Nebula Security is now backed by Y Combinator.
We’re celebrating by bringing you the world’s first Android 17 root demo, “IonStack”: a single click on a URL can let an attacker fully control your phone.
This is not only an Android root demo. We’re bringing you a full-chain browser-to-kernel exploit with two 0-day vulnerabilities affecting Firefox before v151.0.2 and every Linux distro of the past 15 years. "IonStack" demonstrates how bad actors can take control of your phone by sending a malicious URL, but the good news is that Nebula Security found it before attackers did.
Both 0-days were found by our code scanning agent, VEGA, overshadowing any vulnerability found by Mythos or any other scanner you can name.
VEGA has demonstrated its extraordinary capability in finding critical bugs in the world’s most complicated software: operating systems and browsers. It can spot the same vulnerabilities in your codebase too.
VEGA supports full scans and incremental scans that can be integrated into your CI/CD flow. We launched VEGA within YC companies and received overwhelmingly positive feedback. Now it is open to all enterprise customers in private beta.
Book a demo with us: https://t.co/eXHKhnE8gC
I built a tool: Obsidian — Mobile Security Research
It is a mobile application security assessment tool 🔐
with AI built in; it runs on macOS and Linux
Features:
SSH connection, pulling apps directly, browsing app files, binary analysis, detecting app weaknesses, direct injection, and more...
Continued 👇
Yay, I was awarded a total of $5,500 in bounties on @Hacker0x01! https://t.co/unepjTWUuT
Vulnerabilities Found:
1. Privilege Escalation (Trial User → Platform Admin)
   1. While reading the site's JavaScript files, I found an API endpoint and noticed it accepted an "author" parameter in the request body.
   2. The JS hinted that the "author" value was used to identify who the request belonged to — and that this value needed to be an admin's email for certain actions.
   3. I collected 15–20 employee emails through public sources (OSINT).
   4. I tested them one by one as the "author" value. One matched a platform admin account, and that request was accepted.
   5. Using that admin's email as "author" along with my own account ID, I changed my account "plan" from "trial" to "internal". The request went through, and my role was updated.
   6. Root cause: the endpoint was authorizing the request using a value from the request body instead of the role from the user's authenticated session.
2. SSRF → Cloud Metadata Credential Exposure
   1. The app had a feature that fetched user-supplied URLs from the server side.
   2. Confirmed by pointing it at a public echo service — the response showed a cloud server IP, not mine. The server was making the request.
   3. The URL filter blocked the metadata service IP in its standard dotted form, but didn't normalize alternate representations. Converting the same IP to its decimal form bypassed the filter cleanly.
   4. From there, the standard two-step metadata flow worked: first request returned a session token, second request used that token to return temporary instance role credentials.
   5. Root cause: block-list URL filtering without IP normalization. A single canonicalization step on the resolved address would have caught this.
3. IDOR Exposing 285,000+ Customer Invoices
The invoice download endpoint used sequential IDs with no ownership check. Changing the ID returned other customers' invoices.
4. IDOR Enabling Cross-Tenant Audit Log Manipulation
A "log move" endpoint trusted client-supplied IDs, which allowed moving log entries across tenant boundaries and tampering with audit history.
5. Unauthenticated Path Traversal
A public endpoint accepted file paths without sanitization, allowing partial file reads across the platform with no authentication required.
Key lessons:
→ Never authorize based on request-body fields. Use the session/JWT role.
→ URL-fetch features need allow-lists, and must normalize alternate IP forms.
→ Sequential IDs are fine; missing ownership checks are not.
→ "Unauthenticated" doesn't mean "untrusted input is safe."
#bugbounty #securityresearcher #ethicalhacker #cybersecurity #vulnerability #penetrationtesting #securityaudit #digitalsecurity #tech #innovation #hackerone #freelance #freelancer #pentester #ssrf #idor #privilegeescalation #pathtraversal #appsec #infosec #TogetherWeHitHarder #bugbountytips
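The SSRF filter bypass in finding 2 and the canonicalization fix the lessons call for, as an added example that is neither the target's code nor the researcher's tooling. It pairs the string block-list that only matches the dotted metadata address with a hardened check that parses every literal form the libc resolver accepts (plain decimal, hex, octal, IPv4-mapped IPv6) and decides on the resulting address class. The URLs, the `FAKE_DNS` table and `fake_resolve()` are constructed here so the example runs offline; the metadata address `169.254.169.254` is the standard IMDS endpoint on the major clouds.

```python
from __future__ import annotations
import ipaddress
import re
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Instance metadata address on AWS, GCP and Azure; it sits in link-local 169.254.0.0/16.
METADATA_IP = ipaddress.ip_address("169.254.169.254")


def naive_blocklist_allows(url: str) -> bool:
    """The weak filter from finding 2: compares the host string with the dotted
    form only, so every other spelling of the same address passes."""
    host = urlsplit(url).hostname or ""
    return host != "169.254.169.254"


def _inet_aton_part(part: str) -> int:
    """One dotted component in legacy inet_aton() syntax: hex, octal or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]*", part):          # leading zero means octal: "0251" -> 169
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(part)


def canonical_ip(host: str) -> Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Address a libc resolver derives from a literal host, or None for a DNS name.
    Handles dotted, octal, hex, plain-decimal and IPv6 (incl. IPv4-mapped) forms."""
    if ":" in host:                              # IPv6 literal (urlsplit dropped the brackets)
        try:
            v6 = ipaddress.IPv6Address(host)
        except ValueError:
            return None
        return v6.ipv4_mapped or v6
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_inet_aton_part(p) for p in parts]
    except ValueError:
        return None                              # non-numeric: treat as a DNS name
    *leading, last = nums
    # inet_aton rule: each leading part is one byte, the last part fills the rest
    if any(n > 0xFF for n in leading) or last >= 1 << (8 * (5 - len(nums))):
        return None
    value = last
    for i, n in enumerate(leading):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def is_safe_fetch_target(url: str, resolve: Callable[[str], str],
                         allowed_hosts: Optional[Iterable[str]] = None) -> bool:
    """Hardened check: canonicalise a literal or resolve a name, then decide on the
    address class, not the string.  `resolve` is injected so this runs offline; in
    production use socket.getaddrinfo() and connect to the address you validated,
    or a rebinding DNS name passes the check and resolves elsewhere at fetch time."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if allowed_hosts is not None and host not in set(allowed_hosts):
        return False                             # allow-list first, as the lessons say
    ip = canonical_ip(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):
            return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"example.com": "93.184.216.34", "meta.attacker.test": "169.254.169.254"}


def fake_resolve(name: str) -> str:
    if name not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {name}")
    return FAKE_DNS[name]


# Constructed URLs: the dotted form is the only one the string block-list catches.
BYPASS_URLS = [
    "http://169.254.169.254/latest/api/token",           # dotted: blocked by both filters
    "http://2852039166/latest/api/token",                # plain decimal
    "http://0xa9fea9fe/latest/api/token",                # hex
    "http://0251.0376.0251.0376/latest/api/token",       # octal
    "http://[::ffff:169.254.169.254]/latest/api/token",  # IPv4-mapped IPv6
    "http://meta.attacker.test/latest/api/token",        # name resolving to the IMDS address
]


def compare_filters(urls: Iterable[str] = BYPASS_URLS,
                    resolve: Callable[[str], str] = fake_resolve) -> dict[str, tuple[bool, bool]]:
    """Map each URL to (naive block-list allows it, hardened check allows it)."""
    return {u: (naive_blocklist_allows(u), is_safe_fetch_target(u, resolve)) for u in urls}
```

Running `compare_filters()` shows the naive filter admitting five of the six spellings while the hardened check rejects all of them, including the DNS name that resolves to the metadata address. Deciding on the resolved address rather than the host string is what makes the decimal, hex, octal and IPv6-mapped variants collapse into one case; the `allowed_hosts` parameter is there because a block-list on address classes is still weaker than the allow-list the writeup recommends.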
Cybersecurity intelligence, March ‘26: Android kernel EoP + Chrome full chain in the wild, two iPhone exploit kits targeting older devices, an AI supply chain exploit in the wild + more patched quietly. Starting to get busy across my entire expertise stack
I have reverse-engineered @VMWare's patch for the vuln in VMWare ESXi that was exploited at @GeekPwn 2018 to take it down for the first time. It's an uninitialized stack variable usage RCE in the host-side code of vmxnet3 network adapter. Binary diff via Workstation 15.0.0/15.0.1
My first post on @hackernoon gets more reading time than the Medium one (100 views vs 1.6k) 😂, more to come soon
https://t.co/g9iFbkMejR
#iOSSecurity #MobileSecurity