Introducing CRABWISE 🦀 Build trust with your agents and set rules they can't break.
Local-first agent monitoring, audit trail, and policy enforcement with multi-agent, multi-provider support
→ live agent monitoring
→ local policy enforcement (commandments)
→ a hash-chained audit trail
→ terminal UIs for status, watch, and audit
→ support for OpenClaw, Claude Code, Codex CLI (more to come)
+ pairs nicely with Crabwalk🦀
Follow me @luccasveg to stay updated + RT!
every forecast had this quarter pegged as the rebound. ottawa projected +1.4%. rbc and td both said +1.7%. q4 was the dip, q1 was supposed to be the recovery.
we got roughly zero growth
yes, this is a technical recession but
the longer pattern is what really matters and what concerns me most
real gdp per person grew 0.6% in all of 2025. it fell in 2024. it fell in 2023.
we haven’t become richer per person in years, and it’s crazy to me that we keep acting surprised when our growth is stalled
we have fundamental productivity and investment problems that won’t fix themselves
I will sound like I’m beating a dead horse here, but worth repeating again… we know what we need to do to fix this:
1. make capital gains and corporate tax rates at least as good as the US, if not materially better. across all industries.
2. open up protected markets to competition (telecoms, finance, dairy, transportation etc)
3. rapidly reduce bureaucratic red tape and slow process across the board, not just for favoured projects or sectors
and finally, let’s all remind ourselves that we can just do things. every Canadian can be part of fixing this. we can collectively hustle - aim high
Canada can be the richest country in the world, if we choose to be
Exclusive: Google DeepMind will train its AI technology on EVE Online after Google took a multi-million-dollar stake in the sci-fi MMORPG's developer.
EVE Online is famous for players' corporate espionage, economic maneuvering and politicking. https://t.co/5P6nWZqIjL
Shopify is the all-in-one commerce platform powering millions of businesses worldwide
Thank you to the @Shopify team for building their own official Hermes Agent skill enabling your agent to manage products, orders, inventory, and fulfillments from any channel.
🚨 SaaS platform ClickUp, used by 85% of the Fortune 500, has been leaking customer emails through its homepage for at least 465 days, and counting.
ClickUp has a $4 billion valuation. They are SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS certified. The fix takes about 90 seconds.
Security researcher @weezerOSINT noticed a hardcoded Split[.]io SDK token sitting in plain text inside ClickUp's production JavaScript bundle. The bundle loads before you log in. View source, copy key, send one unauthenticated GET request, and 4.5MB of ClickUp's internal configuration is exposed: 959 customer emails and 3,165 internal feature flags.
The customer list consists of Home Depot. Fortinet, who sells enterprise firewalls. Tenable, who makes Nessus, the vulnerability scanner half the industry runs on. Autodesk. Rakuten. Mayo Clinic. Permira. Akin Gump. A Microsoft contractor. 71 ClickUp employees. Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland, and New Zealand.
It gets worse, ClickUp has a flag named "enable-missing-authz-checks." It is active in production. It lists five ClickUp API endpoints the company itself documented as having no authorization. They wrote down their own holes in a config anyone with a browser can read.
At first disclosure, another flag carried a live ClickUp API token tied to Fairfax County Public Schools, one of the largest school districts in the US, serving 180,000 students. The token pulled 1,066 staff records, including Chief Financial Services data. ClickUp removed that one token. They never rotated the SDK key that exposed it.
While that report rotted, the same researcher found a second bug. ClickUp's webhook API has zero SSRF protection. Reported via HackerOne on April 8, 2026. Status: "New." 19 days, zero response.
The original report was filed by @weezerOSINT on January 17, 2025 (!). The key is still live. The emails still drop with one GET. ClickUp has had 465 days to rotate a single token. Zero response...
The fix is one click in the Split[.]io dashboard... ClickUp still hasn't replied to the researcher.
Stop taking advice from people who've never built anything. If they haven't put something on the line, their opinion on your risk isn't worth hearing.
The people who judge the attempt are never the ones making one.
@clairevo Everyone has had access to high-quality free and paid design systems made by talented designers, pre-AI.
There’s no reason to start from scratch with AI design tools.
Sub-agents in (latent) space!
We’ve been working on a side project.
As far as I know, this is the first massively multiplayer, completely LLM-driven game. Come play Gradient Bang with us. See if you can catch me on the leaderboard.
This whole thing started because I wanted to explore a bunch of things I’m currently obsessed with, in an application of non-trivial size, that felt both new and old at the same time.
So … a retro-style space trading game built entirely around interacting with and managing multiple LLMs. Factorio, but instead of clicking, you cajole your ship AI into tasking other AIs to do things for you.
Some of the things we’ve been thinking about as we hack on Gradient Bang:
- Sub-agent orchestration
- Partial context sharing between multiple LLM inference loops
- Managing very long contexts, and episodic memory across user sessions
- World events and large volumes of structured data input as part of human/agent conversations
- Dynamic user interfaces, driven/created on the fly by LLMs
- And, of course, voice as primary input
If you’ve been building coding harnesses, or writing Open Claw agents, or doing pretty much anything that pushes the boundaries of AI-native development these days, you’re probably thinking about these things too!
This is all built with @pipecat_ai, the back end is @supabase, the React front end is deployed to @vercel, and all the code is open source.