Matheus Vrech

Found a full-blown CSP bypass on the current version of Firefox (69). Not working on the beta version. PoC: abrasax.club/?payload=<object data="javascript:alert(1)"></object> #bugbounty

@caueobici @girorme1 Historias que seu avo nunca lhe contou sobre firebase - @vrechson & @Highustavo Imagens sao dificeis - Thumbor 0days - @caioluders SunCodeQL - Resolvendo a Complexidade do Frontend com SAST - m4z4r0p3 m4qu1n4 d0 mund0.ANS - gld

🚨: This is Tatiana Sampaio, a Brazilian scientist who restored movement in six paraplegic patients.

We found a RCE in Google's AI code editor Antigravity - $10000 Bounty Link to the blog in comments:

I began looking into browser security issues again in 2026 and while reviewing extension permission APIs, I noticed that the default declarativeNetRequest API (which only requires permission to block content on all pages) can be leveraged into a side-channel attack. This permission ends up allowing an extension to infer the full URL of open tabs without requesting the chrome.tabs permission, and it can also leak the full URL of cross-origin redirects. Unfortunately, fixing this issue has been deemed unrealistic by Chrome, and the risk has been accepted, so it is worth keeping this in mind when granting content-blocking permissions to browser extensions. The complete public report can be found at issues.chromium.org/issues/4792584….

Leaking FXAuth Token leading to account takeover ($65,000) ysamm.com/uncategorized/… Instagram account takeover via Facebook Pixel script abuse ($32,500) ysamm.com/uncategorized/… Multiple XS-leaks disclosing Facebook users in third-party websites ($8,400) ysamm.com/uncategorized/…

🟥 Positive Hack Talks → São Paulo 🇧🇷 Dec 10th, 2025 🗣️ Speakers — submit papers (flights/hotel covered). CFP link in thread 👇 💻 Cybersecurity community — join our most community-driven event. ➡️ phtalks.ptsecurity.com/saopaulo Free · 8 talks · limited spots #PHTalks

@sanseverini amiga se precisar de ajuda para recuperar o insta posso tentar ver oq ta rolando

Consegui bloquear quase todas as contas (as que as senhas poderiam estar comprometidas) e consegui trocar as senhas dos e-mails. Ainda não recuperei o Instagram, apesar de ter conseguido trocar a senha também. O app do governo: nem sei pra que tinha, não serviu pra nada.

Aproveitar que tô esperando atendimento da @TIMBrasil no shopping pra contar o que aconteceu: Ontem tava indo no show de amigos, lá pelas 21h30, subindo a Belmiro Braga sentido Casa Rockambole. Tava no celular com um amigo, o Rafa. Eu tinha ligado pra ele de fone, mas a (1)

🚨 CFP aberto — Bug Bounty Village @ H2HC 2025 🚨 Achou um bug insano, bypass criativo ou tem case real de pentest/bug bounty? Manda sua talk! 👉 docs.google.com/forms/d/e/1FAI… #H2HC #BugBounty #Call4Papers #HackerCulture

The future looks wild. We’re just getting started 🚀 Personally, I’m grateful to be building this with the greatest team @zeyu1337 @rootxharsh @LiveOverflow @haqpl, @ungrad_engineer, and @ElectrovoltSec team . Read the full blog here: hacktron.ai/blog/introduci…

Securing @gumroad with Hacktron AI Three months ago, Hacktron was still early. @HacktronAI and @rootxharsh were finding 0-days targeting specific vulnerabilities on OSS software. Then we ran a full pentest-style scan on a big open-source project. The results were insane. 🧵

Nice to meet with such brilliant team!

@caioluders @lucasteske @travisgoodspeed 👀

@lucasteske @travisgoodspeed @vrechson brinque com coisas @vrechson

Hey @travisgoodspeed I want a signed copy next time you get to Brazil 👀👀👀

@skaesun eu tbm fiz isso kkkk depois fiquei meio triste quando comecei o original pq a qualidade da gravação é pior mas o final é mtooooo melhor

eu assisti steins gate errado eu assisti só o steins;gate 0 ACHANDO QUE TINHA ACABADO POR ALI E QUE ERA ISSO eu quero me churrascar QUEM FAZ ISSO mas tô feliz q tenho mais pra assistir mas pqp culpa da crunchyroll fds

We tested a pre-release version of o3 and found that it frequently fabricates actions it never took, and then elaborately justifies these actions when confronted. We were surprised, so we dug deeper 🔎🧵(1/) x.com/OpenAI/status/…

Brazil made history last weekend, and of course, ELT was a part of it! Thanks @GaneshICMC , @boitatech , @gris_ufrj and #hawksec_unifei for partnership! We got 17th place, the best brazilian result, at #DEFCONCTF Quals as "pwn de queijo"! Thanks @hackaflag for hosting us!

#genuary7 #genuary2025 Use software that is not intended to create art or images. youtube.com/watch?v=lTuvI9… Bad apple but its HTTP in Burp Suite

Seeing paulosyibelo.com/2024/12/double… in PortSwigger's top 10 made me remember a trick I found a few years ago, where if a button has an ID attribute, you can trick users into submitting it by holding enter (or space). Guess lots of places are affected 😅 PoC: lbherrera.me

We're thrilled to share that we'll be joining @h2hconference this December in Brazil, and we want YOU to be a part of it! 🎉 Our Call for Papers is officially open! sessionize.com/rtv-hackers-2-… We can't wait to see what you've got and to connect with all of you in person. See you there for an unforgettable time! 🙌✨ #H2HConference

Hope to find a growing infosec community in blue sky, I would honestly be happier if I could move to another social network forever

Seeing that Pwn2Win isn't happening this year, here's an unreleased beginner-level XSS challenge I created for it (shouldn't be too difficult). lbherrera.me/challenge