Ciarán Cotter

Excited to launch this with @busf4ctor. We'll be posting some of our research over the next few weeks 😁 so make sure to follow. Really looking forward to seeing where this goes!

wtf. the tanstack attack just went live. we flagged this exact chain 25 days ago. april 16. All Depi clients were alerted. if you're using @tan_stack check your manifest files right now 1.166.12, 1.166.15, 1.169.5, 1.169.8 are malicious. clean your cache. rebuild.

@busf4ctor Bro you’re literally 33% of the bounty split

@monkehack congo writeup sir

Just gonna vaguepost this one as well and do an evil laugh in the corner

@busf4ctor @rez0__ That sounds like I’m launching a shitcoin

@monkehack @rez0__ can I have two monke tokens for a coffee tomorrow?

Everyone has the same number of time tokens every day. Spend them wisely.

@valent1nee It’s crazy how often ..; works lmao. Also you can combine it with secondary context so you can traverse a different server due to routing. Like /some/route/..;/manager/html or whatever. Proxies are so fun to mess with

@monkehack Brought some memories back :,) If you have a reverse proxy, sometimes /..;/shell.jsp works too.

🐵 MonkeHacks #97 Progress, Ireland, Human Tokens #bugbountytips #hacktheplanet #BugBounty monke.ie/p/monkehacks-97

@rez0__ @xssdoctor Not to mention Waymo in some cities, we have instant video on tiny handheld devices, personal assistant AIs, a hacker is one of the most powerful jobs in the world, and our cities are dying of pollution! Woohoo! Halfway to the post-apocalypse hellscape genre

I was just telling @xssdoctor this: We are living in a cyberpunk future. - Our cars drive us around (we both have fsd teslas). - We use AI agents to find bugs. - We sometimes get paid in virtual currency. - We use that to buy more AI agents to find us more bugs. ENJOY IT MORE

Shoutout to @7urb01’s channel. He’s probably one of the best client side guys in the business and you get to witness his unfiltered thought process on his channel as he reviews research and gets sidetracked. This is a MUST follow resource: @7urb0one" target="_blank" rel="nofollow noopener">youtube.com/@7urb0one

He made the windows hug and now the LLM no longer bullies him by rolling to refuse to cooperate when triage tries to reproduce the bug. Thanks doc. Healing the world one iframe at a time. Research Review. youtu.be/2ZvHGtZuWPU

Unfortunately, most jurisdictions see the act of using a hardcoded API key to retrieve the data of other users as computer misuse, so more or less yes. It sucks but that's how it is. Without clear permission from the company, they can press charges for that. A lot of us are working hard to try and change that and get better laws in place for responsible disclosure but it's an ongoing process. Personally, I've done an interview with the Irish government to discuss vulnerability disclosure policy. We're all on the same side. Posting stuff like this until those laws are passed is always going to be a risk. Maybe that's a risk you're accepting but that's not my problem.

@monkehack @4osp3l "Someday he'll fuck up and get arrested but that sure as hell isn't our problem." Arrested for what exactly? receiving a hardcoded api key on my phone?

LOL what are you talking about? I'm obviously not calling for your arrest. I hope for your sake that you don't get arrested! I'm telling you that there are companies that are much more trigger-happy with lawsuits, and that each time we disclose findings like this, it's always a risk! Look at the CTF guys in Malta who got arrested for responsible disclosure - it can happen to anyone.

@monkehack @4osp3l Now you are calling for my arrest on X are we seeing this shit? LOL

I think he's been pretty reasonable in public! So we can agree to disagree there :) many of us who do this for a living actively defend hackers and the hacker cause behind the scenes. Things would be much, much worse if we didn't hack people like him defending hackers directly with the platform staff. :P

I know rez0 is a good guy. I have seen a lot of what he's done and have learned from him myself. However, what's done behind the scenes is less perceived than what's done in public, and his behavior in public in front of his 71,000+ followers is naturally perceived more. And that's why I said what I said.

A lot of people probably do not have the guts or balls to say this but I will say it. I have noticed that a lot of known security researchers are almost "in bed" with Hacker platforms and forget where they came from or just don't care anymore because they've already made it. The only one that I haven't seen like this is @Jhaddix. Every single time I see someone stand up for themselves against the atrocious injustices and ACTUAL unethical practices of these Hacker platforms against security researchers, I see these big names white-knighting for the platform, as if the platform isn't already a multi-million or multi-billion dollar corporation with multiple white knights on their payroll already. And it's honestly very disappointing and frustrating. People like @rez0__ and @InsiderPhD are prime examples, and should be using their platform to fight for the bug hunters, not against them. It's honestly not only incredibly disrespectful but also a massive letdown. Like, we see these people as not only peers but pillars in the community. For me personally it pains me to write this this since I followed the Critical Thinking podcast in the past, the podcast "by Hackers for Hackers" by the way, unless apparently you post about a Hacker platform hosting a corrupt program that is ghosting you and not paying you for your find. And that my friends is an example of what's become the downfall of the entire bug bounty ecosystem: say one thing, do another. Hacker platforms say they'll pay you X bounty for Y finding, and when you do the report and follow their own "good-faith" principles, they'll downplay your find, ghost your requests, and scam you of your bounty. And the same people you thought were there to defend you when you try to take a stand are actually waiting to be outraged by your stance instead, because they've "met" and "are friends" and "partied at DEFCON" with employees from these platforms 🤡. STOP defending hacker platforms and START defending the hackers, THE PRODUCT. Without us hackers these platforms would be useless.

Who wants to meet me at Def Con sticker swap this year to get stickers of the latest infosec drama à la Jonathan Scott?

@Rhynorater He'll do it until a company comes after him with a lawsuit and then he'll realise why the rest of us who've been around for a while don't do that

-_- now he's just gonna keep dropping stuff.

@abdilahrf @Rhynorater it's borderline extortion

@Rhynorater But it has been returning good, from dup, informative become bounty 2k 5k what do you think?

@Infin1e @devdudearw @weezerOSINT Depends on your motivations as a hacker

@monkehack @devdudearw @weezerOSINT and do you think a single person has so much energy to fix a mistake a corpo made?

Absolutely reckless to post this while it’s unfixed - please don’t do this, calling out the company is fair but not at the expense of the users. There’s a right way to go about this type of situation.