mera @MeraMeraska
887 posts
Joined February 2022
114 Following, 289 Followers
impulsive @weezerOSINT:
not going to pretend the disclosure was perfect. it wasn't, next time things will be done better. i want to thank @ZackKorman for reaching out and pushing me to think about this differently. the criticism was heard and next time things will be done better. what concerns me more than any single company is that there's no security standard for apps at all. apple will reject your app for a missing icon but not for hardcoded api keys protecting data. until that changes, vulnerable users are going to keep being failed by platforms they trust with their lives.
mera @MeraMeraska:
A vague post saying "Check your emails" is not a serious attempt. Please learn from the experts and professionals giving you advice, there is a reason for these standards. You could have even made a big post saying you discovered a serious security flaw and asked for help getting in contact with them. A single email (can be swept up by spam filters) to a mass public-facing address and a vague tweet is not a serious attempt. Please learn from this, everyone egging you on are random people on the internet, not security people; the people pushing back and giving you advice are.
impulsive @weezerOSINT:
this man called me blackhat on his timeline to 71k people. in the dms he told me he's "not claiming i released some secret technique" so which is it? he had the platform to help get this fixed. contact the company, escalate the report, connect me with the right people. instead he chose to start a public fight over disclosure timelines and guess what? the company rotated the key. 25 days of private emails got nothing. one public tweet got it fixed. Joseph Thacker you know what you were doing when you made this post, you are a grown man instigating tl wars. isn't there anything else you could be doing with your time right now?
mera @MeraMeraska:
It really doesn't matter. You are revealing exploits publicly, it doesn't matter if it's trivially easy. You are supposed to report it, and if they ignore you, go contact someone with more clout like a security researcher or journalist. In any case, so you sent someone an email less than a month ago, and that's it? No serious attempt to inform them then. In any case you can point sonnet at many sites and find vulnerabilities like this even, yes there is a lot of totally irresponsible practice going on with a lot of new and even old apps (due to the rise of vibecoding). I highly recommend that in future you put a bit more effort into contacting companies, automated spam filters can easily set aside what you email them. If you need help getting a company's attention I'm sure there's journalists or other people with influence that can help. By the way @AnthropicAI @trq212 are you happy with Claude Mythos being used like this and someone leaking all the details on the web because a company didn't respond to a single email less than a month ago?
impulsive @weezerOSINT:
@MeraMeraska @Itx_Shad0w this data extraction technique is like step 1 for anyone doing mobile pentesting, literally a 12 year old can unzip an ipa, i am not arguing over loopholes with you, this is doing nothing but going backwards
mera @MeraMeraska:
@weezerOSINT @Itx_Shad0w It doesn't matter that you censored anything when you revealed how to trivially extract the data.
impulsive @weezerOSINT:
the DOJ revised their CFAA charging policy in 2022. it says federal prosecutors "should decline prosecution" for good-faith security research, defined as accessing a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw, where such activity is carried out in a manner designed to avoid any harm to individuals or the public." i censored all user data, emailed the company first, and asked them to fix it. that's textbook good faith justice.gov/archives/opa/p… and that's from mythos
mera @MeraMeraska:
But you now disclosed to the world on a public forum how to get to that data. Essentially, you discovered a vulnerability, and after the company didn't reply within a couple of weeks you leaked it to the public. Did you try to inform security researchers about this who could've gotten the company to listen more? What you are doing is irresponsible. I have also discovered vulnerabilities before, I never showed it to the public even if the company never responded. At that stage just send it off to security researchers. You seem to be sharing this publicly for clicks more than out of concern about safety.
impulsive @weezerOSINT:
i censored every piece of user data. no emails, no names, no journals. the API key ships in every copy of the app on the App Store, 2 million people already have it on their phones. the risk didn't start with my tweet. i emailed them april 7. no response. tweeted at them. no response. i have over 60 vulnerabilities across different apps that i never posted and never made a dollar from. where are you getting "quick money" from? i asked them to fix it for free. "move on" means 357,939 users' addiction recovery journals stay in an open database forever because the company couldn't be bothered to reply. that's the outcome you're defending right now
Gabriel Epstein @GabrielEpsteinX:
Palestinian Islamic Jihad (PIJ) identified 43 more slain commanders, totaling 209 announcements in the past 2 months. Most of this tranche are platoon-level commanders and were killed in the first year of the war. The list includes 6 workers for the Hamas-run government. 🧵
Lebanese Army (الجيش اللبناني) @LebarmyOfficial:
A specialized army unit dismantled five unexploded aircraft bombs left over from the Israeli aggression in the Haret Hreik area of the southern suburb of Beirut, and transported three of them for the necessary handling; work is underway to transport the remaining two bombs. The army command calls on citizens not to approach the damaged areas and to report any suspicious object to the nearest military post. #الجيش_اللبناني #LebaneseArmy shorturl.at/fQhBb
mera @MeraMeraska:
@EpicFuryMap There is still stuff from the 12 day war no one put up publicly. Even without imagery restriction, I think there's hundreds of targets still not out on any osint map, and they may never be.
Iran Conflict Maps @EpicFuryMap:
This is the result of imagery being restricted. An IRGC base in east Tehran was wiped out before March 17 and no one said a word. No PR. No claims. Nothing. We only found it nearly a month later… in low-res satellite imagery. If this matters to you, please share it.
Soureh 🟩☫🟥 @Soureh_design2:
The B1 bridge was bombed on the national nature day, when all Iranians are out on picnics. As you can see, many were around the bridge.
mera @MeraMeraska:
@natsecboogie @Shayan86 Yeah, I've also come to the conclusion that's the best way to do it. State video is authentic and geolocated but that proof won't be shared publicly due to the risk to the safety of the person filming.
Pernicious Propaganda @natsecboogie:
@MeraMeraska @Shayan86 Further, you can say as a person or organization that you independently verified w/ other persons or organizations that the information & general location is accurate to add further validity to what you are saying.
Shayan Sardarizadeh @Shayan86:
A kind note to fellow open source researchers: Do not post the coordinates of videos from Iran that reveal the home addresses of people, particularly if they're chanting anti-government slogans or showing dissent. It could put them at risk of being identified and detained.
mera @MeraMeraska:
You're right, not everything has to be, but you should assume someone will once it's on mass social media. Public geolocators are a fraction of what's going on behind the scenes, and their purpose is typically to help the public (and journalists, and institutions) know that footage is real. In some cases that can put people at risk, and yes, judgement should be used.
Pernicious Propaganda @natsecboogie:
@MeraMeraska @Shayan86 Not every video released needs to be geolocated. Not every photo shared needs to end up on the @GeoConfirmed or @FaytuksNetwork map. There are things that are more important than that & geolocators have a responsibility to use judgement on whether or not a geo will do harm.
mera @MeraMeraska:
The value is that the video can be deemed authentic. And imo regardless of Mitch doing it or not, people (including the IRGC) will geo it, so I mean that goes without saying. There are people doing this privately for all kinds of uses, including people wanting to do the protesters harm. When you protest in a large city, people including the IRGC and police will know about it.
Pernicious Propaganda @natsecboogie:
@MeraMeraska @Shayan86 What value does providing coordinates or a proof/laydown add at the end of the day wrt those two videos? Further, if you told someone that if they were going to share their video their location would be compromised & lives threatened, we imagine many would not release the video.
Chris Osieck @ChrisOsieck:
@MeraMeraska @Shayan86 I was involved in the following article in 2023 on ethical dilemmas during digital research. I think it's valuable for every researcher to read. The main point is that one should put the safety of the people that are living under war, dictatorship, or occupation as a priority:

Quoted post from Chris Osieck @ChrisOsieck:
Even when it's important to narrow down images and videos coming out, ethics still matter. In some cases, it may be better to share material with someone who works on this professionally so it can be handled responsibly. As I said in a @bellingcat article back in September 2023:
mera @MeraMeraska:
@hey_itsmyturn Probably just these flaring, unless we have some fire footage
mera @MeraMeraska:
@hey_itsmyturn How sure are we those are new fires and not just heat anomalies that have always occurred in this area?
mera @MeraMeraska:
Yeah it's tough because personally I'm one to say "If it's online, we can geolocate it" but I understand the risk to individuals here. How would you suggest then that something like the above is handled? If we geolocate an incident being videoed and publicly shared of people chanting death to the IRGC, how can we share with the world that we verified that it is in Tehran without putting anyone at risk? Perhaps you have some ideas. I have thought about something like "We have confirmed that this is in x city, exact proof is available to accredited journalists in private" or something? Some people at the BBC did geolocate (or attempt to) events like these and then deleted it later, so I'm also curious how you guys will handle things like these.
Shayan Sardarizadeh @Shayan86:
@MeraMeraska Not referring to any specific video, just a general point. And you're right, they definitely know their country perfectly well, and the people who film those videos are aware of the risk. It's just best we don't make the IRGC's job easier for them if we can.
mera @MeraMeraska:
"If your audience doesn't trust you enough when you say you can confirm this" is a separate point, but you shouldn't trust anyone on twitter, always verify. You are right about people's safety though. I just doubt Mitch helps the IRGC much with this, as if they don't know their own city, but with things like this maybe it's better to be safe than sorry. In any case please raise your points to him, he might change his mind or change how he posts. He has geolocated protestors being gunned down before too, which helps show the world those actions, so don't think of him as an IRGC spy.
Mitchell Ulrich @Mitch_Ulrich:
Geoconfirmed. Chants of protestors can be heard throughout Chitgar Town in District 22, Tehran, Iran. POV is approximately 35.74879, 51.18685 with multiple distinct buildings visible along with unique features of the complex. @FaytuksNetwork @GeoConfirmed
mera @MeraMeraska:
"You can confirm the location" How does one do this without being another "Trust me bro this is definitely in Tehran" propaganda twitter account? And much of the proof of so many Iranians being slaughtered is thanks to people like @Mitch_Ulrich and others mass geolocating public events like this one. I think people have a point about the homes thing, please engage with him constructively over it.