Sadra

559 posts

@MrMSA16

18 y/o, Bug Hunter, Security Researcher

Joined October 2020
501 Following, 3.3K Followers
Sadra retweeted
Noah Zweben @noahzweben
Announcing a new Claude Code feature: Remote Control. It's rolling out now to Max users in research preview. Try it with /remote-control Start local sessions from the terminal, then continue them from your phone. Take a walk, see the sun, walk your dog without losing your flow.
Sadra retweeted
23 @0X23XO
Voorivex's classes aren't just classes, there's smth BEYOND class. Special tnx 2 Sadra 4 these gifts, hope to more bugs and more bounties 4 u, I love these books 🩷🫶🏿 @MrMSA16 @voorivex I wanna mention one of ma classmates who gave me his gift but don't have his ID :(
AmirMohammad Safari @AmirMSafari
Nicely crafted payload for the onbeforematch event handler with @nowaskyjr. I used it to build a payload that bypasses Cloudflare WAF. The interesting part? If you remove }_, the payload stops working :D
Nowasky @nowaskyjr

Combining two techniques I recently showed: attribute merging of <html>/<body> tags and using hidden=until-found to trigger onbeforematch via fragment navigation in Firefox. #xss storage.googleapis.com/nowaskyjr/poc_…

Amirabbas Ataei @ImAyrix
For the past year, I've been using a private wordlist generated from actual bug bounty reports. I grabbed disclosed report texts by simply appending .json to the report URLs (as shown below) and fed them into fallparams to mine parameters from the included requests and snippets.
YS @YShahinzadeh
this one is brilliant! you may have seen GIS OAuth during hunting (I have, many times), XSS + ATO. I recommend reading and studying this write-up (author does not have X acc)✌🏻 blog.voorivex.team/not-so-dirty-d…
یاشو @voorivex
Come on, Voorivex kids. History repeats itself 😎
Sadra retweeted
YS @YShahinzadeh
new to Google VRP, seems google does not define the bounty amount right after triage, the bug is on an AI product (I cannot name it here), I'm not sure how much bounty I should expect here
Sadra retweeted
AmirMohammad Safari @AmirMSafari
If a CSPT bug can't be exploited on the same origin, you can pivot it to another one. Cloudflare Image Transform can act as a cross‑origin gadget to reach more sensitive endpoints on different origins - you can read more about it here ;) blog.voorivex.team/cloudflare-ima…
Sadra retweeted
Youssef Sammouda (sam0) @samm0uda
Due to the repeated screw-ups and zero transparency around bans by @Hacker0x01, I’ve chosen to leave with dignity. My account is now fully deactivated and to be removed. If you need my services, I’m still available at @Bugcrowd @intigriti @immunefi @HackenProof @StandoffBB
YS @YShahinzadeh

I’ve been hunting on H1 for almost 3 years, ranked #18 in 2025, have always tried to contribute positively to the hacker community. I’ve earned around $500k in bounties and was on the road to $1M. Yet I don’t even have HSM, and I feel I haven’t been recognized as I should 1/4

Sadra retweeted
YS @YShahinzadeh
I’ve been hunting on H1 for almost 3 years, ranked #18 in 2025, have always tried to contribute positively to the hacker community. I’ve earned around $500k in bounties and was on the road to $1M. Yet I don’t even have HSM, and I feel I haven’t been recognized as I should 1/4
Youssef Sammouda (sam0) @samm0uda

@Hacker0x01 is now banning people without explanation or providing how the terms and conditions were violated. While other platforms are advancing, H1's revolutionary new vision is to track hackers on social media, make assumptions and ban them without real proof.

Sadra retweeted
Youssef Sammouda (sam0) @samm0uda
@Hacker0x01 is now banning people without explanation or providing how the terms and conditions were violated. While other platforms are advancing, H1's revolutionary new vision is to track hackers on social media, make assumptions and ban them without real proof.
YS @YShahinzadeh
just crossed 10k on H1
Sky Desperados @jusxing
Last month, I found a 0-click account takeover with a very simple match-and-replace trick. Sometimes applications have different API endpoints for different functions. For authentication, developers often use session cookies or exchange tokens. In some cases, if the main session is deleted, the application falls back to using another cookie or a unique ID in the headers for authentication. By inspecting the JavaScript and requests, I noticed this behavior. If the main session wasn’t available, the app would accept the unique ID in the header and automatically set new cookies. So, I deleted the main session and simply replaced the header with the unique ID — which led to account takeover.
Sadra retweeted
Omid Rezaei @omidxrz
after a long time, I decided to write a blog post about one of the old bugs I found in an Android app, which finally led me to achieve 0-Click Mass Account TakeOver. It's now published, you can read it here: blog.voorivex.team/0-click-mass-a…
Sadra retweeted
Omid Rezaei @omidxrz
after many unlucky moments in bug bounty, July was fun with interesting findings. I made around $30k bounty, mostly from XSS and OAuth. In August, I've planned to dive deeper into client-side stuff