Kevin Muhuri
@kevmuhuri

520 posts

Research & Social Media PR (Tech & Privacy)

Kenya · Joined April 2020
39 Following · 14 Followers
Kevin Muhuri@kevmuhuri·
@weezerOSINT affordable AI access? Current prices are being subsidized by VC money (increase adoption/growth). Once they go public and have to rely on ARR, we will see the real prices.
impulsive@weezerOSINT·
What would actually be good for the world is publicly funded open models, mandatory safety standards for US labs, affordable AI access for developing nations, real international governance. they appear nowhere in this document, because none of those things make Anthropic money.
Anthropic@AnthropicAI

We've published a paper that explains our views on AI competition between the US and China. The US and democratic allies hold the lead in frontier AI today. Read more on what it’ll take to keep that lead: anthropic.com/research/2028-…

Kevin Muhuri@kevmuhuri·
@GOOBY_123 @OpenSCADGuns @tmctmt However, I see a possibility that a 2-hop VPN across different VPN vendors (like @obscuravpn), or the same VPN vendor with the two hops on different data center providers, might mitigate this. What do you think?
GOOBY@GOOBY_123·
Mullvad + the 15 providers they rent from: 100TB, 31173, Blix, Creanova, DataPacket, HostRoyale, hostuniversal, iRegister, M247, PrivateLayer, techfutures, Tzulo, Veloxserv, xtom, Zenlayer It's funny when people think Mullvad has any control over a logging policy when the entirety of their service runs on third-party infrastructure. Mullvad is literally just an office. They don't do anything or control anything besides installing their software remotely on servers they don't own. At least their advertising looks cool. I guess that's the only thing people care about.
katexbt.hl@katexbt·
@tmctmt 3500 is like a month's rent with cockroaches as an extra add-on in most tier1 american cities Wow they did you DIRTY @discord pay the man
Kevin Muhuri@kevmuhuri·
@ZackKorman I've come across another argument for such public disclosures: punishing companies that under-invest in security, e.g. no BBP, low BB payouts or understaffed internal security teams. I don't think it works because the cybersec job market is rough right now.
Zack Korman@ZackKorman·
New video: The responsible disclosure debate is hiding what's really going on. These kids aren't mad about security. They're mad about life. They don't have a principled position on disclosure, they have anger problems and AI. They need guidance & mentorship, not encouragement.
Kevin Muhuri@kevmuhuri·
The lawsuit settlements are relatively small compared to their net worth. I don't think this will become a deterrent. Honey or Scottish "Lord" or "Lady" titles might make a comeback on YT😅 Credits - @Shafer1337 youtube.com/watch?v=UmwwJD…
Kevin Muhuri@kevmuhuri·
@weezerOSINT Have they fixed the issue like ClickUp? Or are they working with the original researcher who reported the vuln back in Aug 2025?
impulsive@weezerOSINT·
This is the 2nd company ignoring for leaking Gov / Enterprise client PII and data. x.com/weezerOSINT/st…
impulsive@weezerOSINT

Fireflies.ai is exposing US government emails and private meeting recordings to anyone on the internet. Zero authentication. I found 44 .gov employee emails from a single city agency through one API call. No login. No token. Nothing. Their GraphQL API returns full participant emails, meeting recordings, and AI-generated summaries to anyone who queries it. I had to censor the data myself.

impulsive@weezerOSINT·
I went to clickup.com. Opened the page source. Found a hardcoded API key in the JavaScript. Copied it. Sent one GET request. Got back 959 email addresses and 3,165 internal feature flags.

Employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. A Microsoft contractor. 71 ClickUp employees.

Fortinet sells enterprise firewalls. Tenable makes Nessus, the vulnerability scanner half the industry runs. Their employees' emails are exposed because ClickUp hardcoded a third-party API key in a JavaScript file that loads before you even log in.

This was first reported to ClickUp through HackerOne on January 17, 2025. It's now April 2026. The key has not been rotated. I just pulled the response five minutes ago. Every email is still there.

ClickUp raised $535 million at a $4 billion valuation. Claims 85% of the Fortune 500 use their platform. Looks like the proof is in the page source.
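The ClickUp post above describes a class of bug rather than a one-off: a credential for a third-party service embedded in JavaScript that the browser downloads before any login, which makes it readable by anyone who views source. The scanner below is an added example written for this page, not ClickUp's code and not the researcher's, and it makes no claim about what ClickUp's bundle actually contained. It runs offline on constructed sample bundles; the script names, URLs and key-looking values are all made up (AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation). To use it for real, pass the HTML of the unauthenticated landing page to extract_script_urls(), fetch each script, and feed it to scan_bundle().

```python
"""Find hard-coded credentials in JavaScript that is served before login.

Added example for this page (not ClickUp's code and not the researcher's).
All sample bundles, URLs and key-looking strings below are constructed.
"""
import math
import re
from collections import Counter
from urllib.parse import urljoin

# Well-known token formats plus a generic "<name> = '<long value>'" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|token|auth)\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]"""
    ),
}

# <script src="..."> on the landing page: that is the pre-login attack surface.
SCRIPT_SRC = re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above prose or placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_script_urls(html: str, page_url: str) -> list[str]:
    """Absolute URLs of every <script src> referenced by the page."""
    return [urljoin(page_url, m.group(1)) for m in SCRIPT_SRC.finditer(html)]


def scan_bundle(name: str, js: str, min_entropy: float = 3.5) -> list[dict]:
    """Return findings; the matched value is redacted to its first 6 chars."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(js):
            value = m.group(m.lastindex or 0)
            # The generic pattern also catches placeholders; entropy filters those.
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            line = js.count("\n", 0, m.start()) + 1
            findings.append({"bundle": name, "kind": kind, "line": line,
                             "value": value[:6] + "..."})
    return findings


# Constructed sample bundles (no real credentials anywhere in here).
SAMPLE_BUNDLES = {
    "vendor.js": (
        "window.FEATURE_SERVICE = {\n"
        '  apiKey: "c0nstructedEXAMPLEkey9f8e7d6c5b4a3f2e1",\n'
        '  endpoint: "https://flags.example.invalid/v1/users"\n'
        "};\n"
        'const uploader = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };\n'
    ),
    "app.js": (
        'const cfg = { token: "REPLACE_ME_REPLACE_ME_REPLACE" };\n'  # placeholder, low entropy
        'const publishable = "pk_test_000";\n'
    ),
}

# Constructed landing page referencing the two bundles above.
SAMPLE_HTML = (
    '<html><head><script src="/static/vendor.js"></script>'
    "<script src='https://cdn.example.invalid/app.js'></script></head></html>"
)


def scan_all(bundles: dict = SAMPLE_BUNDLES) -> list[dict]:
    """Scan every bundle and concatenate the findings."""
    return [f for name, js in bundles.items() for f in scan_bundle(name, js)]


if __name__ == "__main__":
    print(extract_script_urls(SAMPLE_HTML, "https://app.example.invalid/"))
    for finding in scan_all():
        print(finding)
```

The entropy filter is what keeps this usable on real bundles: minified code is full of `token: "..."` assignments that are placeholders or enum strings, and dropping anything below about 3.5 bits per character removes most of them while keeping randomly generated keys. The finding redacts the value on purpose, so the report can be pasted into a ticket without itself becoming a leak.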
Kevin Muhuri@kevmuhuri·
@fattselimi @weezerOSINT Quite widespread unfortunately. Most maintain ineffective security teams just for compliance obligation. For example, a major luxury fashion brand with a security team of only 1 CISO & "1 contractor" at a satellite office. reddit.com/r/cybersecurit…
Fat@fattselimi·
@weezerOSINT Nice security 1B company
impulsive@weezerOSINT·
Fireflies.ai is exposing US government emails and private meeting recordings to anyone on the internet. Zero authentication. I found 44 .gov employee emails from a single city agency through one API call. No login. No token. Nothing. Their GraphQL API returns full participant emails, meeting recordings, and AI-generated summaries to anyone who queries it. I had to censor the data myself.
Kevin Muhuri@kevmuhuri·
@CEOofLazarus @weezerOSINT A couple of months back some uni black hats in my country were caught; they stole millions. I was like, how did the police in my developing country even catch these guys? Probably consulted with a pro international cybersec company. Maybe in a country like Russia it's far easier, by paying the FSB.
Park Jin Hyok@CEOofLazarus·
@weezerOSINT People need to quit this whitehat shit and start going blackhat lmao. Imagine spending entire days on finding bugs, just to be shut down as "dUpLiCaTe" while in fact it's not a duplicate.
impulsive@weezerOSINT·
Bugcrowd and Dell want me to delete this post. Absolutely not. WDTKernel.sys was mentioned in multiple articles this last decade, researchers never found the same vulnerabilities that I found nor did they bring evidence to the fact the same vulnerable code is being compiled to this day. blogs.vmware.com/security/2023/… So you mark me down as a duplicate but offer me credit for my research? If it's a duplicate why offer credit? This is a scam to not pay out hunters. You have the widest possible scope of what counts as a "duplicate" even when it's a completely different vulnerability in the same area.
impulsive@weezerOSINT

North Korean Lazarus Group has weaponized this exact class of Microsoft-signed kernel driver. It is sitting on MILLIONS of Windows PCs right now. It gives any local process full control from the deepest level of Windows. 5 lines of code. Zero validation. Your antivirus can’t stop what runs below the OS.

Kevin Muhuri@kevmuhuri·
@weezerOSINT @DirectorOfNATO @trailofbits research theregister.com/2019/01/15/bug… from some years back shows white hat is not sustainable for most. So do it with an open source/side-project mentality or for your CV. Regarding black hat, it's too risky. x.com/thedawgyg/stat…
dawgyg - WoH@thedawgyg

If I hadn't already done 5 years in prison for blackhat activities I would be right there with you guys lol. If we had thought about ransomware and shit in the 90s we would've been billionaires lol. The closest we got was when I breached @ROLEX and defaced every site they had in 2001 asking them to give me a Rolex in exchange for me leaving them alone lol (they didn't give me one sadly)

impulsive@weezerOSINT·
@DirectorOfNATO Whitehat is not boring, take a look at my page and you can see I can make it look fun. Furthermore, who do you think uses those corporations every day? "actual people"
Kevin Muhuri@kevmuhuri·
@weezerOSINT I thought they lagged fixing this issue by at least 17 days. Now 8 months!
impulsive@weezerOSINT·
Still not patched, they emailed me 20 minutes after I posted this tweet calling it "high priority". Dude this was reported in August 2025, H1 only responded to the original researcher AFTER my tweet went up. Their own docs say every API request requires a Bearer token. This is a lie.
impulsive@weezerOSINT

Fireflies.ai is exposing US government emails and private meeting recordings to anyone on the internet. Zero authentication. I found 44 .gov employee emails from a single city agency through one API call. No login. No token. Nothing. Their GraphQL API returns full participant emails, meeting recordings, and AI-generated summaries to anyone who queries it. I had to censor the data myself.

impulsive@weezerOSINT·
I reported this to Fireflies on April 7th. They acknowledged it and asked me to submit through HackerOne. I filled out their own bug bounty form at fireflies.ai/bug-bounty instead.
impulsive@weezerOSINT·
@kevmuhuri Yeah it didn't get enough attention. I'm going to re-upload it with Burp Suite requests later on and a full analysis of everything. I contacted them a third time yesterday. I believe you should move to a more secure platform for meetings if you haven't already
impulsive@weezerOSINT·
Every public Notion page is leaking the email addresses of everyone who edited it. Zero authentication. No cookies. No tokens. One POST request returns full names, emails, and profile photos for every editor on the page. Your company wiki is public? Every employee's email is exposed. Right now. Reported in 2022. Still works in 2026. Like what is the point of even having a BBP thread
Kevin Muhuri@kevmuhuri·
@weezerOSINT Closely related. You posted about Fireflies a while ago but the tweet is gone. I want to see how exposed the org I work at is and assess other options if possible, or DM me if too sensitive x.com/weezerOSINT/st…
impulsive@weezerOSINT·
this 11 billion dollar company made a business decision to leave customer PII exposed.