Aditya Dixit

2.6K posts


@zombie007o

Research Lead at CredShields | Pentest Team Lead at Cobalt and HackerOne | OSCP | AWS Sec | Tweets about security in Web2 and Web3.

India · Joined July 2017
926 Following · 1.3K Followers
Pinned Tweet
Aditya Dixit @zombie007o
You must have seen some mobile apps sending encrypted traffic/data in the POST body. Want to know how it can be manipulated? I just wrote a blog about one such case where I was able to break client-side AES in an Android app using 3 chained proxies blog.dixitaditya.com/breaking-aes-t…
Aditya Dixit retweeted
vx-underground @vxunderground
Good news everyone. Shai-Hulud, that spoopy Git worm thingy everyone's been yapping about, has been open-sourced. What does this mean? TeamPCP, or someone else, has released the fully weaponized worm for you. github.com/hmoreirar/Shai…
Aditya Dixit retweeted
Bad Sector Labs @badsectorlabs
CopyFail (CVE-2026-31431) in Go. In case you want to get root from a static binary without Python as a dependency. github.com/badsectorlabs/…
Aditya Dixit retweeted
vx-underground @vxunderground
CVE-2026-31431 a/k/a CopyFail > Linux LPE > Description sounds like AI slop > Exploit is legit > Impacts every Linux kernel from 2017 - Now > Proof-of-concept released > It's Wednesday? copy.fail
Aditya Dixit retweeted
International Cyber Digest @IntCyberDigest
🚨 BREAKING: cPanel and WHM, the control panels behind an estimated 70+ million websites, have a critical security flaw that lets anyone become root admin without a password. CVE-2026-41940 affects every supported version. It’s already being exploited in the wild. watchTowr Labs published the full attack today, after the hosting company KnownHost confirmed the bug was already being used to break into a significant chunk of the internet.

If you've never heard of cPanel: it's the dashboard that hosting providers and millions of website owners use to manage their servers, domains, email accounts, databases, and SSL certificates. WHM is the admin version that controls the entire server. If someone gets root access to WHM, they get the keys to the kingdom and to every apartment inside it.

How the attack works, in plain English:

🔴 Step 1: The attacker sends a deliberately wrong login. cPanel still creates a temporary "you tried to log in" record on disk and gives the attacker a cookie tied to it.

🔴 Step 2: The attacker tweaks the cookie to disable cPanel's password encryption. Normally cPanel encrypts the password field on disk. With one small change to the cookie, cPanel just stores it as plain text instead.

🔴 Step 3: The attacker sends a fake login attempt where the password field secretly contains hidden line breaks. cPanel does not strip these line breaks out, so they get written straight to the session file. Each line break creates a brand new fake record. The attacker uses this to inject lines that say "this user is root" and "this user already authenticated successfully."

🔴 Step 4: The attacker visits one more random page on the site to nudge cPanel into re-reading the file. cPanel then promotes the injected fake lines into its main session memory.

🔴 Step 5: On the next request, cPanel sees a flag that says "this user already passed the password check." cPanel trusts that flag, skips checking the actual password, and lets the attacker in as root.

From start to finish, the attack takes a handful of HTTP requests. If you run cPanel or WHM, the patched versions are:

🔴 cPanel/WHM 110.0.x → 11.110.0.97
🔴 cPanel/WHM 118.0.x → 11.118.0.63
🔴 cPanel/WHM 126.0.x → 11.126.0.54
🔴 cPanel/WHM 132.0.x → 11.132.0.29
🔴 cPanel/WHM 134.0.x → 11.134.0.20
🔴 cPanel/WHM 136.0.x → 11.136.0.5

If your version is older than these, assume someone has already broken in and act accordingly. Patch right now, then rotate every password and key the server touched: root passwords, API tokens, SSL private keys, SSH keys, mail passwords, and database passwords.
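A small defender-side check for the patch table in the post above, added here as an example and not part of the original tweet or of cPanel's own tooling: it parses an installed cPanel/WHM version string, finds its branch, and compares it numerically against the fixed build listed for CVE-2026-41940. The sample version strings are constructed; reading the live value from the server (for instance from /usr/local/cpanel/version) is an assumption on my part.

```python
import re

# Fixed builds per branch, exactly as listed in the post above for CVE-2026-41940.
# Keyed by the branch number, i.e. the second component of the version string.
PATCHED_VERSIONS = {
    110: "11.110.0.97",
    118: "11.118.0.63",
    126: "11.126.0.54",
    132: "11.132.0.29",
    134: "11.134.0.20",
    136: "11.136.0.5",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '11.118.0.40' into (11, 118, 0, 40) so versions compare numerically."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised cPanel version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def check_version(version: str) -> tuple[str, str]:
    """Classify an installed version as 'patched', 'vulnerable' or 'unsupported'.

    'unsupported' means the branch is not in the fix table at all; per the post,
    such hosts should be treated as already compromised and upgraded.
    """
    parts = parse_version(version)
    if len(parts) < 2:
        raise ValueError("version needs at least major.branch, e.g. 11.118.0.40")
    branch = parts[1]
    fixed = PATCHED_VERSIONS.get(branch)
    if fixed is None:
        return "unsupported", f"branch {branch} has no listed fix; treat as compromised"
    # Tuple comparison is component-wise, so a shorter string like '11.118' sorts
    # below '11.118.0.63' and is conservatively reported as vulnerable.
    if parts >= parse_version(fixed):
        return "patched", f"{version} >= {fixed}"
    return "vulnerable", f"{version} < {fixed}; patch now and rotate credentials"


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ("11.118.0.40", "11.118.0.63", "11.110.0.100", "11.102.0.30"):
        print(v, *check_version(v))
```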
Aditya Dixit retweeted
impulsive @weezerOSINT
every public Notion page is leaking the email addresses of everyone who edited it. zero authentication. no cookies. no tokens. one POST request returns full names, emails, and profile photos for every editor on the page. your company wiki is public? every employee's email is exposed. right now. reported in 2022. still works in 2026. like what is the point of even having a BBP thread
Aditya Dixit retweeted
impulsive @weezerOSINT
Lovable has a mass data breach affecting every project created before November 2025. I made a Lovable account today and was able to access another user's source code, database credentials, AI chat histories, and customer data; all of it is readable by any free account. nvidia, microsoft, uber, and spotify employees all have accounts. The bug was reported 48 days ago. It's not fixed. They marked it as duplicate and left it open.
Aditya Dixit retweeted
Alex @DiffeKey
Vercel has reportedly been breached by ShinyHunters. As of now, nobody else appears to be posting about this, so I’m sharing what I have. Here is the information I’ve gathered, along with screenshots provided by ShinyHunters. #cybernews #shinyhunters #breach #vercel #news
Aditya Dixit retweeted
johnny @zeroxjf
Finally got this virtual iPhone running iOS 26.1 up and running on macOS. It's jailbroken and going to help with security research a ton. Big thank you to @wh1te4ever for this. This is not for the average user and is complicated to set up. Highly recommend Codex and/or Claude to assist. For those interested, the project is here: github.com/wh1te4ever/sup… And the writeup is here: github.com/wh1te4ever/sup…
Aditya Dixit retweeted
SolidityScan @SolidityScan
Smart contracts don’t fail randomly. They fail in patterns. The OWASP Smart Contract Top 10 defines those patterns. Use the Top 10 to > Threat-model before you ship > Lock down privilege and upgrade paths > Encode invariants as tests > Secure every external boundary
Aditya Dixit retweeted
SolidityScan @SolidityScan
if you deploy smart contracts without doing this…you’re just hoping nothing breaks. Watch before one bug costs you everything.
Aditya Dixit retweeted
Intigriti @intigriti
Want to quickly scan code bases for security vulnerabilities? This AI-backed tool helps you scan for vulnerabilities using Claude AI Agents to scan your entire project for all vulnerability types with support for multiple programming languages! 🤠 Check it out! github.com/anshumanbh/sec…
Aditya Dixit retweeted
CredShields @CredShields
H1 2025: More than $2.5B Lost! From Bybit’s $1.45B breach to Sui’s largest DeFi exploit, our latest State of Web3 Security Report breaks down the top hacks and root causes, impact across chains and vectors, and how to stay secure. Download the full report to get the findings.
Aditya Dixit retweeted
Akshansh Jaiswal @Akshanshjaiswl
We had an amazing time at the @Hacker0x01 Bangalore Bug Bounty Talks 🎯 Thanks to Alfin, @rohitcoder @cyberboyIndia, and @zombie007o for the incredible sessions on HTML Sanitizer Bypasses, Supply Chain Attacks, and Web3 Security. 🛡️ Grateful to everyone who joined — see you at the next one! 🚀 #BugBounty
Aditya Dixit retweeted
SolidityScan @SolidityScan
Alice created a contract to allow users to claim USDT tokens. Can you spot the bug? Take on the #FindTheBug challenge and showcase your debugging expertise! #BugHunt #SmartContracts #Web3
Aditya Dixit retweeted
Lorenz Lehmann @LehmannLorenz
Today, my PC was nearly compromised. With just one click, I installed a malicious @code extension. Luckily, I was saved as my PC doesn't run on Windows. Hackers are getting smarter and aren't just targeting beginners. Here's how they do it and how you can protect your coins!