Fireflies.ai is exposing US government emails and private meeting recordings to anyone on the internet. Zero authentication. I found 44 .gov employee emails from a single city agency through one API call. No login. No token. Nothing.
Their GraphQL API returns full participant emails, meeting recordings, and AI-generated summaries to anyone who queries it. I had to censor the data myself.
This is not limited to one organization. I found over 200 meeting IDs already indexed on public threat intel platforms like AlienVault OTX and Disney. These are meetings from companies and agencies across the world, all queryable through the same zero-auth API.
Fireflies sends meeting links via email, Slack, and calendar invites. Those URLs get indexed by automated scanners and end up in public databases. The meeting ID was never the security layer. There is no security layer.
Some of the meetings Fireflies is exposing with zero authentication:
- US government agency meetings (Peace Corps, city government branches)
- Healthcare company meetings (Cardinal Health)
- National trade committees (CII National Committee on Exports, India)
- Corporate strategy meetings referencing Disney
- Cybersecurity assessment calls (the irony)
- HR open enrollment meetings with employee benefits data
All returned creator emails and meeting data from a single unauthenticated API call.
I reported this to Fireflies on April 7th. They acknowledged it and asked me to submit through HackerOne. I filled out their own bug bounty form at fireflies.ai/bug-bounty instead.
Fireflies has raised over $50M in funding. They record your meetings, transcribe your conversations, and summarize everything discussed. And they shipped an API with no authentication on the endpoints that serve all of that data.
This is not a misconfiguration. This is a product that was built without basic access control.
Tucker Carlson's subscriber database has no access controls. Newsmax was leaking subscriber names and zip codes to anyone who queried an email. Patrick Bet-David's app exposes 290,000 home addresses with zero authentication. Alex Jones' platform lets you pull any user's viewing history.
i reported all four over a month ago. none of them responded. one of them had already been breached before i got there.
Patrick Bet David runs Minnect, a paid advice platform. 290,000+ users. i opened one endpoint. no login. no token. no authentication of any kind.
the response contains full user records. real names. real home street addresses. zip codes. cities. states. countries.
Charles L. at [REDACTED] Cindercone Way, Rio Verde, AZ.
Zeus V. at [REDACTED] Queens Gate, Avon, OH.
these aren't fake profiles. both addresses confirmed against public records. real people who paid Bet-David for advice and got their home addresses dumped into an unauthenticated API.
this is one GET request. no account needed. no cookies. no headers. just the URL.
i emailed Minnect on March 27 with full details. followed up with an April 4 deadline. zero response.
Newsmax had a zero-auth endpoint that returned subscriber PII for any email you queried.
first name, last name, zip code, country, alternate email, session refresh token, internal ID. no authentication.
i tested it against Newsmax's own accounts. test@newsmax.com returned "LEDRA BAILEY" with internal roles. marketing@newsmax.com returned "Newsmax Marketing" with a role expiring in the year 3001. ceo@newsmax.com returned data with signs of prior unauthorized access (CEO account was defaced by someone else). Someone else found this before i did.
11 accounts sampled. all saved. timestamped March 28.
they silently patched this endpoint. never acknowledged my report.
i went to clickup.com. opened the page source. found a hardcoded API key in the javascript. copied it. sent one GET request.
got back 959 email addresses and 3,165 internal feature flags.
employees from Home Depot. Fortinet. Autodesk. Tenable. Rakuten. Mayo Clinic. Permira. Akin Gump. government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland Australia, and New Zealand. a Microsoft contractor. 71 clickup employees.
fortinet sells enterprise firewalls. tenable makes Nessus, the vulnerability scanner half the industry runs. their employees' emails are exposed because clickup hardcoded a third party API key in a javascript file that loads before you even log in.
this was first reported to clickup through hackerone on January 17, 2025. it's now April 2026. the key has not been rotated. i just pulled the response five minutes ago. every email is still there.
clickup raised $535 million at a $4 billion valuation. claims 85% of the Fortune 500 use their platform. looks like the proof is in the page source.
the key is a Split.io SDK token. it's in the production JS bundle on app-cdn.clickup.com. loads every time anyone visits the site. no account needed. no session needed at all. just view source and the SDK key is yours.
one request to split.io's API returns 4.5MB of clickup's internal configuration. every feature flag, every targeting rule, every email in every whitelist. billing experiments, churn prevention offers, AI pricing tiers, rate limiter IP whitelists, infrastructure routing.
the emails are inside flags like "ai-brain-as-agent" and "automation-squad-on-schedule-trigger." these are the customers clickup hand-picked for feature rollouts. enterprise accounts or beta testers. the ones they care about most.
there's a flag called "enable-missing-authz-checks." it's active. the config lists 5 API endpoints that clickup themselves flagged as having no authorization. they documented their own security holes in a config anyone can read and still haven't fixed them.
when i first reported this, one of the flags had a live ClickUp API token embedded in it. a service account for Fairfax County Public Schools. one of the largest school districts in the US. 180,000 students. it pulled 1,066 staff records including their Chief Financial Services data. they removed that token since my report. they never rotated the key that exposed it.
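The class of defect described above (a third-party SDK key shipped in a public JS bundle, and a live API token embedded in a feature-flag config) is what a pre-release secret scan in CI is meant to catch. The scanner below is an added example, not ClickUp's or Split's tooling; the bundle text is constructed, and the key-like values in it are made up. It combines a few known-prefix patterns with a Shannon-entropy test on long string literals assigned to credential-sounding names, and reports the variable name so the finding is actionable.

```python
"""Scan a JavaScript bundle for hardcoded credentials before it ships.

Added example (not ClickUp's or Split's code). Sample bundle is constructed.
"""
import math
import re

# Credentials with a recognisable prefix. AKIA... is the documented AWS access key id shape;
# gh*_ is the GitHub token prefix family. The sample value below is AWS's published example key.
KNOWN_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Any string literal (16+ chars) assigned to a name that sounds like a credential.
ASSIGNMENT = re.compile(
    r"""(?P<name>\w*(?:key|token|secret|password|apikey|sdk)\w*)\s*[:=]\s*['"](?P<value>[^'"]{16,})['"]""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; opaque keys sit well above prose and URLs


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bundle(source):
    """Return a list of findings: {line, kind, name, value}."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        already = set()
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                already.add(m.group(0))
                findings.append({"line": line_no, "kind": kind, "name": None, "value": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if value in already or value.startswith(("http", "/")):
                continue  # already reported, or a URL/path rather than a secret
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"line": line_no, "kind": "high_entropy_assignment",
                                 "name": m.group("name"), "value": value})
    return findings


# Constructed sample: roughly what a minified bundle looks like. Values are made up.
SAMPLE_BUNDLE = """\
// constructed sample bundle
var e={apiBase:"https://api.example.com/v2",featureFlagKey:"ZG9udF9zaGlwX3RoaXNfa2V5X2luX2pzX2J1bmRsZXM",
region:"us-east-1"};function t(){return"enable-missing-authz-checks"}
var accessKeyId="AKIAIOSFODNN7EXAMPLE";
"""

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print("line %d: %s %s" % (f["line"], f["kind"], f["name"] or ""))
```

Run it against each built bundle in CI and fail the pipeline on any finding; the entropy threshold is a tuning knob, and allow-listing by variable name is the usual way to silence known-benign public identifiers.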
there's a second vulnerability. clickup's webhook API has zero SSRF protection.
i made a free account. created a webhook pointing at 169.254.169.254. that's the AWS metadata service that returns IAM credentials. triggered it by creating a task. the webhook fired.
a free clickup account with zero payment can scan their entire internal AWS infrastructure. reported April 8 through hackerone. provided port scans, webhook.site captures with clickup's own source IPs, redirect chains to IMDS and Redis, and every non-HTTP protocol confirmed.
19 days. still sitting in "New." no response from clickup.
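The fix for the webhook SSRF described above is to validate the customer-supplied destination before the server ever connects to it. The validator below is an added example, not ClickUp's code; the function names are hypothetical. It rejects non-HTTP schemes and embedded credentials, and refuses any destination whose address (literal or resolved) is loopback, link-local (the 169.254.0.0/16 block that contains the IMDS address 169.254.169.254), private, or otherwise non-global. Every DNS answer is checked, since a hostname can mix public and private records.

```python
"""Reject webhook destinations that point at internal or metadata addresses.

Added example (not ClickUp's code). `resolver` is injectable so the check can run offline.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # is_global is False for private, loopback, link-local, CGNAT and reserved ranges.
    return addr.is_global and not addr.is_multicast


def resolve_all(host):
    """Return every address the system resolver gives for host (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_webhook_url(url, resolver=resolve_all):
    """Return (ok, reason) for a destination URL supplied by a tenant."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        # Literal IP in the URL (v4 or bracketed v6): check it directly.
        ipaddress.ip_address(host)
        ips = [host]
    except ValueError:
        # A hostname. This path also covers decimal/octal spellings of an IP,
        # which the system resolver turns back into a dotted address we then check.
        ips = resolver(host)
    if not ips:
        return False, "could not resolve %s" % host
    for ip in ips:
        if not is_public_ip(ip):
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["http://169.254.169.254/latest/meta-data/",
                      "http://127.0.0.1:6379/",
                      "https://hooks.example.com/notify"]:
        print(candidate, validate_webhook_url(candidate))
```

Validation at registration time is necessary but not sufficient: the delivery worker should connect to the address that was validated (pin it, rather than resolving again, to defeat DNS rebinding), must not follow redirects automatically, and should re-run the same check on every Location header before following it, which is what closes the "redirect chains to IMDS and Redis" the report mentions.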
North Korean Lazarus Group has weaponized this exact class of Microsoft-signed kernel driver.
It is sitting on MILLIONS of Windows PCs right now.
It gives any local process full control from the deepest level of Windows.
5 lines of code. Zero validation.
Your antivirus can’t stop what runs below the OS.
One driver. 47 secret commands. Zero access control on any of them.
12 for arbitrary physical memory read/write
6 for raw port I/O at any address
2 for full PCI config space read/write
Dump LSASS. Walk page tables. Patch kernel memory. Disable protected security processes. Kill your EDR. Load unsigned code.
This is what ransomware gangs pay serious money for.
Dell ships it for free. Still officially signed and trusted by Microsoft. Still pushed through Windows Update right now.
I reported this to Dell through Bugcrowd.
They triaged it P2. Told me to take my tweet down. I did.
Weeks later they replied: “duplicate. no bounty. but we’ll credit you on the advisory.”
So they made me shut up, sat on it, and the driver is still signed, still distributed through Windows Update, 0 CVEs, not on HVCI blocklist, not on LOLDrivers till i made an issue.
Lovable has a mass data breach affecting every project created before november 2025.
I made a lovable account today and was able to access another user's source code, database credentials, AI chat histories, and customer data. all readable by any free account.
nvidia, microsoft, uber, and spotify employees all have accounts. the bug was reported 48 days ago. it's not fixed. They marked it as duplicate and left it open.
Here's how i accessed another user's profile, listed their public projects, and downloaded the source code of an admin panel for Connected Women in AI, a real Danish nonprofit. the project was last edited 10 days ago. the developer has 3,703 edits this year. this is not abandoned. this is active.
i extracted the database credentials from the source code and queried it. got back real names, real companies, real linkedin profiles. speakers from Accenture Denmark and Copenhagen Business School. not test data. not "John Doe". real people at real companies who have no idea their information is exposed.
this is not hacking. this is five API calls from a free account.
lovable patched this for new projects. they never patched it for existing ones.
i tested both today. a project created in april 2026 returns 403 forbidden. the same developer's older project, actively edited 10 days ago, returns 200 OK with the full source tree. same API. same endpoint. same free account. same session. one is protected. the other is wide open.
the first hackerone report was filed march 3 2026. lovable marked it triaged. then they shipped ownership checks for new projects and left every existing project exposed. 48 days later nothing has changed.
they chose to protect new users and abandon everyone who already built on the platform.
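The Fireflies finding earlier on this page (a meeting ID treated as the only access check) and the Lovable finding just above (ownership checks shipped for new projects only) are the same defect: authorization is not enforced on every read of the object, so the ID behaves as a capability and old records stay exposed. As an added example, not code from either company, here is a minimal handler with the check in one place so that it covers old and new records alike. The project names, users and source strings are constructed; `Project`, `Session`, `get_source` and `list_projects` are hypothetical names.

```python
"""Object-level authorization applied to every record, not only new ones.

Added example (not Fireflies' or Lovable's code). All data below is constructed.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """No valid session at all."""


class Forbidden(Exception):
    """Valid session, but not permitted on this object (or object does not exist)."""


@dataclass
class Project:
    id: str
    owner: str
    collaborators: set = field(default_factory=set)
    source: str = ""
    created: str = ""


@dataclass
class Session:
    user: str


# Constructed sample data: one older and one newer project by the same developer.
PROJECTS = {
    "p-old": Project("p-old", "dev@example.org", set(), "print('admin panel')", "2025-06-01"),
    "p-new": Project("p-new", "dev@example.org", {"reviewer@example.org"}, "print('new')", "2026-04-01"),
}


def vulnerable_get_source(project_id, session=None):
    """Before: possessing the ID is treated as proof of access. No session check."""
    return PROJECTS[project_id].source


def is_allowed(user, project):
    """The single rule every read must pass: owner or listed collaborator."""
    return user == project.owner or user in project.collaborators


def get_source(project_id, session=None):
    """After: anonymous callers are refused before any lookup, and the
    ownership rule runs for every record regardless of when it was created."""
    if session is None:
        raise Unauthorized("login required")
    project = PROJECTS.get(project_id)
    # Missing and not-permitted raise the same error so the endpoint
    # does not act as an oracle for which IDs exist.
    if project is None or not is_allowed(session.user, project):
        raise Forbidden("no such project or no access")
    return project.source


def list_projects(session):
    """Enumerate only what the caller may read; never expose other users' IDs."""
    if session is None:
        raise Unauthorized("login required")
    return sorted(p.id for p in PROJECTS.values() if is_allowed(session.user, p))


def outcome(fn, *args):
    """Helper for checks: ('ok', value) or ('error', exception class name)."""
    try:
        return "ok", fn(*args)
    except Exception as exc:  # noqa: BLE001 - deliberate for reporting
        return "error", type(exc).__name__


if __name__ == "__main__":
    print(outcome(vulnerable_get_source, "p-old"))            # anyone gets the source
    print(outcome(get_source, "p-old"))                       # Unauthorized
    print(outcome(get_source, "p-old", Session("other@example.net")))   # Forbidden
    print(outcome(get_source, "p-old", Session("dev@example.org")))     # ok
```

Putting the rule in `is_allowed` and calling it from every read path is what makes a fix retroactive: there is no separate code path for projects created before the patch, so there is nothing left unprotected.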
AMD is shipping a vulnerable kernel driver in the Razer Blade 16 BIOS updater. it's sitting in the same folder as ANOTHER vulnerable driver that's been publicly known and documented as dangerous for years.
both are signed. both can be weaponized by malware to bypass your antivirus, take complete control of your computer from the inside, read anything stored in memory including passwords and crypto wallet keys, and load ransomware/malware without your PC putting up a fight.
this is exactly what ransomware / malware operators and state backed groups hunt for every single day
BiosToolCommonDriver.sys, internal name `affdriver` AMD Field Fusing / RPMC. 47KB. WHQL + AMD Sectigo dual signed, signed october 2023. AMD's cert has since expired but the timestamp keeps the sig valid, still loads on current Windows
18 IOCTLs, all ghidra confirmed, all verified with a working PoC
any admin level process opening this device can read or write any physical memory address up to 4KB per call, read or write any PCI device's config space, read or write any CPU MSR with no allowlist (one write to IA32_LSTAR redirects every syscall on the system through attacker code), do raw port I/O across the full 64K range including keystroke injection via the i8042 keyboard controller, read BIOS flash contents directly, allocate contiguous DMA buffers, and translate any virtual address to physical which breaks KASLR
admin only device ACL is meaningless in BYOVD because attackers already have admin when they load the driver. not on microsoft's HVCI blocklist. no CVE. densest primitive set i've seen in a single WHQL signed driver.
okay, why should you care about some obscure AMD driver if you're not a reverse engineer?
malware on your machine still has to beat your AV and EDR before it can do real damage. vulnerable signed kernel drivers like this one are exactly how ransomware operators kill your protection from ring 0 before they encrypt anything
every driver we burn is one less weapon in the ransomware toolkit. that's why this matters.
Windows defender has been compromised.
right now there is a public unpatched exploit that gives any app on your windows PC full system admin access. no password. no popup. nothing
your antivirus doesn't stop it. your antivirus IS the exploit. windows defender is the attack vector.
ransomware gangs can use this to encrypt your entire machine and steal every saved password, browser session, and discord token you have. fully patched windows 11. real time protection on
thread
when defender finds a suspicious file with a cloud tag it tries to "fix" it by rewriting the file back to its original location
the exploit races this with an oplock and a junction. defender thinks it's writing to a temp folder. it's actually writing into C:\Windows\System32. defender delivers the payload for you.
no admin. no UAC. your antivirus is the payload delivery mechanism
here's where it gets crazy. this isn't some random bug. the same person dropped 3 windows 0days in 13 days:
BlueHammer (april 2) - defender LPE. got CVE-2026-33825. patched
UnDefend (april 12) - blocks all defender updates permanently
RedSun (april 15) - this one. still unpatched
they claim MSRC dismissed their reports and "ruined their life." direct quote from their blog: "I was not bluffing Microsoft, and I'm doing it again"