C:\hristian Mehlmauer

Proud to release a new tool called STUNNER to test TURN servers (mostly used in WebRTC). It can open a local socks server and relay all traffic over vuln devices into the internal network github.com/firefart/stunn… Also found some vulns in Cisco Expressway: firefart.at/post/multiple_…

@mrgretzky @TheBigBearUK @ThinkstCanary Jeah it was intended as a reply for the old tenant question :)

@firefart @TheBigBearUK @ThinkstCanary Thanks. This unfortunately also won't work, as it is no longer possible to upload a custom CSS for new tenants, and set a custom background URL like this:

What? How am I going to set up a @ThinkstCanary CSS Canarytoken to protect my tenant from those pesky Evilginx phishing attacks, now? 😐

@mrgretzky @TheBigBearUK @ThinkstCanary github.com/firefart/entra… if you want something non azure function and host it yourself

@TheBigBearUK @ThinkstCanary I think it was best explained in the official blog post here: blog.thinkst.com/2024/01/defend…

Quickly enumerate all Microsoft 365 tenant domains, no login, new method > ourcloudnetwork.com/how-to-enumera… 🥷 I quickly spun up this site, powered by GitHub Pages, backed by a Cloudflare worker, that enumerates all Microsoft 365 domains in a tenant using a new endpoint, after last year's patch by Microsoft. It's simple, free and fast. #Microsoft #Domains #Security

Worked yesterday and this morning on a real fix for my workaround that's currently the joke of Twitter. If you're interested: github.com/microsoft/node…

#BSidesVienna is now live on #HackerTracker (hackertracker.app). You can use the app to manage your own schedule for not only this event but for many more. hackertracker.app/schedule?conf=…

Sponsor Spotlight: A big thanks goes out the the city of Vienna (@Stadt_Wien) for supporting #BSidesVienna. Check out their new public bug bounty over at bugcrowd.com/engagements/ci…, they pay out bounties!

While you were all busy pressing F5 to get a ticket, we quietly released a surprise for you. The first #BSidesVienna schedule is released! Have a look: cfp.bsidesvienna.at/bsidesvienna-0…

Reminder, the next Ticket round will start on Sunday 26.10.2025 at 19:00 Vienna time UTC+2!

Sponsor Spotlight: Thanks to slashsec Red Teaming GmbH for sponsoring the afterparty for #BSidesVienna! They focus on Red Teaming and are always looking for talented offensive security professionals with a real hacker mindset. You can check them out at slashsec.at/en

PRO TIP: REST is overengineering. Just expose one endpoint called /api that accepts SQL queries directly.

Postgres 18 has been released, with Async I/O support. Previously, all read requests were blocking, but with this update, they are no longer, delivering massive performance gains for read-heavy applications! It's enabled by default on Postgres 18!

If you want to be a better hacker, be a developer. Be an admin. Set up infra. Build coding projects. Make an app that writes to a db. Or stores cookies. Or performs auth. You will find it easier to spot the cracks and failure points in systems once you have set them up yourself.

@ubuntu Raving Rabbid

R_________ R_________ Guess the release name for Ubuntu 26.04 🔮

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

🚨 Shai-Hulud: Major npm supply chain attack. 100+ packages weaponized with stolen GitHub tokens, stealing secrets, hijacking repos, and auto-propagating like a worm. Guidance + detections inside: wiz.io/blog/shai-hulu…

Finally a use case for Microsoft Power Automate

Chat, did we do it? Is iPhone spyware cooked? The way I'm reading this, iPhone 17 just became the most secure mobile device ever.

“The largest supply chain compromise in npm, Inc. history just happened, packages with a total of 2 billion weekly downloads just got turned malicious” LinkedIn Post linkedin.com/posts/advocate… More info on hacker news news.ycombinator.com/item?id=451696…

#BSidesVienna is free by design—but it runs on sponsor support. Your company can support us and get more than good karma: visibility on shirts, badges, website, big screen ads during breaks—plus event tickets, exhibition space, and more. bsidesvienna.at/sponsorlevel