People are now tricking Meta’s AI support assistant to gain access to other people’s Instagram accounts.
This is exactly why AI should never have the authority to make account recovery decisions.
$2000 for a web cache deception bug. As always I share my methodology 👇
Identifying a deception bug is always easy but exploiting it can be hard due to SameSite restrictions on the victim's cookie.
I bypassed this to steal the victim's JWT. Read about it here:
🔗 https://t.co/CAxfKAC0eP
Found a 1-click account takeover via postMessage. No phishing, no fake login page, just one click and a full-access token.
Wrote up the full breakdown and also gave the whole site a little revamp while I was at it.
https://t.co/piH3rZg9LN
Important free resource that teaches you how to rotate secrets on lots of different platforms.
Seems we're in the everyone leaking secrets phase of supply chain attacks lately. Keep this handy.
Thanks @trufflesec!
https://t.co/79Pkn4BCsO
🚀 RECOX is open source now.
Built it because every recon tutorial says "install 5 CLI tools", but most of my bug bounty students start on Chromebooks or phones. RECOX gives them the same recon primitives in a browser. Zero install, zero signup.
Code → https://t.co/2TgCYeuAaz
Live → https://t.co/N9xpqrlcZe
Star it if it helps ⭐
Every JWT writeup online covers 2–3 attacks and stops.
I got tired of jumping between 40 blog posts, so I wrote the whole thing. All in one place.
https://t.co/iCSzQ4GjcS
#infosec #appsec #bugbounty #websec #jwt
This 2 hour Stanford lecture will teach you more about how LLMs like ChatGPT & Claude are built than most people working at top AI companies learn in their entire careers.
Bookmark this & give 2 hours today, no matter what. It'll be the most productive thing you do this week.
Been a minute.
I went dark for about 6 weeks on purpose, chasing a time-sensitive opportunity building an autonomous bug-bounty system, and so far, it has paid off: Top 60 on HackerOne over the last 90 days, top 5 in the US.
I've learned a ton in these last few weeks about scaling AI systems. Not sharing everything yet, but maybe soon.
A new Disclosed issue drops tomorrow to catch up on everything I missed. https://t.co/YL3YL96SAA
You can now find almost every OSINT tool in one place.
Someone compiled a massive repository of tools for penetration testing and information gathering. It’s basically a god mode for information gathering: tracking, digging, analyzing... it is all here.
100% free to use.
Ok so.. they left their CDN exposed.
If you ping the domain, you get this ip:
151.101.129.49
It turns out this is a https://t.co/wqDjtIZMEy IP. I had never heard of Fastly, but it looked to be something similar to Vercel, so I figured maybe they had custom deployment links like Vercel does.
Tried a few different combos and BINGO:
https://t.co/VUGl0CQFJm
This took me to this:
https://t.co/EaQKYxNtOy
That’s their CDN bucket on AWS. They currently have it set up so that any invalid endpoints redirect back to index.html.
I went on a hunch and figured that they’d probably already have their production app stored somewhere in the CDN ready for deployment
I used SecLists (https://t.co/gafGrACoMC) and ffuf to try out over 20k different combinations on this URL.
After some sleuthing, BINGO!! I found these two files:
> live.html
> .DS_STORE
The important one here that immediately caught my eye was “live.html”. That sounded like a prod deployment.
And sure enough, it was!
This is what the https://t.co/eY5zWkX10Z site will look like on the day the faucet goes live:
https://t.co/vXn9H24Gvj
https://t.co/M7ExI8pQym
It turns out the entire faucet will be revealed to just be a promotion scheme to get you to buy a bitkey and use cash app.
There is no faucet - at least in the sense most were expecting.