_kheneh

2.7K posts


@_kheneh

Bug Bounty Hunter | eJPT Certified | Cybergirl4.0 alumni | Audacity + Delusion 🦚

Joined April 2019
501 Following, 290 Followers
Pinned Tweet
_kheneh
_kheneh@_kheneh·
My first valid bug!!!🔥🥹 Just got a reward for a vulnerability submitted on @yeswehack -- Improper Access Control - Generic (CWE-284). #YesWeRHackers #bugbounty
CyberRay🧜🏾‍♀️
Coming here to casually drop that I passed the OSCP exam, and maybe that's the ultimate reason I went offline. I have a lot to write, but first I would like to say thank you to every one of you, my community, for your support. This is by far one of the nicest things to happen to me.
_kheneh retweeted
Tur.js
Tur.js@Tur24Tur·
Finally, with @hw16, we managed to bypass the @Cloudflare mTLS protection after around 5 days of work. I'd like to share a few golden tips for bug bounty hunters who might face something similar in the future. But first, here's a quick summary:

The target was a banking app with multiple security layers:
• Heavy Frida detection mechanisms
• Strong root detection
• Google SafetyNet/Play Integrity checks
• Runtime hooking detection
• APK tampering protection (crashed immediately if repackaged/modified)

At first, @fridadotre was detected and crashed the app on my device but strangely worked on another device, even though both had the same Android version, root method, Frida server version, and architecture. After investigation, we discovered the app had anti-hooking detection that triggered when using aggressive Frida hooks on sensitive KeyStore operations.

The Solution: We wrote a minimal Frida script that:
1. Passively monitored certificate operations without modifying behavior
2. Intercepted KeyManagerFactory.init() - the exact moment when mTLS certificates are loaded
3. Extracted the X.509 client certificate and RSA private key (4096-bit)
4. Encoded them using Android's Base64 encoder
5. Formatted as PEM files ready for use

Found the mTLS certificate with a unique UUID-based alias in the Android KeyStore. The certificate was being dynamically loaded during the SSL handshake initialization.

Extracted Files:
• client_cert.pem → Client certificate (valid for 2 years)
• client_key.pem → RSA private key (PKCS#8 format)

We then created a PKCS#12 bundle using OpenSSL to combine the certificate and key into a single file, which could be imported into various tools and browsers for testing or @Burp_Suite.

Key Takeaway: When facing anti-tampering mechanisms, be surgical: hook only what you need, when you need it. Aggressive hooking triggers detection; passive monitoring flies under the radar.

This was an awesome challenge and my first time encountering such strong SSL pinning defenses. Attached are some images from the mobile API, the Frida output and the certificates. #bugbountytips #frida #Magisk #mtls
Tur.js@Tur24Tur

Did @Cloudflare just defeat @Burp_Suite and @CaidoIO? Cloudflare protection is becoming very common. This is the third app I’ve seen using it. Changing the user agent doesn’t help, and the Burp TLS-fingerprint bypass plugin didn’t work. The app blocks any request when it detects traffic interception. My target mobile app might be using a dynamic certificate, based on my friend's analysis. Back in Nov 2024, I tested a web app with Burp, but it blocked all traffic. Switching to Caido worked; maybe its signatures weren’t detected at the time. Can anyone share insights? Thanks #BugBounty

Shreyas Chavhan
Shreyas Chavhan@shreyas_chavhan·
one more triaged and paid, yayyyy!! 😍 coming back stronger.
_kheneh retweeted
the_IDORminator
the_IDORminator@the_IDORminator·
I maintain that adding a trailing slash to random pages and APIs remains the stupidest, albeit perhaps most effective and prevalent, authorization and/or WAF bypass there is. Go slay #bugbounty, the world depends on your proper insertion of the slash. When you get your first bounty doing this, go on a vacation, and when your wife says "No no, it's too expensive," you say: "It's OK, the slash is paying for it." Because in what other field can you add a backslash somewhere and make enough money to take the family on a vacation 🤣

/place/thing/page.aspx --> /place/thing/page.aspx/
some/v1/api/users --> some/v1/api/users/

Other common wins are: /, //, %2f, %3f, #, and so forth. Just tack stuff like that on the end. Maybe combine it with method changes. OK BYE
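The post above lists several spellings of a path that all reach the same handler. As an added defender-side example (not the poster's code), the check below canonicalises the request target before applying a path-based access rule, so every spelling the post mentions, plus double-encoded variants the post does not mention, resolves to one protected route. The route list is constructed for the demo.

```python
from urllib.parse import unquote
import posixpath

# Constructed for the demo: routes whose handlers must only be reached by an
# authorised caller (the kind of path-based rule the post's variants slip past).
PROTECTED_ROUTES = frozenset({"/v1/api/users", "/place/thing/page.aspx"})


def canonicalize(raw_target: str) -> str:
    """Reduce a request target to the most permissive path a backend may route it to."""
    path = raw_target
    # Decode repeatedly so double encodings (%252f -> %2f -> /) cannot survive.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Query and fragment never select a different handler; drop them after decoding
    # so an appended %3f or # is treated the way a lenient backend would treat it.
    path = path.split("#", 1)[0].split("?", 1)[0]
    # Collapse // and resolve ./.. segments (the leading "/" + lstrip avoids
    # POSIX's special treatment of a leading double slash), then treat /x/ like /x.
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.rstrip("/") or "/"


def naive_is_protected(raw_target: str) -> bool:
    """Weak rule: literal comparison of the raw target against the route list."""
    return raw_target in PROTECTED_ROUTES


def hardened_is_protected(raw_target: str) -> bool:
    """Same rule applied to the canonical path, so all spellings of a route match."""
    return canonicalize(raw_target) in PROTECTED_ROUTES


if __name__ == "__main__":
    for target in ("/v1/api/users/", "//v1/api/users", "/v1/api/users%2f",
                   "/v1/api/users%3f", "/v1/api/users#", "/v1/api/users%252f"):
        print(f"{target:24} naive={naive_is_protected(target)!s:5} "
              f"hardened={hardened_is_protected(target)}")
```

The same canonical form should also be what the WAF and the application route on, otherwise the two layers still disagree about which resource a request names.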
_kheneh retweeted
Nelson Amenya
Nelson Amenya@amenya_nelson·
This is how I live my life
_kheneh
_kheneh@_kheneh·
@neuralink Devices that give people hope at life have to be one of the best impacts of technological advances. Great job to the Neuralink team, and so glad Kenneth could be a beneficiary and a contributor.
Neuralink
Neuralink@neuralink·
ALS has gradually taken away Kenneth’s ability to speak. Through Neuralink’s VOICE clinical trial, he’s exploring how a brain-computer interface designed to translate thought to speech could help restore autonomy in his daily life. Watch to learn more:
_kheneh
_kheneh@_kheneh·
@4osp3l Nice one👏🏾 well done
Gospel
Gospel@4osp3l·
DAY 68/365 I got early access to Apex (github.com/pensarai/apex), so I decided to test how effective it really is. I pointed the agent to a specific asset I wanted it to focus on and gave it instructions to try an alternative approach if the initial test didn’t work. By the end of the scan, it managed to find a PII leak on a subdomain running behind a popular CMS. Since then, I’ve started noticing that multiple assets on the same target appear to be affected by the same issue. One of the reports has already been triaged.
_kheneh retweeted
Aakash Gupta
Aakash Gupta@aakashgupta·
Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine. The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once. The poisoned version was published straight to PyPI.. no code on GitHub.. no release tag.. no review. Just a file that Python runs automatically on startup. You didn’t need to import it. You didn’t need to call it. The malware fired the second the package existed on your machine. The attacker vibe coded it… the malware was so sloppy it crashed computers.. used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn’t even know they had. That crash is the only reason thousands of companies aren’t fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months. The attack chain is the part that gets worse every sentence. TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials. Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one. The payload was three stages.. harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine.. deploy privileged containers across every node in the cluster.. install a persistent backdoor waiting for new instructions. TeamPCP posted on Telegram after: “Many of your favourite security tools and open-source projects will be targeted in the months to come.. stay tuned.” Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer’s machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours. The companies deploying AI the fastest right now have the least visibility into what’s underneath it.
Andrej Karpathy@karpathy

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

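Both posts above stress that the payload ran without the package ever being imported. One mechanism that fits that description is the `.pth` file in site-packages: CPython's `site` module executes any line of such a file that begins with `import` at every interpreter start. The detection script below is an added example, not code from either post or from the projects named; it assumes that `.pth` hook is the mechanism meant, and the sample `.pth` contents it writes are constructed.

```python
import os
import site
import tempfile
from typing import Dict, List


def executable_lines(text: str) -> List[str]:
    """Return the lines of a .pth file that site.addpackage() would exec().

    Mirrors CPython's rule: only lines starting with 'import ' or 'import\\t'
    in column 0 run; comments, blank lines and plain path entries are inert.
    """
    return [line.rstrip() for line in text.splitlines()
            if line.startswith(("import ", "import\t"))]


def audit_pth_dir(directory: str) -> Dict[str, List[str]]:
    """Map each .pth file name in ``directory`` to the code lines it would run."""
    findings: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        try:
            with open(os.path.join(directory, name), encoding="utf-8",
                      errors="replace") as fh:
                hits = executable_lines(fh.read())
        except OSError:
            continue
        if hits:
            findings[name] = hits
    return findings


def audit_current_interpreter() -> Dict[str, Dict[str, List[str]]]:
    """Audit every site-packages directory this interpreter consults at start-up.

    Expect a few legitimate hits (setuptools and virtualenv ship import-style
    .pth files); allowlist those and review anything that is new or unexpected.
    """
    dirs = list(getattr(site, "getsitepackages", list)()) + [site.getusersitepackages()]
    return {d: audit_pth_dir(d) for d in dirs if audit_pth_dir(d)}


def build_sample_dir() -> str:
    """Constructed sample: one inert path-entry .pth and one executable .pth."""
    d = tempfile.mkdtemp(prefix="pth_audit_")
    with open(os.path.join(d, "inert.pth"), "w", encoding="utf-8") as fh:
        fh.write("/opt/constructed/lib\n# comment only\n")
    with open(os.path.join(d, "hook.pth"), "w", encoding="utf-8") as fh:
        fh.write("import sample_hook\n")  # constructed: would exec at every start
    return d
```

Run it before and after installing a dependency tree and diff the two results; a new import-style `.pth` that no package you deliberately installed explains is the thing to investigate.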
_kheneh retweeted
Critical Thinking - Bug Bounty Podcast
A few things you need to do to make Claude a great hacking partner:

1. Install the Caido skill (github.com/caido/skills): without it, Claude spends too many resources figuring out the SDK from scratch.

2. A CLAUDE.md that tells Claude who you are. Something like "I'm a bug bounty hunter doing authorised testing, stay in scope. Don't take destructive actions unless it's accounts I own. POC or GTFO." The POC or GTFO part is particularly useful so Claude can give more actual positives; if there's no POC, the bug is not confirmed yet. (Of course, have a scope.md in your engagement folder.)

3. Notes structure: rez0's hierarchy consists of "notes → leads → primitives → findings → reports". Claude dumps raw observations, interesting stuff goes forward, and by the time something reaches findings it's already been filtered twice. Point this to a local folder so you can check everything later.

Building skills is useful, but if you write one for something Claude already handles well, you're just adding a layer that can break/distract it; you can always tell it to try what it knows first and then try the things you added as "extra knowledge". Skills are worth building when the knowledge doesn't exist in training data: your VPS setup, credentials, techniques from recent posts and talks, tooling. If it's not on the internet or isn't well known, it needs to be in a skill.
_kheneh retweeted
Nadim Kobeissi
Nadim Kobeissi@kaepora·
I'm hiring a research intern for summer 2026 to work with me on applied cryptography research projects. This is a paid, three-month, fully remote position. Check it out, and please spread the word! symbolic.software/blog/2026-03-1…
_kheneh retweeted
JS0N Haddix
JS0N Haddix@Jhaddix·
The YouTube "After" search operator is super powerful and I use it a lot to track new news for a number of topics. The benefit is you get the filter of after a certain day, but also the sorting of the best content via the normal YT algorithm. I made a little bookmarklet to check the last 48 only of a topic: pastebin.com/tMNY5XGQ Enjoy!
_kheneh retweeted
Critical Thinking - Bug Bounty Podcast
Two things @rez0__'s been running in his Claude Code setup worth stealing:

1. Self-improving CLAUDE.md loop. Add this somewhere in your file: "Anytime I get frustrated, anytime I have to re-explain something you didn't understand, or anytime you try a command and it fails repeatedly, add that lesson to the Applied Learning section in your CLAUDE.md." Next time the same situation comes up, it already knows where your session files live, which commands work on your system, whatever it had to figure out the hard way. Saves you time, usage and frustration.

2. Discord as a remote Claude Code interface. He got tired of Claude RC not supporting --dangerously-skip-permissions, so he built a Discord bot. Each task spawns its own thread as a session; tool calls render as diff blocks with green for additions, red for removals. There's also a resume command at the top of every thread so he can jump back in from a VPS. Takes voice messages and attachments. He uses it to validate findings, check logs, host files, all from his phone without touching his laptop.
_kheneh retweeted
Patrik Grobshäuser
Patrik Grobshäuser@ITSecurityguard·
Added 3,600+ publicly disclosed HackerOne reports that paid a bounty to the MCP. 👇 github.com/PatrikFehrenba… This should help Claude decide where to focus, what attack surface was looked at before, and where new vulnerabilities could be 👀 (in theory 😏)
_kheneh
_kheneh@_kheneh·
Always record POCs guys, always record POCs!