Rotem Reiss
882 posts

Rotem Reiss retweeted

👼GatewayToHeaven (CVE-2025-13292).
I discovered a cross-tenant vulnerability in @GoogleCloud's #Apigee, allowing me to access other organizations' data (and sometimes even plaintext JWTs of end users).
Below is the full breakdown of the exploit chain⛓️

Rotem Reiss retweeted

TL;DR: security researchers at Cyera (well done @dorattias!) found a security vulnerability rated 10 that allows remote code execution (RCE) on the n8n platform.
What is n8n? What does it mean? What are the technical details? By popular request >>

Shaked Klein Orbach 🇮🇱@shakedko
Is there any interest here in an explanation of a security issue that was in n8n?

Rotem Reiss retweeted

Just released SmuggleX v0.1.0 🚀
⚡️smugglex <TARGET> <FLAGS>
🔆 <TARGETS> | smugglex
🏷️Rust-powered HTTP Request Smuggling Scanner.
⭐️ Github: github.com/hahwul/smugglex
I'm going to keep improving the detection and exploiting sides!

Rotem Reiss retweeted

Huge shoutout to our BSidesTLV 2025 sponsors ❤️🔥
You power the talks, the villages, the hacking, and the community.
📅 11.12.25 | Tel Aviv University
🎟️ Tickets almost gone → bsidestlv.com/register/

Rotem Reiss retweeted

BSidesTLV 2025 Villages are coming in hot:
🔧 Hardware
🤖 AI Hacking
🕵️ Bug Bounty
Live hacks, deep-dive sessions, and hands-on chaos all day long.
📅 11.12.25 | Tel Aviv University
🎟️ Tickets almost gone → bsidestlv.com/register/
@BsidesTLV is almost here. If you want the best bug bounty stories, top hackers, mentors, and swag - join us at the Bug Bounty Village. Keynote by @ehrishiraj, plus awesome talks and special scopes from leading programs. See you there!

Rotem Reiss retweeted

Just learned a very interesting trick from @0xacb’s challenge at the @Bsideslisbon CTF.
If an application uses "magick convert" to modify an uploaded image, it may be possible to achieve LFI by using "text:"
One of the file formats supported by ImageMagick is "text",

Rotem Reiss retweeted

The details on the CVSS 9.9 request smuggling in Kestrel are finally out! Great find by @praetorianlabs.
praetorian.com/blog/how-i-fou…

Rotem Reiss retweeted

It’s here, and it's free: Credential Monitoring from ProjectDiscovery! Detect leaked credentials tied to your domains or emails from millions of malware-stealer logs.
• My Leaks / Employee / Customer classification
• Domain verification + API + CSV/JSON export
Start monitoring now: projectdiscovery.io/blog/leaked-cr…
#infosec #cybersecurity #credentialmonitoring

Rotem Reiss retweeted

📢 Live Workshop: Ready to Level Up Your App Security Program? 📢
Building a strong app security program doesn’t have to be a headache. Learn how @Playtika_Ltd's Product Security Group secures dynamic systems against evolving threats — and how you can too.
🎯 What you’ll learn:
✅ How to build security into your dev workflows (without slowing things down)
✅ Why a risk-oriented approach beats traditional DevSecOps
✅ Practical tips to engage your developers and avoid burnout
✅ Real tools and frameworks that actually work
💻 Who should join?
Developers, security pros, R&D teams, and CISOs who care about staying ahead of threats and improving your security posture.
📅 RSVP today! buff.ly/3DPsidj
@IceSolst I couldn't agree more. You can break things more effectively when you understand how they were built, and you can protect them better when you know how an adversary looks for ways to get in.
I was in a redteam bubble for over a decade. All we talked about was popping shells, getting domain admin, and how trash every company’s security was.
When I moved to the blue team and ultimately went into leadership, I realized there was so much more to security than breaking things.
It changed my perspective to work closely with devs, understand their perspectives deeply, and work with all skill levels from beginners to legendary C++ programmers.
I think the most valuable experience a redteam purist can have is work on shipping a feature as a dev, within the same constraints they have, with teammates of varying skill levels. The best redteamers I have worked with understand this.
@shakedko The closest you can get is to tell it to generate Mermaid, but that is usually broken too and needs manual adjustments.