Sam Curry

3K posts

@samwcyo

Joined January 2017
1.1K Following 100.4K Followers
notkirb_ @notkirb_ ·
@samwcyo Maybe if you use your brain instead, you would have better luck
Sam Curry @samwcyo ·
Asked Claude to root my Xiaomi 17 Pro Max. Did not go well.
Sam Curry reposted
Andy Greenberg (@agreenberg at the other places)
A second iOS exploit has been spotted in use by Russian spies to infect websites and hack visitors' iPhones. This one works on iOS 18, and appeared in a very reusable form, so will likely proliferate. If you haven't updated your iPhone, now's the time. wired.com/story/hundreds…
Sam Curry reposted
Rust @playrust ·
The Rust X Hackerone Program! 🐛🕵️‍♂️💰 Earn cash rewards by reporting bugs, security vulnerabilities, and exploits! Discover more here: rust.facepunch.com/news/soft-refr…
Sam Curry reposted
spaceraccoon | Eugene Lim @spaceraccoon ·
I found a remote code execution on the latest TP-Link Tapo webcam models! The path to code execution wasn't direct and involved an interesting chain (3 CVEs). Check out my blogpost for more details! spaceraccoon.dev/getting-shell-…
Sam Curry reposted
Andy Greenberg (@agreenberg at the other places)
A full iOS exploit toolkit, "Coruna," has been found in the wild, hacking iPhones that visited infected websites, used by Russian spies targeting Ukrainians and thieves targeting Chinese crypto holders. And it may have been created for the US government. wired.com/story/coruna-i…
Sam Curry reposted
Sock @sockdrawermoney ·
It is weird to grind away at something for over a year and finally start talking about it openly. I'm encouraged by the probing questions and thought so far on mlld.ai -- thank you all who've taken the time! For anyone who'd prefer a video intro, turn on notifs!
Sam Curry reposted
John Scott-Railton @jsrailton ·
BREAKING: US just sanctioned a network of exploit brokers trafficking in stolen US hacking tools First-ever use of #PIPA (Protecting American Intellectual Property Act) by @USTreasury. Here's the wild backstory of how @opzero_en got US-taxpayer funded exploits. 1/
Sam Curry reposted
cts🌸 @gf_256 ·
V12 is now live for open beta. It can:
- Find valuable bugs
- Generate working, runnable PoC
- Generate patch and test the PoC against it
In our testing during audits at Zellic, Zenith, and Code4rena we've been consistently impressed. Best of all: it's free. (Don't abuse it!)
pashov @pashov

@claudeai Impressive. Very nice. Now do this, but for smart contracts

Sam Curry reposted
Caleb Gross @noperator ·
Terence Tao perfectly captures why AI is gaining traction in security research:
> To date, the problems that AI has solved are the ones that are attention-bottlenecked: the ones for which Erdős posed once or twice in a paper, but there's been almost no follow-up literature; no one has really looked at them. But AI can scale, and so we are making progress on a lot of problems for which we didn't really have enough human attention.
youtube.com/watch?v=zJvuaR… noperator.dev/posts/on-the-m…
Caleb Gross @noperator

1/ Agentic LLMs can automate vuln detection. Very exciting, but doesn't address the hardest part (imo) of vuln research: prioritization. Can we reliably explore the search space and separate signal from noise? I wrote a paper (and OSS tool) to solve this. arxiv.org/pdf/2512.06155

Sam Curry reposted
kqx @kqx_io ·
How a single typo led to RCE in Firefox Can you spot the bug? Read now at: kqx.io/post/firefox0d…
Sam Curry reposted
sshell @sshell_ ·
@thedawgyg i don't know if it's up to date, but i always really liked the idea of informed bug hunting using the "chromium money tree" from @rebane2001 basically tells you how much has been paid out in bounties for chrome at the file level lyra.horse/misc/chromium_…
Sam Curry reposted
Hacktron AI @HacktronAI ·
We found a RCE in Google's AI code editor Antigravity - $10000 Bounty Link to the blog in comments:
Jenish Sojitra @_jensec ·
Has anyone figured out how to deal with security implications of hosting @openclaw ?
Sam Curry @samwcyo ·
@maxbittker Yes 😄 -- my runes were smuggled in from tutorial island using a bot which @sshell_ and I made. There were probably 20,000 different characters that spawned in, teleported to lumbridge, then dropped all their stackables
max @maxbittker ·
was this you @samwcyo ? noticed you're #1 on the magic highscores :)
max @maxbittker ·
Opus4.6 stayed busy last night while I was asleep. ...where did the runes come from at 0:03...?
Sam Curry reposted
PortSwigger Research @PortSwiggerRes ·
The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top-1…