kymu (@kymu___)
467 posts

just like to hack and review code, alhamdulillah

Algeria · Joined July 2024
227 Following · 623 Followers
SysTrack (@SysTrack40):
I don't think I've ever been this excited about a hat before. lol. Does this mean I'm a hacker now? Thanks @Hacker0x01
(image attached)
kymu (@kymu___):
@rudradas01 "this time i dont even know the details about the finding, just blindly submit and learn about the report later" this is bad :/ any AI user is required to know and validate what his hacking bot found, otherwise you're causing more triage delay for other hard-working hunters
Who am I? (@rudradas01):
So, apparently, vibe hacking is officially a profitable role... This guy got a bounty from Cloudflare... By vibe hacking...
(image attached)
kymu (@kymu___):
@zhero___ congrats brother, don't forget your brothers with the write-up
zhero; (@zhero___):
Received the first bounty payout for a browser vulnerability today. It was awarded the maximum bounty allocated for a critical issue and has now been fixed. It took some time, but I'm glad the impact was eventually understood correctly. I hope to start writing about this case soon. In the meantime, a small unrelated article should be published next week!

Quoted post from zhero; (@zhero___):
can merely visiting a website lead to cross-site data exfiltration from any site without user interaction? a "minimal" PoC has been validated, successfully exfiltrating, as a demonstration, the victim's gmail address. report submitted, hoping to provide more details soon

kymu reposted
vx-underground (@vxunderground):
(image attached)
kymu reposted
Kévin GERVOT (Mizu) (@kevin_mizu):
The #FCSC2026 ended today, and my write-ups are now available here: mizu.re/post/fcsc-2026… 🚩 I'm really happy with the challenges I managed to create this year! It would be too long to list everything, so here's a little teaser 👇 1/2
(image attached)

Quoted post from Kévin GERVOT (Mizu) (@kevin_mizu):
This year again, with @BitK_ and @_Worty, we've made the Web challenges 🚩 The CTF is solo and lasts 10 days, if you have some time, please give it a look 😁 Even if you're not doing Web challenges, there are challenges in various categories, you should find something you like!

kymu (@kymu___):
@Hajjaj0x they don't work on Friday and Sunday + they are receiving too many AI reports
Hajjaj 🇵🇸 (@Hajjaj0x):
Is HackerOne on vacation or what? I've submitted a lot of reports and nobody replied to me, not even the bot?
kymu reposted
André Baptista (@0xacb):
Race conditions in OAuth flows can still happen in custom implementations. Here's how to find it: During the token exchange, the server is supposed to treat an authorization code as single-use. If you race the token endpoint by sending parallel requests with the same code simultaneously, vulnerable implementations may issue multiple valid access tokens and some won't properly revoke all of them. Tools like Turbo Intruder or even a simple multi-threaded script sending concurrent requests to the callback URL with different tokens may trigger it. Further reading here: blog.avuln.com/article/4
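As an added illustration of the single-use requirement the post above describes (example code written for this page, not André Baptista's and not from the linked article), the following Python models a token endpoint two ways: a check-then-mark implementation whose gap between reading and writing the "used" flag lets parallel exchanges of one code all succeed, and an atomic consume that issues exactly one token and revokes earlier grants when the code is replayed, which is what RFC 6749 section 4.1.2 recommends. The in-memory code store, the 50 ms simulated database latency and the client id "app" are constructed for the demonstration; the race harness only calls the in-process objects.

```python
"""Added example (not from the post or the linked article): an OAuth token
endpoint consuming an authorization code in a racy and in an atomic form.
The code store, DB_LATENCY and the client id "app" are constructed here."""
import secrets
import threading
import time
from dataclasses import dataclass, field

DB_LATENCY = 0.05  # constructed: widens the read-then-write window for the demo


@dataclass
class AuthCode:
    client_id: str
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens issued for this code


class RacyTokenEndpoint:
    """Vulnerable pattern: read 'used', do other work, then write 'used'.
    Parallel exchanges that all read used=False before any of them writes
    used=True each receive a valid token: the multi-token outcome in the post."""

    def __init__(self):
        self.codes = {}

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthCode(client_id)
        return code

    def exchange(self, code, client_id):
        row = self.codes.get(code)
        if row is None or row.used or row.client_id != client_id:
            return None
        time.sleep(DB_LATENCY)   # e.g. a second query before the UPDATE
        row.used = True          # unconditional write, far too late
        token = secrets.token_urlsafe(24)
        row.tokens.append(token)
        return token


class AtomicTokenEndpoint:
    """Fixed pattern: check and mark are one atomic step (the SQL equivalent is
    UPDATE ... SET used=1 WHERE code=? AND used=0, then testing the affected
    row count). A replay of a consumed code revokes every token issued for it."""

    def __init__(self):
        self.codes = {}
        self.lock = threading.Lock()
        self.revoked = set()

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthCode(client_id)
        return code

    def exchange(self, code, client_id):
        with self.lock:  # consume-or-reject happens atomically
            row = self.codes.get(code)
            if row is None or row.client_id != client_id:
                return None
            if row.used:
                self.revoked.update(row.tokens)  # replay: kill earlier grants
                return None
            row.used = True
            token = secrets.token_urlsafe(24)
            row.tokens.append(token)
        time.sleep(DB_LATENCY)  # slow work stays outside the critical section
        return token

    def is_valid(self, token):
        return token not in self.revoked and any(
            token in row.tokens for row in self.codes.values())


def race_exchange(endpoint, code, client_id, parallel=10):
    """Release `parallel` exchanges of one code at the same instant and return
    the tokens that were issued. A correct endpoint yields at most one."""
    barrier = threading.Barrier(parallel)
    results = []

    def worker():
        barrier.wait()
        results.append(endpoint.exchange(code, client_id))

    threads = [threading.Thread(target=worker) for _ in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [tok for tok in results if tok is not None]


def demo():
    """Returns (tokens issued by the racy endpoint, tokens issued by the atomic one)."""
    racy, atomic = RacyTokenEndpoint(), AtomicTokenEndpoint()
    racy_count = len(race_exchange(racy, racy.issue_code("app"), "app"))
    atomic_count = len(race_exchange(atomic, atomic.issue_code("app"), "app"))
    return racy_count, atomic_count


if __name__ == "__main__":
    r, a = demo()
    print(f"racy endpoint issued {r} tokens for one code; atomic endpoint issued {a}")
```

The lock here stands in for whatever gives the real store a single atomic consume (a conditional UPDATE with a checked row count, a Redis GETDEL, or a compare-and-swap); the point is that the decision to issue a token and the change that forbids a second issue must be the same indivisible step. On the detection side, a code that produced more than one token, or a replay hitting an already-consumed code, is worth alerting on in its own right.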
kymu (@kymu___):
@hamidonsolo getting a crit in H1 has nothing to do with your cert status. It's like saying "I saved someone with injuries from death, why doesn't the university give me the doctor's diploma?" Irrelevant.
kymu (@kymu___):
@habiba_not @intigriti I think you don't get it. Just because they posted about it doesn't mean it will always be accepted. It depends on program rules, just like session fixation and stuff like that, which are also bugs, yet they are out of scope most of the time.
kymu (@kymu___):
@habiba_not @intigriti Our scenario needs physical access or a compromised Gmail to get the password reset link. 2FA is meant for cases when your credentials on test.com are stolen. Valid or not, the triager is following the program rules and doing his job; Intigriti is not responsible.
Habiba0x00 (@habiba_not):
@K3S3l7 @intigriti I don't agree, because 2FA is just an extra layer, not a one-time pass. Intigriti itself wrote a blog about bypassing it, and all of them come after the enter-your-credentials step. Additionally, I saw a lot of accepted reports about any way of bypassing it, because the issue is not ATO.
kymu (@kymu___):
@Hajjaj0x I believe the quoted post's report title is "unauthorized account creation", which means it's not allowed to create an account in the first place. This is irrelevant to your case. Some employee dashboards don't allow signing up; if you can sign up, then it's a bug.
Hajjaj 🇵🇸 (@Hajjaj0x):
@K3S3l7 I get it, no impact, I totally agree, but I wonder why it got accepted in the quoted post??