Shlomie Liberow

Visit target.com --> SSO Visit target.com/admin--> login Reviews Javascript --> if (data == 'SUCCESS') { location.href = "/admin/<snipped>?uname="+username+""; } Visit: target.com/admin/<snipped>?uname=admin Admin Access... #bugbountytips

“Young relatives forced to commit sex acts on each other” The New York Times didn’t want this to be the conversation. The editors signed off on fictional raping dogs instead. Read what happened on October 7.

@H4cktus @Jayesh25 @Hacker0x01 Was such a joy - appreciate the Collabs!

Lisbon was unreal. Hacked alongside @Jayesh25 and @Shlibness and somehow walked away with the Exterminator award for Most Impactful Report. Met so many great people. Huge thanks to @Hacker0x01 and the customer for putting it all together 🙌

Waiting for the bingo card response of “no place for antisemitism in our society” from politicians and media who have helped stoke this crisis

Growing up in the UK, I’ve never had someone approach me and say “what are you doing around here” for being black. This happened to a Jewish man who was simply doing his job. Combined with the arson attacks, British Jews are targeted in ways people like me aren’t. A sickness.

@GergelyOrosz landh.tech/depi/ takes a newer approach to pick up supply chain threats before they're even exploited CC @0xLupin

What are vendors that offer scanning of PRs or repos to protect against malicious dependencies? I know of Sonar (Advanced Security), Socket .dev, JFrog. What else do you know of or use and what does it do? (At some point, you want more than just pinning an old package version)

Uhhh

@0xLupin is a one of a kind founder and from personal experience, Depi is the real deal. One to watch!

It's quite something to see this all written down:

@Arl_rose Was such a joy working with you throughout the years, Ari. The dedication and ability to just make things happen was out of this world and LHEs leveled up with your involvement. Keep rocking it 🔥🔥

After almost seven years, my journey at HackerOne comes to an end today. This has been one of the most impactful experiences of my life, and I wanted to share a bit more about the ride. It all started in 2018. I had a dream of bringing a Live Hacking Event to Argentina after seeing the magic of the community in Las Vegas. I am forever grateful for the trust placed in me back then. Someone took a chance on a random guy from Argentina and made my hire happen, and I wouldn't be where I am today without that shot. In the years since, I have been lucky enough to build things from the ground up. I was tasked with building the pentest community from scratch when we launched the product, and seeing it grow into a home for hundreds of professional pentesters has been incredible. My biggest passion project was always focused on a worldwide hacking competition. My early pitches for a regional tournament eventually evolved into building a global network of hackers instead. We started that program with just seven people. Today, I leave a network of 90 ambassadors across 45 countries. That network finally allowed me to execute the Ambassador World Cup. Watching that tournament evolve into a global phenomenon that paid out 2.4 million dollars in its latest edition was a dream come true. From the finals in my hometown of Buenos Aires to the trophy presentation in Dubai, seeing hackers find their first bugs through this program has been the highlight of my career. After 20 Live Hacking Events as an employee, traveling the world and meeting the community in person kept my passion alive for years. None of this was a solo effort. I was only able to be creative because my team was the best in the business and I was given the room to run. Thank you to the global community of hackers and the rockstars on the community team for being such a massive part of my life. I am moving on to a new chapter to do some fun stuff. More to come on that soon. Thank you for everything and stay in touch!

There was an air of inevitability about it. Nobody knows when or where the next antisemitic outrage will emerge, but with every fake post about Israel killing babies, with every biased BBC report whipping up the animus of viewers, with every chant of “globalise the intifada” on university campuses, death comes one step closer. Now, it would appear it has come to Bondi Beach. That Australian paradise is always packed with partygoers, joggers, picnickers and the elderly, enjoying the sea and the summer sun. In the last few hours, it was the location of a family Chanukah party that reportedly attracted about 2,000 people. And a mass shooting... My @Telegraph column today. telegraph.co.uk/news/2025/12/1…

Which model suggested this is the question

UN on Francesca Albanese: “The special rapporteurs will say what the special rapporteurs say. For the Secretary General, it is very clear that journalists should never come under any violence, wherever they may be, whether that violence is physical, whether that violence is verbal, whether they are intimidated.” — @UN_Spokesperson in response to this query by @Mike_Wagenheim @i24NEWS_EN: “Francesca Albanese, who continues to put the “special” in “special rapporteur,” weighed in recently on the attack on an Italian media outlet which led to 30 arrests for vandalism. While she condemned the attack, she said: “This should serve as a warning to journalists to go back to doing their job." Which was condemned by a wide swath of the Italian political spectrum, as basically an intimidation tactic on the press there. The Secretary General just stated yesterday, I believe that you know, “journalists need to be protected from this kind of intimidation.” Any thoughts from the Secretary General or his office on the latest comments?”

Pretty neat and interesting how much of a fine line before it goes overboard and attempts to follow your instructions

LLM driven bedtime routines #gemini3

Zero surprises here. Attack vectors don't need to be sophisticated as much as just needing to be persistent and trying all variants possible.

@S1r1u5_ Yup. I'm using it and there are some funky edge cases!

supapwn

Compliance be compliancing

I’ve been training LLMs to recognise vulnerability chains and revisiting my favorite bug bounty reports to understand what patterns they can be taught to spot. Let’s look at this example of a ticketing platform's booking flow that leaked millions of PII records. This wasn’t  a zero-day or some sophisticated exploit, but a combination of  4 separate bugs that any decent scanner might find and file as Low/Medium severity. However, in combination, potentially genuinely damaging. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟭: 𝗧𝗵𝗲 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗔𝗻𝗼𝗺𝗮𝗹𝘆 (medium severity) Most of the ticketing platform’s site used cookies, but the booking API switched to a custom header for user identification. Whenever auth does something unexpected, you want to pay attention. I was able to change the header to a different user's ID and see their data, although only partially, it was missing emails and other fields. This bug demonstrated a routing issue, but incompletely. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟮: 𝗧𝗵𝗲 𝗣𝗮𝘁𝗵 𝗧𝗿𝗮𝘃𝗲𝗿𝘀𝗮𝗹 (medium severity) The ticketing platform’s API ran on Apache, which handles file paths in specific ways. I sent ../../../../api# as the header value - telling the server "go up four directories" and ignore everything after the #. The response changed timing and structure. It worked, but blindly - I was moving through directories but couldn't see where. This bug was confirmed exploitable, but I needed a way to make it meaningful. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟯: 𝗧𝗵𝗲 𝗘𝗿𝗿𝗼𝗿 𝗠𝗲𝘀𝘀𝗮𝗴𝗲 (low severity) I sent an invalid user identifier to a different endpoint on the platform to see what would break. The error response included: "self":"/api//;user={xxxxx}/profile" This leaked the internal path structure - how the system organizes and stores user data. ━━━━━━━━━━━━━━━━━━━━ Bug #𝟰: 𝗧𝗵𝗲 𝗦𝗲𝗾𝘂𝗲𝗻𝘁𝗶𝗮𝗹 𝗜𝗗𝘀 (informational) While testing other endpoints, I noticed another identifier type in the responses, tied to accounts, not users. These IDs were sequential: 3443123, 3443124, 3443125 ━━━━━━━━━━━━━━━━━━━━ 𝗕𝗿𝗶𝗻𝗴𝗶𝗻𝗴 𝗜𝘁 𝗔𝗹𝗹 𝗧𝗼𝗴𝗲𝘁𝗵𝗲𝗿 For Real Impact Four findings. Four tickets. Different teams. Different severities. But combined, a major breach of PII. Here's the chain: X-User-ID: ../../../../api//;account=3443125/profile# This combines: • Path traversal escapes the directory • Internal structure from the error maps the route • Sequential account ID replaces the random user ID • Access control weakness reads the data The result: Full user profile is revealed: name, DOB, address, email, phone, and more. In other words, a Complete database enumeration. ━━━━━━━━━━━━━━━━━━━━ 𝗧𝗵𝗲 𝗣𝗮𝘁𝘁𝗲𝗿𝗻 A scanner may find these issues in isolation but can't see that Medium + Medium + Low + Info = Critical breach. This is the direction LLMs can work towards with the right context: models that recognize not just individual bugs, but the investigation paths that connect them. #BugBounty #Security #VulnerabilityManagement

Day in the life... #claudecode