Corrupt Data

@4osp3l You’re able to find such simple bugs in this AI era. That too after so many months. Amazing!

Triaged 🔥 I didn’t even expect to find this vulnerability today because I had already tested this subdomain a few months ago and never came across the OTP bypass at the time. Earlier today, I decided to revisit some of my old reports and stumbled on the subdomain again, so I thought of giving it another shot. That was when I suddenly found a valid OTP bypass. Here’s how it worked, I created an account as a victim user and logged in. After login, I was redirected to a page showing a message similar to “Verify OTP to Continue.”, I tried directly accessing user profile pages and other authenticated endpoints, but the application blocked access from the UI because the OTP verification was still pending. I then turned on Burp Suite intercept and captured the GET request made from the OTP verification page. The request already contained the authenticated session cookie, and by replaying that request manually, I was able to access functionalities that should have required successful OTP verification. Using the same authenticated session, I was able to perform actions such as modifying account data ( I.e EMAIL, which could potentially lead to ATO ), which was not possible directly through the application interface before completing the OTP step.

🚨 $10 Million stolen from THORChain. 36 BTC + $7M in other coins were siphoned before the network auto‑halted. Crypto platforms are under siege. User funds may be “safe,” but trust isn’t. Reference: therecord.media/more-than-10-m… #CryptoHack #CyberSecurity

@thezdi @orange_8361 @d3vc0r3 @NuskLabs Follow this user and comment on their posts

Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin

@GitHubSecurity It doesn’t add up

Here are our April bug bounty stats! ✅325 bounty reports submitted 👥226 hackers participated in our program 💰Awarded $2,367 in bounties Found a vulnerability? Submit it here: bounty.github.com.

@hakluke @GitHubSecurity I think they missed a 0 in the end of the bounty amount but way too low a number, still.

@GitHubSecurity Those stats are definitely wrong!

🚨 $630M vanished in April’s crypto hacks. 30 crypto hacks aren’t just theft, they’re stress‑testing finance. Funds face liquidity crunch, collateral collapse & investor panic. Source: binance.com/en/square/post… #BreakingNews #HackAlert #CyberWar #CryptoScam

🚨 AJAX apps = security minefield. Treat ALL data as untrusted. Avoid innerHTML, never use eval(), validate inputs, and enforce CSRF. Security is a mindset, not a patch. 🔒 source: cheatsheetseries.owasp.org/cheatsheets/AJ… #OWASP #JavaScrip

🚨 BREAKING: $200K drained in seconds. AI agents Grok + Bankrbot tricked via Morse code → 3B DRB gone. Prompt injection isn’t a theory; it’s draining wallets live on Base. source: cryptopolitan.com/user-tricked-g… #DidYouKnow #StaySafe #GameChanger #NextGen #BigNews

🚨 Europe’s watchdog warns: AI is turbocharging cyberattacks. Mythos exploits unseen flaws, tensions fuel risk. Cybersecurity isn’t IT anymore; it’s systemic market risk. Reference: thenews.com.pk/latest/1400258… #CyberSecurity #AI

🚨 A decade-old Linux bug (CVE-2026-31431 “Copy Fail”) gives attackers ROOT access. PoC exploit is live. Cloud/K8S at risk. Agencies told: patch in 2 weeks. Defenders act now! Reference: securityweek.com/exploitation-o… #Linux #RootAccess #cybersecurity

@rez0__ Sarcasm?

thank you claude

@ArmanSameer95 @Bugcrowd Bug type?

I earned $94,000 for my submission on @bugcrowd bugcrowd.com/h/{id: "tess"} #ItTakesACrowd

2FA is hitting the physical world. 🛡️ From biometric car starts to 2FA for medical pumps and IoT, security is now a frontline defense for our lives, not just our logins. 🚗🏥 Reference: darkreading.com/endpoint-secur… #SmartDevices #CyberSecurity #2FA

“Beyond IT: Cybersecurity is a Strategic Business Risk” Cyber risk is no longer “just IT.” Regulators are treating it as a strategic business risk. 8,500 individuals’ data exposed. No MFA, no incident response plan. C suite accountability now in the spotlight.

PowMix, a newly discovered botnet, is targeting Czech workers with advanced evasion tactics and dynamic C2 migration. · Randomized C2 intervals evade detection ·Encrypted heartbeat data mimics REST APIs ·Commands: #KILL & #HOST This isn’t just malware, its cyber survival.

@snellchapo @thedawgyg Because he has multiple max subscriptions of Claude

@thedawgyg Why is fuzzing costing you $1000

They spent $20k finding their bugs, while I spend less than $1000 on my fuzzing setup and found alot of the same bugs (several in their announcements i found and have in my 'to report' docs since they werent exploitable beyond DoS). i havent found 'thousands' but i have found nearly 1000 since December. And the VAST majority that have been found with AI and fuzzing are Null Ptr Derefs. and as mentioned, they are almost never exploitable on modern systems since memory at 0x0000000 cant be mapped to anything anymore. (it cant with like +8/16/32/64 offsets either, i forget what the first usable spot is but its not anywhere near a null ptr deref location). Mythos might be good at finding bugs, but it is not finding things that would set the internet on fire in most instances. im sure they found some nice bugs in their thousands, but most of them would be DoS impact at absolute most.

AI just crossed the red line in cyber warfare. Claude Mythos Preview spotted flaws that survived decades of human review. 27-year-old bug in OpenBSD 16-year-old flaw in FFmpeg Linux kernel escalation exploit Cyber security has entered the AI arms race.

LinkedIn accused of scanning 6,000+ browser extensions, exposing religion, politics, health & even job hunting 👀 Data allegedly shared with human Security. LinkedIn denies it. If true, this isn’t just a privacy breach, it’s corporate espionage at scale.

🚨 Attackers don’t drop malware; they use your tools. 84% abuse PowerShell & more. Attacks look normal, huge unseen attack surface. Your biggest risk isn’t external. It’s already inside your environment. Reference: thehackernews.com/2026/04/3-reas… #CyberSecurity #InfoSec #CyberThreats

Russian-linked hackers bypass secure apps by tricking users into handing over verification codes. •FBI + CISA: thousands of accounts compromised •Targets: officials, military, journalists •Signal confirms phishing, not infrastructure breach ⚠Think before you click.