Sam Curry
Hacker, bug bounty hunter. Run a blog to better explain web application security.
Sep 27, 2023 11 tweets 3 min read
Upon my return to the United States from a trip to Japan, I was directed to a secondary inspection room where I was presented with a Grand Jury subpoena by officers from the IRS-CI and DHS. The subpoena required me to appear in New York to provide testimony for wire fraud. 🧵 For about an hour they asked me vague questions related to a "high profile phishing campaign" and how my IP address could've ended up being "tagged" to a threat actor, showing me a manila folder with my own photo, my home IP address, and some random social media accounts of mine.
Nov 30, 2022 16 tweets 7 min read
More car hacking!

Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.

Here's how we found it, and how it works: After finding individual vulnerabilities affecting different car companies, we became interested in finding out who exactly was providing the auto manufacturers' telematic services.

We thought it was likely there was a company who provided multiple automakers' telematic solutions.
Nov 29, 2022 15 tweets 6 min read
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012.

To explain how it worked and how we found it, we have @_specters_ as our mock car thief: Our finding began with @_specters_ reaching out to @bbuerhaus and myself to help explore potential security issues affecting vehicle telematics services.

Most car research we'd seen in the past involved really cool crypto attacks on physical keys, but what about the websites?
Nov 8, 2022 9 tweets 3 min read
Between July 7th and July 17th, 2022, we formed a small team of hackers and collectively hunted for vulnerabilities on John Deere’s security program.

During our 10-day engagement, we found 100 unique vulnerabilities with 50 rated critical, 32 high, 14 medium, and 4 low severity. Throughout the process, our most impactful finding allowed us to provision, modify, impersonate, and delete all John Deere SSO and LDAP users across the entire organization with full access to hundreds of internal and employee-only services including…
Sep 16, 2022 4 tweets 1 min read
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP.
Apr 1, 2022 5 tweets 2 min read
Over the last few months, we found a number of vulnerabilities in the largest Discord plugins (Dyno, MEE6, CollabLand) which would've allowed attackers to become administrators, send messages, and DM users.

The tagged hack happened a few days after we accidentally triggered /1 an "@Everyone" message to be sent in a large public server using the Dyno bot, and I'm wondering if the hackers noticed this and began looking themselves? These bots have a massive amount of trust (admin roles on >1mm servers, people click URLs willingly, etc), and for /2
Dec 25, 2021 6 tweets 2 min read
I think my router or ISP has been hacked, but it's the strangest thing of all time: every time I send an HTTP request to an IP address, a follow up HTTP request is sent to the exact same URL by a Digital Ocean box. I've confirmed that... (1) All devices on my WiFi will have their HTTP request replayed if sent to an IP address
(2) It doesn't matter what IP address it is (I've tested this on different IPs from different places)
(3) I've factory reset my modem and the behavior is the exact same every time
Dec 22, 2021 7 tweets 4 min read
Found some fun vulnerabilities on Instapage and HubSpot with @bbuerhaus, @sshell_, and @xEHLE_. Here's a thread with a couple mini writeups for them:

There are a few routes on the Hubspot CMS which are actually reverse proxies to Hubspot's CDN, you can see the "hs-fs" one below: The "hs-fs" directory is pointed towards some CDN owned by Hubspot which all customers are allowed to add JavaScript and CSS to, but after registering to the Hubspot portal we found that you could deploy HTML files directly via a legacy API.
Dec 13, 2021 5 tweets 1 min read
It's frustrating, we reported a SQL injection vulnerability to the Vulcan Forged bug bounty program 6 months ago that let you pull master private keys and plaintext passwords. This vulnerability had a similar level of impact, but was rewarded with $2,000. (1/5) Over the last year or so we've hacked on tons of Web2
crypto programs which are custodial wallet or are trusted mediums for people to interact with huge amounts of money, but the vulnerabilities are consistently paid <$5k when the *real* amount of risk is >$100m. (2/5)
Sep 12, 2021 6 tweets 2 min read
Client side path traversal is a really fun thing to explore for CSRF and XSS. Revisited an unexploitable blind SSRF which (1) required the authorization header to be sent and (2) passed the authorization header to the provided "url" parameter. This would be account takeover ... ... but, you can't directly CSRF a victim into sending an authorization bearer, therefore you can't trigger the CSRF and steal their token via the blind SSRF which forwarded the header. Luckily for us, the blind SSRF API call was via GET (/example?url=https:// + auth header) ...
Jan 15, 2021 6 tweets 3 min read
Since it's 2021 I'd like to go ahead and disclose some bugs I wasn't able to talk about in 2020. These were issues that either got NDA'd or had long remediation timelines.

The following are quick summaries and proof of concepts for some of the simpler bugs: 1. IDOR on Apple via "X-Dsid" header allows an attacker to retrieve the name, credit card information, addresses, and various PII of any Apple user via DSID
Bounty: $25,000

Could create a "god cookie" which had access to all Apple customers' name, address, phone, and billing info.