Building aisy.ai - Former Head of Hacker R&D @Hacker0x01. All things hacking!

Joined June 2009
Pinned Tweet
Visit target.com --> SSO
Visit target.com/admin --> login
Reviews Javascript --> if (data == 'SUCCESS') { location.href = "/admin/<snipped>?uname=" + username + ""; }
Visit: target.com/admin/<snipped>?uname=admin
Admin Access... #bugbountytips
What the AI drafted AI AI is this AI tweet?
This week the most advanced AI model on the planet got switched off by a foreign government. British researchers were studying it. British companies were testing it. British hospitals were piloting it. Not any more. This isn't an AI story. It's the story of every industry we used to lead. Britain has some of the best AI talent in the world. DeepMind was built here. Our AI Safety Institute writes the rules other countries follow. We have the researchers, the universities, the standards. What we don't have is the power stations to run the data centres, the planning system to build them, or the industrial base to make the chips. So the work happens here and the value lands somewhere else. We invent. Others build. Others decide. Then we read about it on Saturday morning. Same story as the kit our soldiers don't have. Same story as the factories we used to. I spent nine months in government making this argument inside the room. I'll make it louder from outside.
Private repo theft now has a lot more nasty implications...
🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)
Shlomie Liberow retweeted
“Young relatives forced to commit sex acts on each other” The New York Times didn’t want this to be the conversation. The editors signed off on fictional raping dogs instead. Read what happened on October 7.
Shlomie Liberow retweeted
Waiting for the bingo card response of “no place for antisemitism in our society” from politicians and media who have helped stoke this crisis
Shlomie Liberow retweeted
Growing up in the UK, I’ve never had someone approach me and say “what are you doing around here” for being black. This happened to a Jewish man who was simply doing his job. Combined with the arson attacks, British Jews are targeted in ways people like me aren’t. A sickness.
Uhhh
Shlomie Liberow retweeted
It's quite something to see this all written down:
New @CST_UK report sets out shocking extent of attempted mass terror plot against Jews jewishnews.co.uk/new-cst-rep…
Shlomie Liberow retweeted
There was an air of inevitability about it. Nobody knows when or where the next antisemitic outrage will emerge, but with every fake post about Israel killing babies, with every biased BBC report whipping up the animus of viewers, with every chant of “globalise the intifada” on university campuses, death comes one step closer. Now, it would appear it has come to Bondi Beach. That Australian paradise is always packed with partygoers, joggers, picnickers and the elderly, enjoying the sea and the summer sun. In the last few hours, it was the location of a family Chanukah party that reportedly attracted about 2,000 people. And a mass shooting... My @Telegraph column today. telegraph.co.uk/news/2025/12…
Which model suggested this is the question
4 Dec 2025
Brilliant move by @AnthropicAI to sponsor Claude ads on stacktraces that get no results
Shlomie Liberow retweeted
3 Dec 2025
UN on Francesca Albanese: “The special rapporteurs will say what the special rapporteurs say. For the Secretary General, it is very clear that journalists should never come under any violence, wherever they may be, whether that violence is physical, whether that violence is verbal, whether they are intimidated.” — @UN_Spokesperson in response to this query by @Mike_Wagenheim @i24NEWS_EN: “Francesca Albanese, who continues to put the ‘special’ in ‘special rapporteur,’ weighed in recently on the attack on an Italian media outlet which led to 30 arrests for vandalism. While she condemned the attack, she said: ‘This should serve as a warning to journalists to go back to doing their job.’ Which was condemned by a wide swath of the Italian political spectrum, as basically an intimidation tactic on the press there. The Secretary General just stated yesterday, I believe that you know, ‘journalists need to be protected from this kind of intimidation.’ Any thoughts from the Secretary General or his office on the latest comments?”
Pretty neat and interesting how much of a fine line before it goes overboard and attempts to follow your instructions
21 Nov 2025
Replying to @AnthropicAI
Remarkably, prompts that gave the model permission to reward hack stopped the broader misalignment. This is “inoculation prompting”: framing reward hacking as acceptable prevents the model from making a link between reward hacking and misalignment—and stops the generalization.
LLM driven bedtime routines #gemini3
Zero surprises here. Attack vectors don't need to be sophisticated as much as just needing to be persistent and trying all variants possible.
13 Nov 2025
We disrupted a highly sophisticated AI-led espionage campaign. The attack targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We assess with high confidence that the threat actor was a Chinese state-sponsored group.
Compliance be compliancing
I’ve been training LLMs to recognise vulnerability chains and revisiting my favorite bug bounty reports to understand what patterns they can be taught to spot. Let’s look at this example of a ticketing platform's booking flow that leaked millions of PII records. This wasn’t a zero-day or some sophisticated exploit, but a combination of 4 separate bugs that any decent scanner might find and file as Low/Medium severity. However, in combination, potentially genuinely damaging.

━━━━━━━━━━━━━━━━━━━━
Bug #1: The Authentication Anomaly (medium severity)
Most of the ticketing platform’s site used cookies, but the booking API switched to a custom header for user identification. Whenever auth does something unexpected, you want to pay attention. I was able to change the header to a different user's ID and see their data, although only partially, it was missing emails and other fields. This bug demonstrated a routing issue, but incompletely.

━━━━━━━━━━━━━━━━━━━━
Bug #2: The Path Traversal (medium severity)
The ticketing platform’s API ran on Apache, which handles file paths in specific ways. I sent ../../../../api# as the header value - telling the server "go up four directories" and ignore everything after the #. The response changed timing and structure. It worked, but blindly - I was moving through directories but couldn't see where. This bug was confirmed exploitable, but I needed a way to make it meaningful.

━━━━━━━━━━━━━━━━━━━━
Bug #3: The Error Message (low severity)
I sent an invalid user identifier to a different endpoint on the platform to see what would break. The error response included:
"self":"/api/<redacted>/;user={xxxxx}/profile"
This leaked the internal path structure - how the system organizes and stores user data.

━━━━━━━━━━━━━━━━━━━━
Bug #4: The Sequential IDs (informational)
While testing other endpoints, I noticed another identifier type in the responses, tied to accounts, not users. These IDs were sequential: 3443123, 3443124, 3443125

━━━━━━━━━━━━━━━━━━━━
Bringing It All Together For Real Impact
Four findings. Four tickets. Different teams. Different severities. But combined, a major breach of PII. Here's the chain:
X-User-ID: ../../../../api/<redacted>/;account=3443125/profile#
This combines:
• Path traversal escapes the directory
• Internal structure from the error maps the route
• Sequential account ID replaces the random user ID
• Access control weakness reads the data
The result: Full user profile is revealed: name, DOB, address, email, phone, and more. In other words, a complete database enumeration.

━━━━━━━━━━━━━━━━━━━━
The Pattern
A scanner may find these issues in isolation but can't see that Medium + Medium + Low + Info = Critical breach. This is the direction LLMs can work towards with the right context: models that recognize not just individual bugs, but the investigation paths that connect them.

#BugBounty #Security #VulnerabilityManagement
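The chain above starts with an API that trusts a caller-supplied header for identity and lets its value reach the routing layer. Below is an added example (not the post's own code) of two defensive checks for that situation: an allow-list validator for the header value, and a detection pass over constructed log lines that flags values which would resolve outside the expected route. The header name X-User-ID is from the post; the identifier format, the route prefix and the log layout are assumptions.

```python
"""Added example (not the post's own code): two defensive checks for an API that
identifies the caller from a custom header such as the X-User-ID in the post.
The identifier format, route prefix and log layout are assumptions."""
import posixpath
import re

# Assumed: identifiers are opaque tokens from a fixed alphabet, never paths.
USER_ID_RE = re.compile(r"^[A-Za-z0-9-]{8,64}$")
# Assumed internal route prefix that any header-derived path must stay under.
PROFILE_BASE = "/api/v1/users"

def is_valid_user_id(value: str) -> bool:
    """Allow-list check: separators, '..', ';' and '#' can never pass."""
    return USER_ID_RE.fullmatch(value) is not None

def escapes_base(value: str, base: str = PROFILE_BASE) -> bool:
    """True if routing the header value under `base` would resolve outside it.
    Fragment ('#') and path-parameter (';') suffixes are dropped first, as a
    server would ignore them when resolving the path."""
    path_part = value.split("#", 1)[0].split(";", 1)[0]
    resolved = posixpath.normpath(posixpath.join(base, path_part))
    return not (resolved == base or resolved.startswith(base + "/"))

def scan_header_log(lines):
    """Detection pass over log lines of the constructed form
    '<timestamp> <client_ip> X-User-ID=<value> <status>'.
    Returns (line_no, value, reason) for every value that fails validation."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = re.search(r"X-User-ID=(\S+)", line)
        if m and not is_valid_user_id(m.group(1)):
            value = m.group(1)
            reason = "escapes route" if escapes_base(value) else "malformed id"
            findings.append((n, value, reason))
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2025-11-20T10:00:01Z 198.51.100.7 X-User-ID=7f3c9a2b-4d1e 200",
    "2025-11-20T10:00:02Z 198.51.100.7 X-User-ID=../../../../api# 200",
    "2025-11-20T10:00:03Z 198.51.100.7 X-User-ID=3443125;account=1 200",
    "2025-11-20T10:00:04Z 198.51.100.9 X-User-ID=abc 200",
]

if __name__ == "__main__":
    for finding in scan_header_log(SAMPLE_LOG):
        print(finding)
```

The validator belongs in front of whatever resolves the identifier into a route; the log scan is the retrospective check for whether such values were ever accepted before the fix.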
Day in the life... #claudecode
My 7 year journey at HackerOne recently came to a close. It's been an incredible run working with the best people and being part of something that transformed the security industry. Working there gave me a unique vantage point: the intersection of the world's best security researchers and the teams defending our most critical infrastructure. Leading initiatives that drove over $20M in bounty payouts, I watched brilliant hackers uncover vulnerabilities that traditional tools completely missed, while enterprise security teams grappled with overwhelming complexity. Through it all, one thing became clear: the gap between offensive discovery and defensive understanding is still surprisingly wide. It was a privilege to be trusted by both sides - by researchers who'd spent weeks crafting elegant attack chains, and by CISOs who had to make impossible decisions with incomplete information. Both groups are incredibly sophisticated, but they often speak different languages. Translating between them, turning a complex finding into clear business context, taught me more about where security breaks down than any single role ever could. I'm immensely grateful for every conversation and every moment of bridging those worlds. It's a journey that began in Las Vegas and has taken me across the globe to lead live hacking events - from Tokyo and Singapore to Dubai and Argentina. Ending this chapter with a final event in Sydney feels like the perfect closing note. Something new is coming. More soon. 👀
Excited to be part of #HackAIcon. Great lineup - lots to discuss with AI reshaping everything we thought we knew about security
2 Sep 2025
Meet the Speaker: @Shlibness 🎙️ Shlomie is a cybersecurity veteran known for uncovering complex vulnerabilities and pushing the boundaries of Ethical Hacking. Former Head of Hacker Research and Development at @Hacker0x01, he's now working on the next big thing! Don't miss it at eu1.hubs.ly/H0mKyDt0 #HackAIcon #Ethiack #Cybersecurity #HackAI