Matt Austin

923 posts

@mattaustin

I hack.

Los Angeles, CA · Joined August 2007
1.4K Following · 1.9K Followers
Zack Korman @ZackKorman
The @browser_use SOC 2 page made me laugh out loud. Audited by the best: Arthur Andersen in partnership with Enron.
Matt Austin @mattaustin
@nmatt0 @Yassineaboukir Had H1 triage lower the severity of an RCE because: “[app name] and to be installed and running for the exploit to work.” … maybe one day I will find that magic elusive RCE I can pop with it running or being installed.
Matt Brown @nmatt0
@Yassineaboukir Same happened to me this week. Dupped vulns reported in 2024... But I've got a crit and a high triaged so hopeful. Might have found my new fav program.
procrastinate @sophistocation
@RepNancyMace .....stop using Charlie's good name for your propaganda/rhetoric bs. Ffs
Matt Austin @mattaustin
@ctatedev When will agent-browser be production ready and out of labs?
Chris Tate @ctatedev
Introducing the agent-browser dashboard
See exactly what your agent sees
→ Watch headless browser in real time
→ Manage all your sessions in one place
→ Debug with activity, console, network, and storage panels
agent-browser dashboard start
Riley @NathanEatsSoup
@mattaustin @mindragon @hardwarecanucks When I first started networking, I bought a $20 business class PC on marketplace and the cheapest Intel PCI NIC I could find. I tested Sophos, OPNsense, pfSense, and others. It was a great and cheap entryway into building your own routing firewall. YouTube it 🙂
James Kettle @albinowax
@zseano That's the coolest swag I've seen since Facebook's whitehat credit cards back in like 2014. Less risky to post photos of, too.
Matt Austin @mattaustin
@ctatedev When will this be out of labs and be considered production ready?
Chris Tate @ctatedev
agent-browser v0.20.1 - v0.20.14
The community is on 🔥

FEATURES
- Embed cursor-interactive elements into snapshot tree
- Add --idle-timeout CLI flag for daemon auto-shutdown
- Add Brave Browser support to auto-connect CDP discovery
- Add linux-musl (Alpine) builds for x64 and arm64

BUG FIXES

Snapshot & Screenshot:
- Use DOM textContent as fallback name for cursor-interactive snapshot nodes
- Resolve snapshot -C and screenshot --annotate hang over WSS
- Resolve snapshot hang over remote CDP (WSS) connections
- snapshot --selector scopes to the matched element subtree
- Restore refs dict in --json snapshot output
- Re-query accessibility tree when backend_node_id is stale

CDP & Connectivity:
- Propagate --cdp flag to daemon for reliable CDP reconnection
- Support remote host in CDP discovery
- Restore WebSocket streaming in native daemon
- Filter chrome:// internal targets from auto-connect discovery
- Handle broadcast channel lag instead of treating it as stream closure
- Support consecutive --auto-connect commands

Chrome Launch & Stability:
- Retry Chrome launch up to 3 times on transient startup failures
- Prevent daemon panic on broken stderr pipe during Chrome launch
- Add --disable-dev-shm-usage for Chrome in CI/container environments
- Fix Windows auto-connect profiling

Input & Interaction:
- Use correct VK codes for punctuation in type command
- Restore Playwright-parity check/uncheck for Material Design controls

Recording:
- Recording produces correct video duration with real-time ffmpeg encoding
- Use VP9 codec for webm recording output

Network:
- Fix network idle detection for cached pages by observing 500ms idle period

Compatibility:
- Accept integer nodeId/childIds in AX tree for Lightpanda compatibility
- Add appium: vendor prefix to iOS capabilities for Appium v3

CI & Misc:
- Remove unused pnpm setup from global-install CI job
- Improve postinstall message to detect existing Chrome installations
- Remove obsolete BrowserManager TypeScript API from README
- Fix Chrome temp-dir cleanup test on Windows
- Correct e2e test assertions for diff_snapshot and domain_filter
- Correct misleading SIGPIPE comment
Matt Austin @mattaustin
@delmoi @eevblog No this is just lame engagement bait. Not an actual leak or anything.
忍者の神 Marxist-Yeagerist ⌬
@eevblog It's literally just doing a hash check? So if you just add some padding or whitespace to your file it will still print? What's insane is, pretty much anyone in the US can just go buy a gun.
Dave Jones @eevblog
LEAKED: The new code for all 3D printers to comply with California code AB 2047 for firearm detection has been leaked:
Matt Austin @mattaustin
@MiamiNiiice @realmikolson Nope. Just saying it’s clearly performative to draw a symbol on your forehead for and running around for everyone to see. I just think it’s silly to argue it’s not.
Mikale Olson @realmikolson
“But when you fast, anoint your head and wash your face, so that your fasting will not be obvious to men, but only to your Father, who is unseen. And your Father, who sees what is done in secret, will reward you.” Matthew 6:17-18 It’s almost like the Bible explicitly tells us to do the opposite of what Roman Catholics are doing right now with Lent.
Matt Austin @mattaustin
@MiamiNiiice @realmikolson Anything “can be” but literally drawing on your head and walking around all day. You do you, but come on man… There is not much more performative than that. lol 😂
Mustache'io Ice Cream @MiamiNiiice
Quite literally anything you do that can be seen by other people can be called performative. Oh you washed your hands after using the toilet? Wow so performative bro. Catholics do the ash cross ONCE A YEAR and people are acting like they flagellate themselves in the streets every weekend.
Mustache'io Ice Cream @MiamiNiiice
Not Catholic, but people acting like a ONCE A YEAR tradition is a sign of performative self aggrandizing religiosity is absurd. What the hell does an ash cross have to do with fasting? Nothing, just because people give things up for lent doesn't mean literally everyone with an ash cross on today is fasting and that their ash cross is a representation of that. You're making shit up in YOUR HEAD to bash them PUBLICLY so YOU CAN MAKE YOURSELF LOOK GOOD. You're a retarded hypocrite.
Jonathan Brossard @endrazine
Symantec killed Bugtraq in 2020 and let the domain lapse. Now it's squatted for $175k. The NVD has 120,000+ broken links pointing there. The security community's memory is being held hostage. Let's buy it back! Please donate/spread/tag/RT 🙏 gofund.me/69b07ba83
Matt Austin @mattaustin
"0-click Arbitrary file write leading to RCE and SSRF" but the HackerOne triage closes as Informative: "If you are able to leverage this into a practical exploitation scenario, we will be happy to reevaluate this report" lol.. I honestly don't know how to respond to this
Matt Austin @mattaustin
I finally put together a writeup for a Winboat "drive by" Client RCE + Sandbox escape (host rce): hack.do/posts/winboat-… Fixed in v0.9.0
AJ Stuyvenberg @astuyve
Time to upgrade your node deployments:
Matteo Collina @matteocollina

Today, @nodejs published a security release for Node.js that fixes a critical bug affecting virtually every production Node.js app. If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks. 👇

Matt Austin @mattaustin
@nmatt0 For a second I thought you were doing “chip on” FW extraction. Should have known better. 😂
Matt Brown @nmatt0
Shut up STM32, I have the talking stick.
Ghost St Badmus @commando_skiipz
This is a standard practice for almost all Tier-1 banking applications in Nigeria, and for some fintech applications I’ve previously performed pentests on. Client-side encryption isn’t a total waste, or a waste of compute, as some people have claimed, but rather a measure to protect against API tampering or API request/response manipulation between the client and the server when implemented properly. Even with HTTPS, attackers can capture a decrypted version of web or mobile API data in transit because the browser and the server establish a level of trust during the TLS handshake. Attackers can leverage this trust to capture & proxy already-decrypted traffic, tamper with it, and then forward it to the server. This allows them to override what the user interface or client is originally supposed to send and replace it with data of their choosing. That is why validation needs to be performed on both the client and the server side. To wrap up, encrypting API requests and responses makes it significantly harder for attackers to tamper with data, even if they capture the traffic, unless they have access to the encryption details (algorithm, encryption mode, key size, secret key, and initialization vector), assuming asymmetric encryption is used. In the demo below, you can see how I discovered additional parameters (balance, is_admin) in the API response, captured the registration API request, despite it being sent over HTTPS from the interface, added the discovered parameters, and successfully inflated my balance to 50 billion and also escalated my privileges to admin, and ultimately deleted the accounts of two live users/customers. In the second slide, I captured an API traffic of a bank app, and you can see how difficult the payloads are to read.
Prime 👨🏽‍💻👾🤖 @prime_sui

Never thought encrypting your password before sending to your backend was a thing until 2 days ago

\Ilyas ;) @Cyber78678
"Vercel paid 50k to one researcher so far" in my opinion it's a trap to reward one and fix the rest of the variants of all the bypasses as Duplicate. Don't be foolish enough. This reward is for someone for some reasons. You know what I mean!!! #React2Shell
Matt Austin @mattaustin
@justfly1984 @mehulmpt What eval? The bug was in dynamically building the object in an unsafe way. The payload builds the function constructor it needed…no eval in the codebase.
Alexey Lyakhov @justfly1984
@mehulmpt Crazy to think about who and why put the fucking eval into the codebase itself. It’s either criminal negligence and incompetence or intentional conspiracy.
Mehul Mohan @mehulmpt
I have spent the last 4 hours understanding React2Shell deeply (video soon). The exploit itself is relatively complex to piece together, but the code that enables that exploit is a hot mess. This RCE issue was there for multiple months. Crazy to think about it.