xerxes

16 posts

@rip_xerxes

noob hacker full time student studying Japanese

Joined March 2025
95 Following, 120 Followers
p0psec@p0psec·
After DefCon, I started bug bounty hunting, made $5,200 on @Bugcrowd and completed an @intigriti CTF. Looking back, I’m proud of what I accomplished in 2025. I’m taking 2 weeks off. See you all next year! 🥳
xerxes@rip_xerxes·
just spent ~11 hours making and fixing a poc for this stupid cors bug. never testing cors ever again after this lol
xerxes@rip_xerxes·
always take into consideration the context of the application youre targeting and think of attack scenarios that their users would actually be concerned about. this can turn what would normally be a non-issue into a valid bug!
xerxes@rip_xerxes·
and I forgot to mention that it reports with no severity, which worries me even more. safe to say im never using this again. ended up spending more time writing the report than I normally would
xerxes@rip_xerxes·
tried using h1's report assistant and I made the worst report I have ever submitted. The title looks like there is no impact and I didn't notice it was changed before I reported. I wrote the report to game the ai to what I want rather than to detail the bug accurately and failed
xerxes@rip_xerxes·
css injection is EVERYWHERE.
xerxes@rip_xerxes·
waking up at 3-4 am has led to me putting so much more time into bug bounty than i would otherwise.
xerxes@rip_xerxes·
@efaav Huge issue!!!1
Faav@efaav·
Part II: I found a bypass to Microsoft's fix using a Timing Attack to leak the Microsoft Event Registration database again! Here's the writeup: blog.faav.top/microsoft-even… #BugBounty #bugbountytips
Faav@efaav

I found another vulnerability to leak the Microsoft Events Registration and Waitlist databases, this could've leaked tons of PII. Here's the writeup: blog.faav.top/microsoft-even… #BugBounty #bugbountytips After this, I found a bypass to Microsoft’s fix and will be releasing Part II in a few days.

xerxes retweeted
Sam Curry@samwcyo·
Earlier this year, @infosec_au and I discovered multiple vulnerabilities that allowed us to access the back office admin panel of ClubWPT Gold (the World Poker Tour's website) where we could manage customer data, KYC, and more. Read the writeup here: samcurry.net/hacking-clubwp…
xerxes retweeted
Nagli@galnagli·
We accidentally got access to every Academy Award nominee's home address and phone number.

Before last year's Oscars Ceremony, together with @iangcarroll and @samwcyo, we found a way to leak every nominee's PII, including phone numbers and home addresses of the biggest actors around the world - from @ladygaga to @JaredLeto.

We were interested in the security of award ceremony shows, especially with the rise of @Kalshi and @Polymarket betting on winners. We wanted to check if it would be possible for an attacker to leak the winner before the official announcement.

While we didn't find evidence of that, we did notice that two of the Academy Awards' primary services had their APIs publicly facing without any authentication. One offered general information about the ceremony, and the other allowed nominees to sign up and vote.

The first one - globalservices.oscars.org/Payments/GetHi… - allowed us to fetch every transaction made to sign up as a nominee for the Academy Awards, including member IDs and last four digits of credit cards.

With one request, we could get hundreds of contact IDs which could be chained with another API to correlate them to actual Hollywood actors via submissionsapi.oscars.org/api/Report/Get…{ID}

Randomly skimming through the results, we saw they leaked full names, home addresses, phone numbers, email addresses of famous Hollywood stars.

We responsibly disclosed the findings to the Academy Awards on January 14th, which were promptly fixed.
narak@0xujasis·
@rip_xerxes What's your method to read it? Any tools?
xerxes@rip_xerxes·
always read the javascript. you will never expect the miracles you find.
xerxes@rip_xerxes·
ive been struggling to find a target to actually put time into. i keep starting and switching programs all the time.