So, in August I found clickjacking on Google worth $7,500. This is the write-up: https://t.co/88F70Mzlpr Thanks to all of the community who taught me a lot about finding bugs. Especially the Indonesian bug hunter community. 🙏
Bismillah.
Just released an open-source tool for automating VirusTotal-based recon and attack surface exploration.
InshaAllah it can help with asset discovery, correlation, recursive subdomain enumeration, URL discovery, and JavaScript analysis.
https://t.co/tbefCw4tXN
Speaking to yourself in third-person is a performance enhancer.
Across 7 studies, people who used “you” or their own name instead of “I” under social stress had:
↑ objective-rated performance
↓ distress
↓ post-event rumination
That's a wrap on Pwn2Own Berlin 2026! 🏆 $1,298,250 awarded. 47 unique 0-days. 3 days of absolute chaos. And talk about main character energy - congrats to DEVCORE for claiming Master of Pwn with 50.5 points and $505,000 - they never slowed down. See you next year! #Pwn2Own #P2OBerlin
you’re 22. you scroll 3 hours a day. it feels harmless
at 28 you can’t read an article without checking your phone twice per paragraph
at 32 you don’t understand why nothing you start ever finishes, you’re still dreaming of this project you wanted to start. still no time
at 40 you’ve never finished a book in a decade.
it all passed
Here’s the sauce:
- agent md file with lots of disclaimers about how it’s approved testing
- a bunch of hacking skills
- /goal find a crit on target . com
That’s literally 90% of the way there and enough to blow anyone’s mind who hasn’t been convinced yet.
Phone-free for 72h?
Study shows your brain’s reward centers reset after just 3 days of restriction.
Escape the scroll, reclaim your focus, and rebalance your dopamine!
last month I reported a critical SSRF that led to JS execution in a headless Chrome ദ്ദി・ᴗ・)✧
if you're curious, I wrote a full article on @yeswehack! :p
Had some fun finding and exploiting a state machine logic bug in af_alg_sendmsg last year; it leads to OOB access and an arbitrary write, then container escape, and had gone unnoticed since 2011.
kernelCTF writeup: https://t.co/Jwx4lByKyE
Fix commit: https://t.co/TazItEgqMw
I try to be eventually consistent so here it is:
https://t.co/u5DYKjSfLJ
This educational writeup goes over a Service Account impersonation chain leading to vertical privilege escalation within Google SecOps SOAR
Kudos to @GoogleVRP for enabling this kind of research!
🔐 Account Takeover via CSPT with Subsequent 2FA Bypass through Prototype Chain
Step 1. Client-Side Path Traversal
The CSPT primitive is fairly typical: the attacker changes the invite-sending request path "PUT /api/v2/teams/<teamId>/invites/<inviteId>" to the email-change endpoint "PUT /api/v2/user".
As a result, when the victim follows the invite link, the client sends a request that changes the victim’s email address to one controlled by the attacker.
The interesting part is that CSPT only gives control over the URL, not the request body. According to HTTP semantics, PUT usually carries the new resource state in the request body. In this case, however, the server did not strictly require the new email to be supplied in the body and accepted it from a query parameter instead. This made account takeover possible.
Step 2. 2FA Bypass via Prototype Chain
Next, the researcher needed to log in to the compromised account and pass the OTP check. This was bypassed by sending "__proto__" instead of a valid code.
The issue relies on JavaScript property lookup. When reading an object property, JavaScript first checks the object’s own keys; if the key is not found, it continues up the prototype chain to "Object.prototype".
Based on the observed behavior, the server likely checked OTP validity with logic similar to:
    if (pendingCodes[code]) {
      // issue session
    }

When the attacker sent "X-2FA-Code: __proto__", there was no own key named "__proto__" in "pendingCodes", but "__proto__" is an inherited property available on ordinary JavaScript objects. Therefore, "pendingCodes["__proto__"]" returned the object prototype — a truthy value. The condition passed, and the server issued a session.
📎 Article: https://t.co/dcIcRdn0JR
#dbugs_attacks
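The OTP lookup flaw from the post above next to two hardened forms, as an added example that is not part of the original post; the pendingCodes store, the OTP values and the function names are constructed for illustration.

```javascript
// Constructed sample store: pending OTP code -> login awaiting second factor.
// A plain object literal inherits from Object.prototype.
const pendingCodes = { "482913": { user: "alice" } };

// Vulnerable: bracket lookup on a plain object walks the prototype chain,
// so inherited keys ("__proto__", "constructor", "toString", ...) are truthy
// even though they were never stored as pending codes.
function otpValidVulnerable(store, code) {
  return Boolean(store[code]);
}

// Hardened 1: only accept keys the store itself owns, and reject anything
// that does not look like an OTP before touching the store at all.
function otpValidOwnKey(store, code) {
  if (typeof code !== "string" || !/^[0-9]{6}$/.test(code)) return false;
  return Object.prototype.hasOwnProperty.call(store, code) && Boolean(store[code]);
}

// Hardened 2: keep pending codes in a Map, which has no prototype-chain
// lookup; Map.prototype.has only reports explicitly inserted keys.
const pendingCodesMap = new Map([["482913", { user: "alice" }]]);
function otpValidMap(map, code) {
  return typeof code === "string" && map.has(code);
}

// Runs each probe through all three checks; only the vulnerable version
// accepts inherited property names.
function demo() {
  const probes = ["482913", "__proto__", "constructor", "toString", "000000"];
  return probes.map((c) => ({
    code: c,
    vulnerable: otpValidVulnerable(pendingCodes, c),
    ownKey: otpValidOwnKey(pendingCodes, c),
    map: otpValidMap(pendingCodesMap, c),
  }));
}

console.table(demo());
```

Creating the store with Object.create(null) would also remove the inherited keys, but the format check and own-key test above catch the problem regardless of how the store was built.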
when react2shell hit last year, i think vercel handled it brilliantly.
to protect their users, they paid $50,000 for every bypass researchers could find. we decided to participate, and ended up earning $170,000.
read how we did it here: https://t.co/2dM6Mf9PHU
I'm excited to finally publish the writeup for my first @GoogleVRP vulnerability, leaking phone numbers and other sensitive information of Google Support customers (rewarded with a $14k bounty).
https://t.co/bhB2Y88q4D