RentAHuman -- the platform where "AI Agents" hire real humans for physical tasks - leaked its entire user database.

187,714 personal emails (at the time), all it took was few minutes, some tokens and one Claude Code command.

Here's how my AI attacker found it 🧵

I've been running my simple AI Attacker agent on new trendy AI platforms as soon as they launch in order to help them fix trivial risks, colleague of mine pointed me to a website called , a few days after I found @moltbook's database exposure.rentahuman.ai

All it takes to try and hack these kind of vibe-coded websites that ship code so fast comes down to simply telling claude code "Vibe Hack {Website}"

I gained complete access to @moltbook's database -The AI Agents Social Network - in under 3 minutes.

API keys of every agent. Over 25k email addresses. Private agent-to-agent DMs, and full write access.

Simply by browsing like a normal user.

Here's what happened 🧵

@moltbook The mega weekend hype about the platform got me curious to see how it worked, especially the following tweets from @karpathy and others calling it "genuinely the most incredible sci-fi takeoff-adjacent thing"

https://x.com/karpathy/status/2017296988589723767?s=20

@moltbook @karpathy I set up @openclaw via telegram, signed up to @moltbook and already got super scared that my agent will post my keys over the platform - so I just took the API Keys from the credentials file on the machine and deleted my agent machine to experiment further

Introducing my Bug Bounty Masterclass. 100% free.

I've made $2,000,000+ finding security bugs. I spent the last year turning my methodology into a complete blueprint.

4 hours of video - foundations, reconnaissance, web proxies, hands-on challenges, and certification.

Finish it in a weekend and start hacking real-world applications 🐞

Excited to see what bugs you all are going to find!

wiz.io/bug-bounty-mas…

The course is split to 5 main chapters that could guide anyone from 0 to finding their first bug, 100% guaranteed! especially if you augment yourself with Agents like @claudeai Claude code :)

We found a way to access Max Verstappen's passport, driver's license, and personal information. Along with every other @Formula1 driver's sensitive data.

It took us 10 minutes using one simple security flaw 🧵

Together with @samwcyo and @iangcarroll - all 3 of us being avid Formula1 Fans, we were looking at the security of the whole ecosystem.

That's how we stumbled upon a severe vulnerability in a critical portal managed by the @fia, that was reported and fixed in <24 hours.

To race in F1, drivers need an FIA Super Licence - the golden ticket of motorsport.

The @fia (@F1 1's governing body) also categorizes drivers as Bronze/Silver/Gold/Platinum for other racing events.
This is managed through a web portal - driverscategorisation.fia.com

I hacked a popular vibe coding platform with a simple, straight-forward logic flaw - allowing access to private applications . Here’s how I did it 🧵

As Vibe Coding Platforms are on the rise, I was intrigued with the question on how secure they really are, targeting @base_44 which was recently acquired by @Wix allowed me to access private applications of enterprises trusting their platform.

The external attack surface of the Vibe Coding platform is relatively small, we basically have:

1. The marketing website - base44.com
2. The main application - app.base44.com
3. The public docs - docs.base44.com

So I didn't expect to find much from an unauthenticated perspective...

Critical vulnerabilities doesn't have to be complex or have a CVE - @deepseek_ai publicly exposed their internal ClickHouse database to the world, without any authentication at all, and leaked sensitive data.

No one is safe from security mistakes, follow along to learn more 🧵

@deepseek_ai @wiz_io When facing the task of discovering vulnerabilities on a specific company, the first step is to identify the externally facing attack surface, and later exploiting potential vulnerabilities - in this case, the 2 steps combined all together.

It all starts with DNS Discovery!

Taking our target root domain (for Bug Bounty / Responsible Disclosure) such as deepseek[.]com, we will want to feed it into DNS Discovery tools, those divide to 2 main workflows - Passive & Active.

In the passive sense, we want to query public DNS datasets all over the internet and collect known subdomains of our target, the best way to do that is using a tool such as subfinder by @pdiscoveryio

In the active sense, we will collect public wordlists with hundreds of thousands of domain names, and will try to fuzz and "guess" additional valid domains under our target - deepseek[.]com, such as "admin.deepseek[.].com" etc,etc...

For this task, a tool I recommend is Puredns github.com/d3mondev/pured…

Which is simply run by the following command:

Additionally, there are more techniques such as permutation (adding dev-admin.deepseek[.]com for example) but we will leave it like that.

The goal of this phase is to collect a list of valid subdomains, and save them all in a single place.

Valid subdomain in our sense - a DNS record that has an IP Address or points to another asset.