I went on a date in Seoul and I think I just got dumped over my asset allocation.
She asked what I invest in. I said index funds, some ETFs, nothing wild. She put her chopsticks down and said “so you have no convictions”.
then asked if I’ve ever held a position through a 60% drawdown. I said no. She said “then you’ve never loved anything”.
bro I came here for bibimbap not a TED talk
If Anthropic was a cult, and I’m not saying they are. They should declare all datacenters as sacred places. And then sue for religious discrimination when local cities try to cancel datacenter construction
🚨 SaaS platform ClickUp, used by 85% of the Fortune 500, has been leaking customer emails through its homepage for at least 465 days, and counting.
ClickUp has a $4 billion valuation. They are SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS certified. The fix takes about 90 seconds.
Security researcher @weezerOSINT noticed a hardcoded Split[.]io SDK token sitting in plain text inside ClickUp's production JavaScript bundle. The bundle loads before you log in. View source, copy key, send one unauthenticated GET request, and 4.5MB of ClickUp's internal configuration is exposed: 959 customer emails and 3,165 internal feature flags.
The customer list consists of Home Depot. Fortinet, who sells enterprise firewalls. Tenable, who makes Nessus, the vulnerability scanner half the industry runs on. Autodesk. Rakuten. Mayo Clinic. Permira. Akin Gump. A Microsoft contractor. 71 ClickUp employees. Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland, and New Zealand.
It gets worse, ClickUp has a flag named "enable-missing-authz-checks." It is active in production. It lists five ClickUp API endpoints the company itself documented as having no authorization. They wrote down their own holes in a config anyone with a browser can read.
At first disclosure, another flag carried a live ClickUp API token tied to Fairfax County Public Schools, one of the largest school districts in the US, serving 180,000 students. The token pulled 1,066 staff records, including Chief Financial Services data. ClickUp removed that one token. They never rotated the SDK key that exposed it.
While that report rotted, the same researcher found a second bug. ClickUp's webhook API has zero SSRF protection. Reported via HackerOne on April 8, 2026. Status: "New." 19 days, zero response.
The original report was filed by @weezerOSINT on January 17, 2025 (!). The key is still live. The emails still drop with one GET. ClickUp has had 465 days to rotate a single token. Zero response...
The fix is one click in the Split[.]io dashboard... ClickUp still hasn't replied to the researcher.
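The pattern described in the thread above, a credential sitting in a front-end bundle that loads before login, is something a build pipeline can catch before the bundle ships. The scanner below is an added example written for this page; it is not code from ClickUp, Split.io or the researcher. The sample bundle and every value in it are constructed placeholders, and the identifier keyword list and the entropy threshold are assumptions to tune for your own code base.

```python
import math
import re

# Identifier names that commonly hold credentials in client-side config objects.
# Heuristic list chosen for this example; extend it for your own code base.
SUSPICIOUS_KEY = re.compile(
    r'["\']?(?P<key>[A-Za-z0-9_.-]*'
    r'(?:api[_-]?key|sdk[_-]?key|authorization[_-]?key|secret|token)'
    r'[A-Za-z0-9_.-]*)["\']?\s*[:=]\s*["\'](?P<value>[^"\']{16,})["\']',
    re.IGNORECASE,
)

# Any quoted literal long enough to be a credential; filtered by entropy below.
LONG_LITERAL = re.compile(r'["\'](?P<value>[A-Za-z0-9+/_=\-]{32,})["\']')


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tokens score high."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def scan_bundle(js_text, entropy_threshold=3.5):
    """Return findings for credential-looking literals in a built JS bundle."""
    findings = []
    seen = set()
    # Pass 1: literals assigned to credential-like identifiers, regardless of entropy.
    for m in SUSPICIOUS_KEY.finditer(js_text):
        value = m.group("value")
        seen.add(value)
        findings.append({
            "line": _line_of(js_text, m.start()),
            "reason": "credential-like identifier %r" % m.group("key"),
            "preview": value[:8] + "...",
        })
    # Pass 2: long high-entropy literals that have no telling identifier next to them.
    for m in LONG_LITERAL.finditer(js_text):
        value = m.group("value")
        if value in seen:
            continue
        entropy = shannon_entropy(value)
        if entropy >= entropy_threshold:
            seen.add(value)
            findings.append({
                "line": _line_of(js_text, m.start()),
                "reason": "high-entropy literal (%.2f bits/char)" % entropy,
                "preview": value[:8] + "...",
            })
    return sorted(findings, key=lambda f: f["line"])


# Constructed stand-in for a production bundle; the values are placeholders, not real keys.
SAMPLE_BUNDLE = "\n".join([
    '// constructed sample bundle for this example',
    'var config={apiHost:"https://api.example.invalid",buildId:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"};',
    'var flags=require("feature-flags").init({authorizationKey:"EXAMPLE-placeholder-sdk-key-not-real-0001"});',
    'window.__ANALYTICS_TOKEN="q8Zr2LpV9xN4tW7bK1mJ6yH3gD5sF0aEcUoRiTnX";',
])

if __name__ == "__main__":
    # Run as a pre-deploy gate: a non-empty result should fail the build.
    for f in scan_bundle(SAMPLE_BUNDLE):
        print("line %d: %s (%s)" % (f["line"], f["reason"], f["preview"]))
```

Run against the real build output rather than the source tree, since bundlers inline environment variables and config files; the low-entropy `buildId` shows why the second pass needs the entropy filter, and the first pass catches credentials whose value happens to look boring but whose identifier gives them away.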
New Anthropic research: Project Deal.
We created a marketplace for employees in our San Francisco office, with one big twist. We tasked Claude with buying, selling and negotiating on our colleagues’ behalf.
🚨 DID YOU KNOW: In 2021, Ukrainian police raided what they thought to be an illegal crypto mining farm.
Instead, they found thousands of PlayStation consoles stacked on racks running FIFA 21 on autopilot.
They were farming Ultimate Team coins 24 hours a day to sell on the black market.
The operation was causing power blackouts across the entire city, and the consoles alone cost around $1.5m.
Back then, these coin farms could produce up to $3-5m a year.