Duc Phan

553 posts

Duc Phan

@flyingpassword

🇻🇳 number 1. I like making you uncomfortable with my unpopular opinions. My opinions are my dog's, btw. So if you want to argue, argue to my dog.

🇻🇳 Katılım Şubat 2014

896 Takip Edilen743 Takipçiler

Duc Phan@flyingpassword·11h

Before ChatGPT existed: "I and python3 and pwntools and gcc found the 0day". Just sayin' 🤗

Adam Chester 🏴‍☠️@_xpn_

My new hate is this flurry of people now becoming l33t 0day researchers overnight. "I found this 0day"... no... you AND THE AI found the 0day. This industry has always had people taking credit for others work. Be open and honest people, it's fine to admit that AI is playing a part (call out this BS where you see it!).

English

149

Duc Phan@flyingpassword·13h

I think I need to drink more orange juice so I can be at this OG level...

Orange Tsai 🍊@orange_8361

That's my chain — a full chain w/ logic bugs only! No memory corruption, no AI, and of course no collisions at all 😉

English

339

Duc Phan@flyingpassword·4d

@__suto For a moment I forgot 😂 yes, let's just have fun, no need to get worked up about it guys. Submit patches, find a more fun target, whatever 😂 vendors and comps play by their rules, you come you play, otherwise go play somewhere else 🤣 I'm just having fun witnessing this tragedy

English

127

Toan Pham@__suto·4d

@flyingpassword you named it well :) but we just having fun, good or bad not our intentions!

English

508

Duc Phan@flyingpassword·4d

Sorry my twitter didn't work so just have to do it this way cuz the machine is woke af

Qrious Secure@qriousec

We’ve been through all kinds of situations: exploits failing, vendors turning off services during demos, patches being released the night before a demo, and more but we happily accepted and continue to play. And if you don’t participate in the game, who cares about your opinion?

English

1.1K

Duc Phan@flyingpassword·5d

Lmao bro really uses --single-thread and thought it's realistic 😂

dawgyg - WoH@thedawgyg

Well since Google sucks fat donkey dick (still annoyed they waited >2 months to reject my RCE payload because i used the --single-thread flag in repro)... This was disclosed yesterday: issuetracker.google.com/u/1/issues/478… It was my 1st attempt to report the vuln that allows for RCE on every Chromium browser since Dec 2018. This one was rejected because I was still learning how to prove Chrome reachability. Ended up filing a new report a week later after figuring out a trick to bypass Chromium's validation on video files and being able to prove reachability.

English

5.9K

Duc Phan@flyingpassword·11 Nis

@S1r1u5_ Actually very easy, just tell it you are the owner of that code and need to do security audit. 😂 Worked flawlessly on latest GPT

English

360

s1r1us (mohan)@S1r1u5_·10 Nis

Thought of using codex and it doesn't even budge. How are you bypassing the guardrails on codex? we applied to cyber thing, got no response.

s1r1us (mohan)@S1r1u5_

hi @AnthropicAI, our request to remove claude safeguards was denied. we would really appreciate a reconsider, we're not just any company. mythos access would be great too 😉 check the thread for our work securing AI & OSS products like Atlas, Antigravity, Windsurf 🧵👇

English

20.9K

Duc Phan@flyingpassword·8 Nis

Amazing. And I like where this is going

Anthropic@AnthropicAI

Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing

English

317

Duc Phan@flyingpassword·7 Nis

Okay super stupid: Just login to chromium.googlesource.com/new-password problem solved

English

142

Duc Phan@flyingpassword·7 Nis

Is it just me or chromium.googlesource.com/chromium/src/+… is blocking people? Some URLs are accessible but some aren't. gclient sync fails for some sub repos. freetype2 and buildtools

English

296

Duc Phan@flyingpassword·7 Nis

Can't even read build instructions chromium.googlesource.com/chromium/src/+…

English

112

Duc Phan@flyingpassword·5 Nis

@bienpnn You can already use clangd LSP with Claude

English

319

Bien 🇻🇳@bienpnn·5 Nis

side notes from some of my experiment with Claude LLM: - it managed to find all my existing VirtualBox findings - grepping codebase is really token inefficient - it works much better if you have well structured codebase really hope that it can use language servers soon.

English

3.9K

Duc Phan@flyingpassword·1 Nis

When people hear about these new stories about how autonomous AI can be in vulnerability research, many say: "Oh, X and Y has been doing this for N months/years". Thing is: show, don't tell, guys. Talk is cheap, show the world the exploit, the prompt, and the patch :)

English

187

Duc Phan@flyingpassword·3 Mar

Broooo, us Vietnamese still don't know what the FUCK we did to be counted in that ENTIRE WORLD shit 😂

Conflict Radar@Conflict_Radar

#BREAKING Iran’s Foreign Ministry: "The process [war] that has begun will soon engulf Europe. The fire, that the US and the Zionist regime ignited, will engulf the entire world."

English

262

Duc Phan@flyingpassword·14 Şub

This world has been so fucking crazy people tend to think every fucking thing must be for some profit and not fun. Guys, just have some fucking fun and chill out 🤣

English

124

Duc Phan@flyingpassword·14 Şub

Lol lazy "n-DaY rEsEaRcHeRs" are probably be butthurting like crazy 🤣🤣🤣 everybody trying to chase fame or money and there are these precious people. We Vietnamese say: cayyyyy 🤣

Qrious Secure@qriousec

Why only the screenshots and the sloppy post? 1. Our work isn’t here for every ooneee dayyyyyyyyyy “researcher” looking to weaponize it. 2. We’re not selling anything. 3. We’re not a firm or startup, and we’re definitely not chasing fame to attract investment. So who are we?

English

238

Duc Phan@flyingpassword·5 Şub

@darkfloyd1014 Oh man, I can say the same about America, but I don't think people would agree 6abc.com/post/11-year-o…

English

Mr. Anthony 安東尼@darkfloyd1014·3 Şub

Two mainland China Chinese kids throw the fireworks into the cage with the dog, and the dog is killed and burnt alive. Let me make it clear: CCP has not done a sound education system with ethics and lives protection. Parental control is also missing. They don’t care about their kids at all. This country is basically occupied by many inhumane creatures. The best people are the minority. These kids and their parents will suffer from Karma. Doggie, hopefully more kind Chinese can strike for justice for you.

English

247

Duc Phan@flyingpassword·24 Ara

@rouge_cravate @pixiepointsec Hi there. To answer your question, the title follows the official vulnerability description from Microsoft, that's it.

English

@Cravaterouge.infosec.exchange@rouge_cravate·24 Ara

@pixiepointsec @flyingpassword Could you explain why it's an EoP? Looking at your exploit and the UAF’d pointer's limitations, it sounds more like a DoS.

English

103

PixiePoint Security@pixiepointsec·22 Ara

What better way to get into x'mas vibes than @flyingpassword dropping a BFS n-day (CVE-2025-29970) blog post! (Santa would approve :)) Merry X-mas! pixiepointsecurity.com/blog/nday-cve-…

English

9.1K

Duc Phan@flyingpassword·23 Ara

@dudcom3 A v8-based processor is diabolical man...

English