Your firewall sees Spotify traffic.
It may not see a command channel.
Came across SpotifyC2, a Windows security research PoC that uses:
- Spotify playlist titles to deliver commands
- A local client to execute them
- Telegram to return the output
No traditional C2 server.
No obviously malicious infrastructure.
Just trusted cloud services being used in ways defenders may not expect.
A useful reminder: allowlisting a domain does not mean the activity behind it is safe.
Interesting research for anyone working in threat detection, EDR, network security, or cloud abuse detection.
Tool: https://t.co/cknPN7q7BY
‼️ A 16-year-old Linux KVM vulnerability called Januscape (CVE-2026-53359) lets a root user inside a guest VM escape to the host on Intel and AMD x86 systems, and a proof of concept that crashes hosts is already public.
Canonical says patched Ubuntu kernels are still pending for all releases and recommends disabling nested virtualization in the meantime.
Once you learn how to shop directly from China, E.g Temù or shien your wardrobe changes completely. Call me cheap I don't care I ain't rich, I don't do fraud.😭
It's knowing what to search for.
Here's my style after making plenty of mistakes.
1. T-shirts:
Skip 100% polyester unless you're buying gym wear.
Instead, search:
• 100% Cotton
• Combed Cotton
• Heavyweight Cotton
• 240-300 GSM Cotton
• Premium Cotton
• Mercerized Cotton
The heavier the GSM, the thicker and more premium the shirt usually feels.
2. Jeans:
Denim Jeans
Temu is surprisingly good for denim if you know what to search.
Search:
• Denim Jeans
• Cotton Denim
• Raw Denim
• Selvedge Denim (if available)
• 98% Cotton + 2% Elastane
• 99% Cotton
Avoid jeans with high polyester content. The more cotton, the better they'll age and feel.
3. Body-hug clothing:
Search:
• Ribbed Knit
• Modal
• Viscose Blend
• Cotton-Spandex Blend
They hold their shape much better than cheap polyester.
4. Hoodies
Search:
• 400 GSM
• French Terry
• Cotton Fleece
• Heavyweight Hoodie
5. Chains
Search:
• 316L Stainless Steel
• Titanium Steel
• PVD Gold Plated
• Vacuum Plated
These are far more resistant to fading than ordinary fashion jewelry.
6. Earrings
Search:
• 925 Sterling Silver
• 316L Stainless Steel
• Hypoallergenic
• Moissanite (if you're buying stones)
7. Scarves
Search:
• Mulberry Silk
• Silk Blend
• Cashmere Blend
• Wool Blend
• Viscose
Avoid the shiny, thin polyester scarves if you're after a premium look.
8. Loafers
Search:
• Genuine Leather
• Cow Leather
• Full Grain Leather (rare but worth looking for)
• Rubber Outsole
9. Sneakers
Search:
• Rubber Outsole
• EVA Midsole
• Breathable Mesh
• Leather Upper
• Stitched Sole
Pictures lie a lot
The description usually tells the truth.
Here's how I shop:
1. Read the material composition before anything else.
2. Sort by Most Orders or Best Selling, not cheapest.
3. Only buy products with lots of reviews or pictures or even better when a Nigerian has purchased it before they always tell the truth.
4. Read the 1-star reviews first. They'll tell you what the seller won't.
5. Look at customer photos, not the product photos.
6. Check the weight of the product. Better quality clothing is often heavier.
7. Read the size chart. Don't assume your Nigerian size matches.
8. If the title has words like "luxury," "premium," or "designer" but the material is 100% polyester, not everything but still move on.
Your best friend isn't the product picture.
It's the material, the reviews, and the customer photos.
That's how you separate the gems from the junk.
I hope this help.
Things are to expensive for a country this poor.
So here's the gist.
The Pharaoh in Aso rock increased international passport fees from 50k to 100k last year.
He has increased tertiary institutions schools by over 300% since 2024.
Now he has taken WAEC and NECO from 27,000 to 50,000
He also removed general electricity subsidy and cooking gas went from 700 to 2000 within 2 years.
So tell me exactly, you APC b*stards the benefit of supporting Tinubu?
I just learned that under Ghana’s Free Senior High School policy, the government pays the WASSCE registration fees for every student in public schools.
Then I looked at Nigeria, where WAEC and NECO fees have just increased.
I’m struggling to understand the logic.
Nigeria has one of the largest populations of out-of-school children in the world.
Thousands of children drop out every year because their families simply cannot keep up with the cost of education.
Education is under attack in Nigeria and we have to fight back.
Dutch intelligence agencies got caught training AI on citizen data they weren't supposed to have.
the CTIVD, the Netherlands' official intelligence oversight body, published a report finding that AIVD and MIVD staff accessed and retained massive bulk datasets in ways that violate Dutch law.
names. phone numbers. location data. social media. communication content. millions of entries. some from government sources. some commercially purchased. some stolen by criminals and bought on the dark web.
and then Bits of Freedom, the Dutch digital rights organization, flagged something buried in the report: the agencies appear to be training their own AI models on this data.
this is not the first time.
in 2020, the same watchdog found the same agencies had retained citizen data far beyond legal limits. after complaints, they were ordered to delete it.
six years later: same report. same finding. same agencies.
but now with AI in the loop.
the data that was illegally retained is now reportedly being used to train models that will make future surveillance faster, more accurate, and more autonomous.
you cannot opt out. Unlike commercial AI companies, there is no settings menu. no privacy center. no right to delete that you can actually exercise.
Bits of Freedom put it directly:
"They seem to be buying data from criminal data breaches. aren't they supposed to be protecting us from those?"
After finding 250+ BAC & logic bugs, I recorded a video on how to dig deeper and unlock hidden functions to find real bugs.
For beginners struggling to find real bugs or build a methodology.
Link in the first comment 👇
#BugBounty#Hacking#bugbountytips
JUST IN: Femi Gbajabiamila reportedly forged a law, used it to collect ₦54bilion from the Nigerian Upstream Petroleum Regulatory Commission (NUPRC), claiming it was an order from Pres. Tinubu. Bayo Onanuga backs him.
He allegedly demanded 4% of NUPRC’s revenue, to be split into two. 2.5% and 1.5%, the latter will be for “upgrading of crude oil and gas metering and transparency systems” — this doesn’t exist in this context. It was his way of illegally collecting the money to himself.
Gbaja assumed office as Chief of Staff in June 2023. The incident occurred in July 2023, just weeks after Bola Ahmed Tinubu was sworn in.
Bayo Onanuga insists the money was not illegal and that it was released under a lawful order from the President. Which is concerning, because the President does not have the legal authority to issue such orders.
Apparently, the Presidential Chief of Staff also reached out to FIRS, NIMASA and Nigerian Customs with similar tactics.
People’s Gazette exclusively reports. https://t.co/f7xgICk95a
Follow @TrendingEx for dailies..
"For me, I would say IGCSE Mathematics is easier than WAEC Mathematics." — Tolulope Israel Adekimi.
Following his triumph as the world's top performer in Cambridge IGCSE Mathematics, the Year 12 student outlines how decoding real-world scenarios makes the international paper more approachable than its domestic counterpart (WAEC).
#CTVTweets
It is highly interesting and deeply ironic that Nigeria is currently being paraded as having the "world's best-performing stock market."
To put statistical illusion into clear mathematical perspective, South Korea comfortably has over 200 publicly traded companies with an individual market capitalization exceeding $1 billion USD. In stark contrast, the total number of companies on the Nigerian Stock Exchange with a market cap exceeding that same $1 billion mark sits at a measly, fluctuating 11 to 18. Furthermore, the South Korean Stock Exchange is home to over 2,500 listed companies, whereas the entire Nigerian stock exchange is struggling to maintain even 150. To make matters infinitely worse, the annual revenue of just one single South Korean conglomerate, Samsung, comfortably exceeds the entire, devalued annual Gross Domestic Product (GDP) of the Federal Republic of Nigeria.
So, it is obviously completely insane and deeply delusional to imagine that Nigeria is genuinely outperforming the rest of humanity in its actual economic output, industrial productivity, or stock market indices. Nigeria is currently the undisputed poverty capital of the world, where small businesses are collapsing by the dozens every single day. So that begs the question: what does this glowing market report actually mean for the ordinary people of Nigeria?
Well, for one, if a struggling, debt-ridden developing nation suddenly starts to heavily outperform advanced, highly industrialized nations on its stock exchange, it is actually a massive, flashing red indicator that the country in question is facing a severe and monumental hyperinflation. Nigeria is currently experiencing historic, record-breaking inflation, so this stock market boom is merely an indicator that wealthy oligarchs, institutional investors, and local investment banks have smartly recognized that if they hold their cash in standard bank accounts during this highly volatile period, they will lose their purchasing power every single day. Since they cannot easily access scarce foreign currencies like US dollars or Euros due to strict government currency controls, they desperately dump their fast-depleting Naira into solid, tangible local stocks like Dangote Cement, BUA Group, or MTN Nigeria just to preserve their wealth.
So, this triumphant news report that we are passionately commanded to celebrate is actually a terrifying warning sign that Nigeria is experiencing severe, runaway inflation. The local elites, corporate cartels, and bank directors are frantically tripping over themselves to buy blue-chip local stocks strictly to hedge against currency collapse, and this sudden, desperate surge in local demand has artificially driven up the prices of these shares to such a disproportionate, heavily padded percentage that on paper, it looks much more profitable to invest in the Nigerian stock market than in the highly productive, technologically advanced South Korean stock exchange.
Another major reason for this artificial stock market spike is the aggressive, reckless increase in interest rates by the Central Bank of Nigeria on behalf of the IMF and the World Bank. While this brutal rate hike has successfully collapsed thousands of local manufacturing businesses because commercial banks are now charging as high as 40% interest on business loans, it has also temporarily attracted a massive influx of volatile "hot money" from foreign speculators who are lending money to the Nigerian government by purchasing short-term treasury bills and sovereign bonds just to greedily exploit these high yields.
It is crucially important to historically emphasize that Nigeria is absolutely not the only developing country to be declared the "best-performing stock market in history." Mexico proudly achieved this exact same fraudulent title in the run-up to 1994, and it ended up almost collapsing their entire national economy into absolute oblivion. At the time, the Mexican government, acting on the strict advice of the World Bank, aggressively increased interest rates and adopted painful Structural Adjustment Programmes that triggered massive hyperinflation across the country. This temporarily, artificially increased their foreign reserves as yield-hungry international speculators dived in to exploit these high interest rates, causing their local real estate markets and stock exchanges to explode into a virtual goldmine for foreign investors. But this artificial boom did not even last for a few years. The moment the United States Federal Reserve increased its own interest rates, international investors panicked, liquidated their assets overnight, and pulled their hot money completely out of Mexico. This massive, sudden capital flight almost collapsed the Mexican Peso, forcing their desperate government to raise domestic interest rates to an astronomical 70%, but even this extreme measure was not enough to save the country from descending into total state failure. This was the exact moment Mexico was forced to accept a humiliating, sovereignty-destroying bailout from the IMF and the United States totaling a massive $57 billion. Exactly $20 billion of that came directly from the US treasury, but it came with the highly insulting, neocolonial condition that all revenues from the global sales of Mexican state-owned oil must be deposited directly into the Federal Reserve Bank in New York City as collateral to secure the debt, while the IMF forced even more brutal, structural adjustment programs on Mexico that the country has still not fully recovered from even to this very day.
So, while this stock market boom is currently being heavily marketed as another monumental, ground-breaking macroeconomic achievement by the Tinubu Administration, it is in reality extremely dangerous, deceptive, and reckless. Not only does it completely fail to reflect the actual, material reality on the ground, which is that Nigeria is currently the bleeding poverty capital of the world, but this exact, artificial economic bubble has the direct, terrifying potential to completely collapse the Nigerian economy, trigger massive capital flight, and permanently reduce the country to a subservient, bankrupt puppet state run entirely by the harsh austerity measures, economic dictates, and financial chains of boardroom terror organizations like the IMF and the World Bank.
Ovie Okpako-Onyokoko from Port Harcourt.
Currently the world best in Grade 11 mathematics and third world best in coding by codementum at the ISTEM Olympiad in Rome.
Academic Excellence 🔥🔥🔥
"I don't want to say one is easier, but IGCSE is a little bit easier to understand." — Akota-Chika Serena.
The Nigerian teenager, who achieved the highest score globally in Cambridge IGCSE English, explains how the exam structure compares to WAEC, noting that WAEC requires more memorisation of outside knowledge.
#CTVMorningBrief
BREAKING: Nigerian students delivered a strong performance at the 2026 TeenEagle Global Finals held in the United Kingdom, gaining international acclaim for their academic excellence and communication skills.
• Chioma Ezedimbu: Silver Medal in Productive Skills and Bronze Medal in Receptive Skills, showcasing outstanding abilities in writing, persuasive speaking, spelling, and knowledge-based events.
• Amarachi Mitchell Orji: Gold Medal in Productive Skills and Bronze Medal in Receptive Skills.
• Ugwu Kassandra Chimziterem: Gold Medals in both Receptive Skills and Productive Skills.
The competition brought together students from around the world to test their English language proficiency, critical thinking, public speaking, and academic abilities, while fostering cultural exchange and global collaboration.
History maker! 🇳🇬🏆
At 5, Aisosa Agbon-Ifo became Nigeria's youngest STEM Olympiad gold medalist. Now at 6, he has secured back-to-back victories by winning the 2026 Grade 2 category.
Congratulations to the young champion from Banana Island International School! 👏🧮
The children of Gonzaga Jesuit college Okija actually won a total of 25 Awards at the STEM Olympiad in Rome. They won 10 Gold, 3 Silver, 9 Bronzes, & (three Honorable mentions).
WOW! WOW! WOW! 🤩💪👏👏
WOW!!! WOW!!! WOW!!!
Israel Tolulope Adekimi is world's top performer in Cambridge IGCSE Mathematics. He said that IGCSE Math is easier than WAEC Mathematics.
Nigerian children are brilliant. We are slowly replacing Olodo Uprising with Intellectualism.
WELL DONE TOLU, WELL DONE! 🤩💪👏👏
"Whatever brought you here today has placed good fortune on your path."
— Governor Alex Otti tells Magnus Emenuga, a young inventor building a mobile phone from scratch in Aba, Abia State, which he says can communicate without a SIM card, after meeting him and expressing interest in learning more about the project.
1/
One of my favorite bug bounty findings Mass assignment in Rails feature that lets you initialize database and esc priv to admin TestCenterAdmin records using a hash of parameters, like https://t.co/hyCQfFaEA5(params[:user]). While highly convenient, it can lead to severe security vulnerabilities if untrusted form data updates sensitive model attributes (like admin or account_balance)
It started with one question:
“What can a newly registered organization actually do before it’s approved?”
And that question broke the entire trust model.
🧵
2/
The application had a straightforward onboarding workflow:
Register → Upload documents → Wait for approval → Become operational
Pretty standard.
At least, that’s what the UI wanted me to believe.
3/
I registered a brand-new organization using my own controlled email and completed the normal password setup.
After logging in, something immediately caught my attention.
My account had already been assigned a legitimate:
TestCenterAdmin
No JWT tampering.
No forged session.
No role injection.
The application gave it to me.
4/
At the same time, the organization itself was still marked:
pending
That single inconsistency became the entire investigation.
The database said:
“We don’t trust this organization yet.”
The authorization layer said:
“Welcome, administrator.”
Beautiful.
5/
Most people would test whether they could inject an admin role:
{ "role": "TestCenterAdmin" }
I didn’t need to.
The role was real.
The session was real.
The only thing missing was approval.
So the real question became:
Does the backend check the role only, or does it also check the organization’s business state?
6/
While mapping the application, I reached the branch-creation feature.
Then I saw this request structure:
center_branch_admins_attributes[][first_name] center_branch_admins_attributes[][last_name] center_branch_admins_attributes[][email]
The Rails smell was immediate.
Nested attributes.
7/
In Ruby on Rails, request parameters like:
something_attributes[][field]
often indicate a relationship handled through:
accepts_nested_attributes_for
Meaning one request may create the parent object and its associated child records together.
In this case:
Create branch + Create branch administrator
One request. Multiple database objects.
8/
Conceptually, the backend could resemble:
class CenterBranch < ApplicationRecord has_many :center_branch_admins accepts_nested_attributes_for :center_branch_admins end
With permitted parameters similar to:
params.require(:center_branch).permit( :name, :iban, center_branch_admins_attributes: [ :first_name, :last_name, :email ] )
Very Rails.
Very convenient.
And very interesting from a security perspective.
9/
Whenever I see nested [] parameters in Rails, I immediately think about mass assignment:
Can I inject an ID? Can I assign a foreign user? Can I modify the role? Can I set approval status? Can I overwrite protected attributes?
So naturally, I tested the surrounding parameter boundary.
Not randomly.
Surgically.
10/
I tried variations involving protected fields, approval state, foreign identifiers, and nested administrator attributes.
Most of them were rejected or ignored.
So this wasn’t the classic:
“Add role=admin and become root.”
Strong Parameters appeared to be filtering the obvious mass-assignment attacks correctly.
But that didn’t make the flow secure.
11/
The dangerous part was what the application already allowed through the legitimate parameter set.
I submitted the normal branch-creation request while the parent organization was still pending.
No hidden parameter.
No parser trick.
No exploit-looking payload.
Just the intended form.
The server accepted it.
12/
The application created:
A new child branch + A nested branch-administrator record
under an organization that had never been approved.
That’s where the Rails nested attributes became the perfect enabler.
The application wasn’t just creating business data.
It was creating a new identity.
13/
Then I activated the nested administrator through the standard password workflow:
Request password reset → Receive controlled email → Verify token → Set password → Log in
Login succeeded.
The account returned a legitimate role:
CenterBranchAdmin
So this wasn’t some dead record sitting in the database.
It was a real administrator account.
14/
At that point, the chain looked like this:
Public registration → Pending organization → Legitimate TestCenterAdmin → Rails nested branch creation → Legitimate CenterBranchAdmin → Protected authenticated access
The organization was still pending throughout the process.
Approval had become decoration.
15/
This is why calling the issue only “mass assignment” would be incomplete.
The nested *_attributes[] structure looked like the entry point.
But the deeper vulnerability was missing business-state authorization.
The application appeared to ask:
user.test_center_admin?
Instead of:
user.test_center_admin? && user.test_center.approved?
One missing condition.
A complete trust-boundary failure.
16/
Strong Parameters can answer:
“Which attributes may this request assign?”
They cannot answer:
“Should this pending organization be allowed to perform this operation at all?”
That is not a parameter-filtering problem.
That is an authorization and business-logic problem.
And those are usually much more fun.
17/
The best part?
I never needed to force the application into an impossible state.
I simply connected two states that the developers assumed would never exist together:
Valid administrator role + Pending organization
Both values were legitimate.
Their combination was not.
18/
During one creation attempt, the server returned:
HTTP 529
It looked like failure.
But I checked the state afterward.
The branch existed.
The administrator existed.
The transaction had already committed.
The API said “error.”
The database said “done.”
Always verify state after a 5xx.
19/
I also tested the deletion boundary.
The newly created CenterBranchAdmin could not delete the branch.
Correctly denied.
The parent TestCenterAdmin could delete its own controlled branch.
A foreign controlled organization could not.
So no, this was not arbitrary branch deletion or a cross-tenant IDOR.
I don’t need to exaggerate impact when the real bug is already clean.
20/
The proven impact was:
• Create branches before approval • Provision real administrator identities • Activate those identities normally • Authenticate as those administrators • Access protected branch resources • Manage owned branch structure while pending
All before the organization passed review.
21/
This finding is a perfect example of why I don’t only hunt payloads.
Payloads are easy to screenshot.
Broken assumptions are where the serious bugs live.
Especially around:
pending invited suspended disabled unverified under review
Every role should be tested in every lifecycle state.
22/
The takeaway:
A valid role does not mean the user is in a valid business state.
And when I see Rails parameters shaped like:
model_attributes[][field]
I don’t just ask what I can mass assign.
I ask what objects, identities, and permissions the framework will quietly create for me.
Sometimes the most powerful payload is not SQL, JavaScript, or Ruby.
Sometimes it’s simply:
status = pending
:)
#BugBounty #RubyOnRails