Ingeniería de Telecomunicaciones (URJC). Pentester en @ZerolynxOficial
Joined October 2008
- Tweets 29,760
- Following 682
- Followers 990
- Likes 19,508
795 Photos and videos
Justo Martín retweeted
🚨 73 Microsoft GitHub repos just went dark.
They were hit by Miasma, a self-replicating supply chain attack spreading through trusted open-source channels.
Azure and MicrosoftDocs repos were among those impacted.
Read this: thehackernews.com/2026/06/mi…
17
145
353
37,159
Justo Martín retweeted
May 22
NordVPN demuestra al juez que el 🚫 bloqueo de IPs que le pide ⚽️ LaLiga no puede ser implementado sin dañar a terceros
👇
bandaancha.eu/articulos/nord…
1
71
188
9,327
Justo Martín retweeted
Apr 29
CVE-2026-31431 a/k/a CopyFail
> Linux LPE
> Description sounds like AI slop
> Exploit is legit
> Impacts every Linux kernel from 2017 - Now
> Proof-of-concept released
> It's Wednesday?
copy.fail/
101
530
3,645
260,530
Justo Martín retweeted
Apr 25
¿Te da la sensación de que Opus se vuelve más tonto a partir de las 11:00 UTC (13:00 hora de España)?
No es paranoia. No es sesgo de confirmación. Y no, Anthropic no "baja la calidad" a propósito.
La explicación real es más incómoda 🧵
1
5
9
1,516
Justo Martín retweeted
Hacking the #EU #AgeVerification app in under 2 minutes.
During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app.
After choosing a different PIN, the app presents credentials created under the old profile and let's the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..."
I did. It didn't take long to find what looks like a serious #privacy issue.
The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well.
But, the source image used to collect that data is written to disk without encryption and not deleted correctly.
For NFC biometric data:
It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them.
For selfie pictures:
Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.
This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary.
From a #GDPR standpoint:
Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach.
youtube.com/watch?v=4VRRriyD…
656
6,065
24,322
3,390,148
Justo Martín retweeted
Autor no autorizado el que tengo aquí colgado
1
3
211
Justo Martín retweeted
Mar 1
EPIC FAIL
#LaLigaGate
Feb 28
La Liga bloqueando webs que usan Cloudflare...
pero su página antipiratería usa el CDN de Cloudflare.
🤡
ALT Captura de pantalla del código fuente de la web de LaLiga Antipiratería, mostrando varias etiquetas <link> y <script> que cargan hojas de estilo y JavaScript desde un CDN propio y desde Cloudflare, con la palabra "cloudflare" resaltada en amarillo y naranja como si fuera el villano secreto de la historia.
2
32
136
6,548
Justo Martín retweeted
Mar 1
19 años ya… y aún se me eriza la piel.
Apenas había smartphones y todo era nuevo, enorme, mágico. Descubrimos un mundo y, sin saberlo, a personas que marcarían nuestra vida: amigos, amores, familia.
Qué suerte haberlo vivido y qué privilegio haber formado parte de ello.
101
133
777
74,263
Justo Martín retweeted
Feb 26
Si no haces otra cosa en el evento. Ya podáis darte prisa con lo único que haces
1
3
98
Justo Martín retweeted
Feb 25
Todos los datos de altos cargos del INCIBE Español se ven expuestos por un hackeo
blog.elhacker.net/2026/02/to…
9
144
377
26,734
Justo Martín retweeted
Feb 21
Tras las primeras 24 horas del CTF de la HackOn, hemos detectado comportamiento irregular en diferentes equipos muy altos en el top.
- Resolución de varios retos en un intervalo muy corto de tiempo.
- Submissions con flags erróneas automatizadas.
1
2
4
176
Justo Martín retweeted
Feb 5
Non-nerds are asking how Mr. Al-Qudsi (@mqudsi) is working to reconstruct redacted Epstein data. Here is a high-level summary that isn't as nerdy schizo
Mega tl;dr
> Send email
> Add attachment
> Emails no understand files
> Email turn files in text (Base64 encoding*)
> Image 1 is email turning attachment into text
> Send email
> Someone receive email
> Email reads add-on text
> "oh thats an attachment"
> Transforms into attachment you can see (Base64 decoding*)
> DoJ releases Epstein emails
> Didn't censor attachment stuff
> hehe big mistake, we can recover this
> Boom, all attachments "censored" now uncensored
> All hidden attachments now public
> Go to work
> Problems arise
> DoJ printed emails (???)
> Scanned printed emails back (???)
> Try to rebuild from email stuff
> Fails
> wtf.mp4
> Look inside
> DoJ printed as "Courier New" font
> L and 1 look the same
> Try to reconstruct
> Fails
> Computer can't figure difference between L and 1
> (Look at image 2)
> Can you even tell the difference???
To manually reconstruct all attachments from Epstein emails data forensic experts must find a way to programmatically determine which characters are L's and which are 1's. This is only a problem because the DoJ printed it as Courier New.
Proposed solution right now is bruteforce. Try every possible combination, swapping L's and 1's, check email thing, does it work? No? Repeat. However, this could take a long time.
Another solution is taking known email encoded thingies that work and compare it to Epstein files. Try to identify patterns and reconstruct it using machine learning.
97
385
4,086
335,055
Justo Martín retweeted
Feb 7
Hey @CercaniasVLC, do you think this is a safe way of having a hand dryer plugged in? Your station in Alzira seems to think it's acceptable.
33
184
1,284
406,587
Justo Martín retweeted
Feb 6
Al recoger a mi hijo nos ha dicho la de inglés que tienen una "actividad individual" el día 11.
Yo:un examen.
Ella:Noooo, esa palabra puede agobiar.
Yo: ¿Pero les vas a poner nota?
Ella: bueno sí...
Yo:un examen entonces.
No puedo con tanto cambio inútil , no puedooo
110
403
8,866
93,139
Justo Martín retweeted
Feb 4
Silencio todos.
Los auditores ISO 27001 que nunca han tocado una terminal nos van a decir a los pentesters cómo hackear
22
50
569
20,760
Justo Martín retweeted
Feb 2
This is bad.
Putty level bad.
notepad-plus-plus.org/news/h…
256
1,531
11,530
3,130,589
