadeh:
Android hunt GOLDEN tip: if you land inside an internal WebView via deep link (myapp://web?url=your_site), dump all JS bridges. Apps inject native objects on window; they are callable by JS, and some leak tokens, fire authed requests, etc. 1-click ATO material ;]
Mochammad Nosa Shandy retweeted
Zellic @zellic_io:
How to find a $65,000 zero-day in Chrome V8: Meet @eternalsakura13, researcher at Zellic.
- Top 3 Chrome VRP 2022–2024
- Top 2 Facebook whitehat in 2023
- Top 10 MSRC MVR in 2025
Here’s a walk through the mind of one of the world’s best Chrome researchers. Can you follow along?
Mochammad Nosa Shandy retweeted
Intigriti @intigriti:
Master broken access control vulnerabilities! 😎 A thread! 🧵👇
Mochammad Nosa Shandy retweeted
RyotaK @ryotkak:
I've published a writeup on a vulnerability I found in Google Cloud Looker: a single directory deletion bug that led to RCE and cross-instance privilege escalation in k8s.
(quoting GMO Flatt Security Inc. @flatt_sec_en:)
We've published a new blog post by RyotaK @ryotkak! He exploited a directory deletion race condition in Google Cloud's Looker, leading to full RCE and K8s privilege escalation. Read the technical details here: flatt.tech/research/posts…
sw33tLie @sw33tLie:
I wanted a screenshot tool for macOS better than anything out there, so I built one with @claudeai. Native Swift. No Electron. Annotate, record screen, scroll capture, auto-redact PII, beautify, upload to Drive & more — one flow. Free & open source forever. macshot 🔗👇
Mochammad Nosa Shandy retweeted
YS @YShahinzadeh:
I published one of the techniques that I've been using against OAuth providers. Honestly, it's led me to discover many flaws, and recently I used it to find a 1-click ATO on one of the most widely visited websites. I hope you find it useful :-) blog.voorivex.team/story-of-abusi…
Mochammad Nosa Shandy retweeted
✨_geeknik_//✨ @geeknik:
Pentesters found a fully-patched WordPress site. All plugins updated. No exposed APIs. Clean. Then AI read 20 plugins' source code and found an unauth deserialization → novel Monolog RCE chain → webshell in hours. "Up to date" is not a security posture. blog.sicuranext.com/exploiting-a-p…
Mochammad Nosa Shandy retweeted
Douglas Day @ArchAngelDDay:
It is wild to think that the bug bounty automation engine I built by myself is leaps & bounds more mature than enterprise level security products that charge 7-figures.
Mochammad Nosa Shandy retweeted
8kSec @8kSec:
This blog walks through Android deep link and WebView exploitation, bypassing host validation to exfiltrate credentials from shared_prefs via JavaScript: 8ksec.io/android-deepli… Tested on InsecureShop using ADB + Frida.
Mochammad Nosa Shandy @LocalHost31337:
@mindfulln3ss @0xObsidian_X Doesn't work though. I once reported 2 IDORs on different endpoints on some program on @Bugcrowd. 1 report, along with a video, was already triaged by the analyst and given to the team; once the team stepped up they could not reproduce it and it was fixed. They ignored the video and closed it as N/A.