Found a SAML SSO bug.
Signed my own claim, used another user’s email, got their account.
No phishing. No password. Just broken trust :)
Different org, same takeover -_-
https://t.co/oaVIYMgdBu
The best hackers I know aren't smarter than me.
They've just read more than me. Somewhere in their memory is the one obscure writeup that turns a dead end into a finding. Preview is that memory, on tap. For you, and for your agent.
-> https://t.co/JQKjIQGWFA
Bypassing LLM security guardrails for AI red teaming usually means crafting payloads from scratch every time... 😓
P4RS3LT0NGV3 by @elder_plinius is a web-based toolkit that automatically transforms prompts using a wide range of obfuscation and encoding techniques to help test how LLMs handle adversarial inputs! 🤠
Check it out! 👇
https://t.co/wzIw1CXe8A
Claude Code Full Sandbox Escape (CVE-2026-55607)
writeup: https://t.co/kzJ04Fqu4Y
prompt injection -> code execution on the host.
works even in read-only permissions mode + full sandbox
(it could be my Pwn2Own bug, but p2o was weird this year lol)
If this does not get resolved this time without visiting branch i’m going to close my account as I can’t keep doing this over and over again for something that is not my fault. I’ll also raise a complaint regarding this to RBI ombudsman and consumer court.
Thread 4/4
@AxisBank
Hello @AxisBank@AxisBankSupport@RBI
I did a transaction by myself for a health insurance premium autopay, then after some time i received a message saying my account has been blocked/debit freeze due to unusual
transaction.
Thread 1/4
I have my EMIs and bills due by 1st of the month how am i supposed to pay for them. I can’t visit branch as i’m not getting a leave from my office and it would cost me unnecessary expenses.
@AxisBank@AxisBankSupport
Thread 3/4
This is happening second time in last 60 days. Previously when it happened i had to visit branch write an application and it got unblocked the same day but this time i’m not in my city and this has become a major inconvenience now. @AxisBank@AxisBankSupport
Thread 2/4
🔁 JWT vulnerabilities are still some of the most impactful auth bypasses you can find in the wild! 🧐
From misconfigured signature validation to algorithm confusion attacks to JWK spoofing, and much more continue to surface in production, even on heavily tested targets! 👀
Our complete guide walks you through 7 practical methods to test for JWT vulnerabilities, with real exploitation steps for each! 😎
Check it out!👇
https://t.co/dlPZuHIlEm
Not everyone who reports to Google Cloud VRP does a writeup, but critical bugs still show up in CVEs and release notes
Made a tool that aggregates both so you can see the types of bugs getting found in GCP
https://t.co/S8C6q67r2N
🚨 New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS
Source: https://t.co/EHpSn8wX4C
A new class of indirect prompt injection (IPI) attacks targets Google Gemini's voice assistant, allowing attackers to silently hijack the AI through malicious payloads delivered via everyday messaging apps, including WhatsApp, Slack, Signal, SMS, Instagram, and Messenger.
The core exploit leverages Gemini's Android Utilities agent, specifically the tool that reads incoming notifications. Because this tool processes untrusted data from third-party apps, an attacker can embed malicious instructions directly inside a crafted message.
Once Gemini reads the poisoned notification, it silently incorporates the attacker's commands into the conversational context without the user's knowledge.
#cybersecuritynews
Unpopular opinion:
90% of bug bounty content teaches people how to find low-hanging fruit.
Very little teaches how to think like an attacker and chain vulnerabilities for real impact.
That’s exactly what this playlist covers.
If your methodology starts and ends with automated scans, you’re probably going to hate it. 🥱
https://t.co/z9v7mP0NVC