Alexandre S.
626 posts


@I_Am_Jakoby Reminds me of reaching the docker daemon via a CSRF which only works in FF... 🤔
mrsheepsheep.me/posts/docker-x…


@Nishacid A few suggestions: maps.app.goo.gl/2K7JuP79QTFf6K…
maps.app.goo.gl/gnMHMSKYLiCdfL…
maps.app.goo.gl/UjsGfAg3vroLxW…
maps.app.goo.gl/n9h3XHF9dQdxdG…

Hi French folks 🇫🇷
I'd like to share my new (non-cyber) project with you, to enrich your culture a bit and showcase our heritage.
This map collects the best unusual names of towns, villages and communes in France.
nom-dune-ville.fr
Have fun 😁

@podalirius_ Exact same experience on official login page phishing, marked as "important"... Got a bounty however, after 5 months of silence from MSRC. Won't report ever again.

Got the exact same answer from MSRC two months ago. My vulnerability was not critical so no CVE, no bounty … but they have patched it a few weeks later
This is genuinely concerning as security researchers have literally no reason to report issues to MSRC if that continues
Zack Korman@ZackKorman
Microsoft now confirmed that because the vulnerability I reported is important, not critical, and because they’ve now fixed it they won’t issue a CVE. It’s like they actually want to discourage people from reporting.

@Print3M_ @defcon @RedByte1337 Meanwhile at @dcgparis x.com/dcgparis/statu… github.com/mrsheepsheep/i… 😎
DEFCON GROUP Paris@dcgparis
Here's the talk for the next meetup! 🎙️ "Your cloud identity providers are phishing platforms" - by @MrSheepSheep 📅 19/04 📍 Oculto, 27 R. Quincampoix, 75004 🕖 19:00 Registration on our website

"Turning Microsoft's Login Page into our Phishing Infrastructure". Super hot research from this year's @defcon by @RedByte1337 🔥🚨
#phishing #redteam #defcon
media.defcon.org/DEF%20CON%2033…

@I_Am_Jakoby The acknowledgements page has not been updated since March. Maybe they only update it once every 3 months or so.
You did nothing wrong. MSRC don't care; they won't even try to keep you from leaving. Build upon your research, go public, do talks, make it your own.

Keeps getting worse and worse
Now I find out I'm not only not getting paid for that bounty, but I'm not even getting a CVE for it. The "acknowledgement" is a random web page on their site. They messaged me and gave me the URL for the CVE page and said my acknowledgment would be there, and now it's just not...
Thought I would at least have something to put on the resume. Things just get worse every single day.
I saved them millions in fines if all that data got leaked. This is so wildly disappointing.

@UK_Daniel_Card ... such as bypassing MFA policies during red team engagements! Enroll your own token when the user does not own one. It's more trusted than push notifications (in the case of Okta), and essentially makes it a 2FA backdoor.

@MrSheepSheep @PinkDraconian @Bugcrowd Bugcrowd be hiring idiot triagers. HackerOne, on the other hand, has come a longggg way when it comes to triaging; their team has legit improved. But if you ask me, I'd skip these both and try Intigriti or YesWeHack instead.
Alexandre S. retweeted

Hello, small error on the date: the meetup will be held on May 19.
Program:
🎙️ "Your cloud identity providers are phishing platforms" - by @MrSheepSheep
🎙️ "Understanding EDRs to better bypass them" - by CursedFRA
📍 Oculto, 27 R. Quincampoix, 75004
🕖 19:00
See you there!
Alexandre S. retweeted

Here's the talk for the next meetup!
🎙️ "Your cloud identity providers are phishing platforms" - by @MrSheepSheep
📅 19/04
📍 Oculto, 27 R. Quincampoix, 75004
🕖 19:00
Registration on our website
Alexandre S. retweeted

If you're interested in YARA and Sigma rules linked to this research, check them out on our dedicated repository: github.com/synacktiv/syna…
Synacktiv@Synacktiv
In recent incident responses with an Ivanti CSA compromise as the root cause, Synacktiv's CSIRT came across open-source tools used for post-exploitation. Our ninja @Cybiosity explores their functionalities and discusses detection capabilities. synacktiv.com/en/publication…

@I_Am_Jakoby It took 5 months. I requested an update every week. No communication, no details about what was fixed. Incorrect bounty amount in the end. Worst experience I ever had; I'm considering not reporting again.

So, an update on my critical bounty I reported to Microsoft, and a question.
I submitted the initial report on the 23rd, and yesterday, the 28th, I added an addendum for an escalation I found for further exploitation, but I haven't really received much feedback from them yet.
Just a reminder not to share any personal information I may or may not have stumbled upon 😉
How long is it usually before you get your first response?
Status shows it's still in Review/Repro

@hyusapx @freemanjiangg Problem is, the audio source (screenshare) cannot be delayed because it's being sent to the app. A trick could be to pull audio from a tab and share it to another, mute it, and replay the synced buffer from the app (if mute doesn't mute the screenshare), or some trickery like that.

@ippsec @odiesec You might also want to have a look at IdP Passthrough / Prefill phishing ;) github.com/mrsheepsheep/i…

Device Code Auth is certainly a phish I could see myself falling for, as it blends in with a regular meeting invite and doesn't require entering my password. If you don't know what a Device Code Phish is, check out this video @odiesec and I did. youtu.be/Y8SSYLEq15Q

I briefly documented the technique for anyone interested. It applies to pretty much all cloud identity providers. github.com/mrsheepsheep/i…
I'm essentially extending @_xpn_ incredible work, focusing on the phishing part :)

Actually, a similar attack vector (OktaJacking) was found by PushSecurity: pushsecurity.com/blog/oktajacki…
But it required knowing usernames beforehand. Using an LDAP agent, that's not required.