Olivia
Online
Matheus Vrech
@vrechson
CTFs, security, and whatever broke today
Joined February 2019
418 Following
775 Followers
387 Posts
Pinned Tweet
Found a full-blown CSP bypass on the current version of Firefox (69). Not working on the beta version. PoC: https://t.co/WTQppEnh1s<object data="javascript:alert(1)"></object>
#bugbounty
Saiu o Elytron Talks #02!
Fui o host do papo com o @0xTeles e o fepame sobre como o Bug Bounty cria profissionais pra ataques reais. 👇
https://t.co/FFum5wn0zL
Next.js v16.2.5 fixes a bunch of vulnerabilities reported by @HacktronAI.
Patch ASAP, especially if you’re running self-hosted Next.js that SSRF might affect you
CVE-2026-44574: Middleware / Proxy bypass via dynamic route parameter injection
CVE-2026-44578: SSRF in applications using WebSocket upgrades
CVE-2026-44581: XSS in App Router applications using CSP nonces
@caueobici @girorme1 Historias que seu avo nunca lhe contou sobre firebase - @vrechson & @Highustavo
Imagens sao dificeis - Thumbor 0days - @caioluders
SunCodeQL - Resolvendo a Complexidade do Frontend com SAST - m4z4r0p3
m4qu1n4 d0 mund0.ANS - gld
🚨: This is Tatiana Sampaio, a Brazilian scientist who restored movement in six paraplegic patients.
We found a RCE in Google's AI code editor Antigravity - $10000 Bounty
Link to the blog in comments:
I began looking into browser security issues again in 2026 and while reviewing extension permission APIs, I noticed that the default declarativeNetRequest API (which only requires permission to block content on all pages) can be leveraged into a side-channel attack.
This permission ends up allowing an extension to infer the full URL of open tabs without requesting the chrome.tabs permission, and it can also leak the full URL of cross-origin redirects.
Unfortunately, fixing this issue has been deemed unrealistic by Chrome, and the risk has been accepted, so it is worth keeping this in mind when granting content-blocking permissions to browser extensions.
The complete public report can be found at https://t.co/CI8miz1lL4.
Leaking FXAuth Token leading to account takeover ($65,000)
https://t.co/d1jQ26tTjD
Instagram account takeover via Facebook Pixel script abuse ($32,500)
https://t.co/DRjgIa92aa
Multiple XS-leaks disclosing Facebook users in third-party websites ($8,400)
https://t.co/F1hbXk7jNa
🟥 Positive Hack Talks → São Paulo 🇧🇷
Dec 10th, 2025
🗣️ Speakers — submit papers (flights/hotel covered). CFP link in thread 👇
💻 Cybersecurity community — join our most community-driven event.
➡️ https://t.co/dLTF5ZhE7Z
Free · 8 talks · limited spots
#PHTalks
@sanseverini amiga se precisar de ajuda para recuperar o insta posso tentar ver oq ta rolando
🚨 CFP aberto — Bug Bounty Village @ H2HC 2025 🚨
Achou um bug insano, bypass criativo ou tem case real de pentest/bug bounty?
Manda sua talk!
👉 https://t.co/qiinfEVgtH
#H2HC #BugBounty #Call4Papers #HackerCulture
The future looks wild. We’re just getting started 🚀
Personally, I’m grateful to be building this with the greatest team @zeyu1337 @rootxharsh @LiveOverflow @haqpl, @ungrad_engineer, and @ElectrovoltSec team .
Read the full blog here: https://t.co/ZG0fCxRTw6
Securing @gumroad with Hacktron AI
Three months ago, Hacktron was still early. @HacktronAI and @rootxharsh were finding 0-days targeting specific vulnerabilities on OSS software.
Then we ran a full pentest-style scan on a big open-source project. The results were insane. 🧵
Nice to meet with such brilliant team!
Team Hacktron at @defcon! It was great to meet many of you and talk about the future of AI-powered security.
@skaesun eu tbm fiz isso kkkk
depois fiquei meio triste quando comecei o original pq a qualidade da gravação é pior mas o final é mtooooo melhor
We tested a pre-release version of o3 and found that it frequently fabricates actions it never took, and then elaborately justifies these actions when confronted.
We were surprised, so we dug deeper 🔎🧵(1/)
https://t.co/IdBboD7NsP
Last Seen Users on Sotwe
nghiện sex
Seen from Vietnam
کاکولد ایرانی 
ขี้เงี่ยนชอบเย็ดสาวใหญ่แม่หม้าย
CUM ON MY FACE💦
Seen from Germany
Mdavazo
Seen from South Africa
فحل سوداني
Seen from Saudi Arabia
mliwrrn
Seen from Indonesia
Cushkingdom☁️🌥⛅️🌤☀️
Seen from Saudi Arabia
Seductive innocent sis💗
Seen from United States
ONO☺️
Seen from Thailand
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers