Olivia
Online
Aaron Costello
@ConspiracyProof
🇮🇪 ✝️
Chief of SaaS Security Research @ AppOmni
Opinions may be that of James Joyce or Samuel Beckett who occasionally channel their spirits through me.
Ireland, Capital of Europe
Joined January 2012
309 Following
1.8K Followers
308 Posts
Pinned Tweet
‼️ New Research Drop ‼️
I’m excited to share my latest @AppOmniSecurity Labs research: a CVSS 9.3 critical vulnerability in #ServiceNow’s AI platform.
It's dubbed "BodySnatcher" (CVE-2025-12420) because of its novel exploit path: it allowed an unauthenticated attacker to impersonate any user on the platform and execute powerful out-of-the-box (OOB) AI agents with the victim's permissions. The result? Complete platform takeover.
Read my write-up here for the juicy technical details: https://t.co/TvnOswPiW2
#cybersecurity #ai #saas #vulnerability
AI Security Digest – Week 2, 2026
1️⃣ ZombieAgent, new ChatGPT vulnerabilities let data theft continue and spread - https://t.co/uvLjJpUp4I - @radware
2️⃣ OWASP Agentic AI Top 10, threats in the wild - https://t.co/MbKjvgzalQ - @Lares_
3️⃣ AI Tool Poisoning, hidden instructions threaten AI agents - https://t.co/s9sH6tPOtX - @CrowdStrike
4️⃣ Broken authentication and agentic hijacking in ServiceNow, BodySnatcher - https://t.co/GpzR49V4Wi - @ConspiracyProof, @AppOmniSecurity
5️⃣ IBM AI (“Bob”) downloads and executes malware - https://t.co/nUjfeYHej3 - @PromptArmor
6️⃣ The first question security should ask on AI projects - https://t.co/vPUew38vNU - @cloudsa
7️⃣ Pwning Claude Code in 8 different ways - https://t.co/wTuFzv9epn @flatt_sec_en
8️⃣ Inside GoBruteforcer, AI generated server defaults, weak passwords, crypto focused campaigns - https://t.co/IG7jt7BNds - @_CPResearch_, @CheckPointSW
9️⃣ Where AI systems leak data, a lifecycle review of real exposure paths - https://t.co/TRgQvdWZ9q - @Praetorian
🔟 Lack of isolation in agentic browsers resurfaces old vulnerabilities - https://t.co/pTVPuKId8s - @trailofbits
1️⃣1️⃣ Weaponizing Apple’s AI for offensive operations, Part 2 - https://t.co/Wf9pT6xQKL
1️⃣2️⃣ What AI agents can teach us about NHI governance - https://t.co/qNofCDm16b - @GitGuardian
1️⃣3️⃣ Threat actors actively targeting LLMs - https://t.co/OayYR2tSHO - @GreyNoiseIO
1️⃣4️⃣ AI’s bottleneck isn’t models or tools, it’s security - https://t.co/hteiG6GZIi @ZackKorman
1️⃣5️⃣ Turning AI safeguards into weapons with HITL dialog forging - https://t.co/G9d9I3joaF - @Checkmarx
1️⃣6️⃣ The agent security paradox, trusted commands in Cursor become attack vectors - https://t.co/FZ5zCmJBua @Pillar_sec
1️⃣7️⃣ Bad vibes, comparing the secure coding capabilities of popular coding agents - https://t.co/6xL4yyhBcW @Tenzai_Labs
1️⃣8️⃣ Why your AI agent needs different monitoring, Part 1 - https://t.co/b7rxIoE20V
1️⃣9️⃣ Remote code execution with modern AI/ML formats and libraries - https://t.co/w4HO2jZRCD - @Unit42_Intel, @PaloAltoNtwks
2️⃣0️⃣ The map is not the territory, the agent tool trust boundary - https://t.co/jySSqeBl13
2️⃣1️⃣ AI Security Guide, 300 plus pages of practical guidance on protecting AI and data centric systems - https://t.co/S9VHScGZyy - @owasp
2️⃣2️⃣ Process to build agents across your organization, build secure process - https://t.co/jc7k1awEEy - @Microsoft
@martin_vigo Appreciate it brother, but it's not as cool as tracking down a major cellphone theft operation 😉
@TheHackersNews Thank you for covering my research!
Who to follow
William Bowling
@wcbowling
Head of Assurance at @zellic_io, a.k.a vakzz when doing bug bounties and CTFs with @pb_ctf - https://t.co/9bjECLAwXg
Tabahi 
@_tabahi
high and hacking! writeups @witcoat !
Omkar Mali🇮🇳
@OMK4RM4LI
• Yogosha Strike Force • Red Team at @pentabug• CEH• CPENT• LPT• CTF Player ⛳• Gamer🎮• Security Researcher
@monkehack @ngalongc @ngalongc Definitely take a look at my whitepaper on auditing custom Apex :)
https://t.co/kA8hIzlRVr
Unfortunately (for us), no default CRUD for Custom Objects. 99% of objects will always be dictated by Guest Sharing Rules (and read perm on object via profile) explicitly. Pre Winter '21 release, orgs could set 'View All' object permission for Guest Users which overrode Sharing Rules 😢
@ngalongc @OriginalSicksec @bibek0x01 Glad to hear my blog was helpful for you! Feel free to reach out if you have any Qs about Salesforce hacking. Been doing this sh*t for 4 years 😅
Spoke to @ConspiracyProof about his discovery of 1.1 million NHS employees' records being leaked online, Aaron previously discovered a HSE data breach that left the data of 1 million people vulnerable.
Want to know how you can hack Microsoft Power Page websites? How I was able to access (and later secure) PII of 1.1 MILLION #NHS employees? With my latest blog post, you can learn how to pentest a Power Page site for data leaks in as little as 2 minutes. Check it out below:
https://t.co/ZoQ9Qc74XH
#bugbounty
More than 1,000 ServiceNow instances have been discovered to be exposing potentially sensitive Knowledge Base data, according to @ConspiracyProof, chief of SaaS security research at @AppOmniSecurity.
https://t.co/OzWi3Z7M4q
@rez0__ Pleasure is mine brother, thank you 🙏
https://t.co/ufuvAMciSL
Want to know how I could've hacked thousands of Oracle NetSuite sites in order to extract sensitive information? It was so severe that within days, Oracle rolled out multiple hardening measures to reduce the risk of it happening again.
If you're a pentester, security engineer, NetSuite admin or a bug bounty hunter, this is a must read as I can guarantee that these issues will rear their again head in the future!
Spoke to @ConspiracyProof about his discovery of the HSE vaccine data of one million people being exposed, and how he published a warning on the vulnerability one year before.
@darraghduffy @adrianweckler Assuming they were able to confirm there was no data exposed, IMO it goes from being an obligation, to a responsibility, to disclose. Not necessarily to the DPA, but to the public.
They could've come across well IMO given the timeframe in which they remediated the issue.
@darraghduffy @adrianweckler This is the thing, there was more than one way to access this information. It's difficult to say from where I'm standing if they analysed the various sources of logs sufficiently, as I was given no evidence.
Cont.
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.3M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
87M followers
Taylor Swift
@taylorswift13
80.9M followers
Lady Gaga
@ladygaga
72.4M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
68.9M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.5M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.5M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.1M followers