shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

#vulnerability

4 posts, 3 participants, 2 posts today
BobDaHacker 🏳️‍⚧️ | NB<p>🎢 Hacked South Park's Casa Bonita. Could access their entire POS system and see all customer payments/tips and more 😬</p><p>Technical details:</p><ul><li>Founders Club admin panel: No auth required, all member emails exposed</li><li>POS registration: Form disabled client-side only, API endpoint still functional</li><li>Reservation enumeration: Sequential IDs exposed full customer data</li><li>Full control over customer tabs, payments, and inventory</li><li>Supabase misconfiguration: Public signups triggered automated membership cards</li></ul><p>No security.txt anywhere. Had to email parkcounty.com addresses then get help from my friend whose company partners with South Park.</p><p>Fixed fast but never thanked me. Got a Founders Club card 6 months later though, because the system automatically sends them 😂</p><p>Full Technical Writeup: <a href="https://bobdahacker.com/blog/i-hacked-southpark" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bobdahacker.com/blog/i-hacked-</span><span class="invisible">southpark</span></a></p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/bugbounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugbounty</span></a> <a href="https://infosec.exchange/tags/responsibleDisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>responsibleDisclosure</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/southpark" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>southpark</span></a> <a href="https://infosec.exchange/tags/CasaBonita" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CasaBonita</span></a></p>
BobDaHacker 🏳️‍⚧️ | NB<p>🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦</p><p>Technical details:</p><ul><li>Design Hub: Used to be a client-side password; registration endpoint exists and works even though they don't want signups</li><li>TRT portal: Crew accounts could enumerate/impersonate all employees from general manager to CEO</li><li>GRS panel: Complete authentication bypass, arbitrary HTML injection</li><li>Magicbell API keys/secrets exposed in client-side JS</li><li>Algolia indexes listable with user PII</li><li>CosMc's: Server-side validation missing for coupon redemption</li></ul><p>They fixed it but fired my friend who helped find the OAuth vulnerabilities.</p><p>Full Technical Writeup: <a href="https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bobdahacker.com/blog/mcdonalds</span><span class="invisible">-security-vulnerabilities</span></a></p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/bugbountry" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bugbountry</span></a> <a href="https://infosec.exchange/tags/responsibledisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>responsibledisclosure</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>
Alexandre Dulaunoy<p>Beyond CVEs: Mastering the Landscape with Vulnerability-Lookup is finally online.</p><p>The talk was given at <span class="h-card" translate="no"><a href="https://infosec.exchange/@firstdotorg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>firstdotorg</span></a></span> conference.</p><p><a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>opensource</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> </p><p>📹 Video <a href="https://youtu.be/PS6NuisVxBU?si=KbPbnHWgKM0wxmMR" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">youtu.be/PS6NuisVxBU?si=KbPbnH</span><span class="invisible">WgKM0wxmMR</span></a></p><p>🔗 Online instance <a href="https://vulnerability.circl.lu/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">vulnerability.circl.lu/</span><span class="invisible"></span></a></p><p>🔗 Open source project <a href="https://www.vulnerability-lookup.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">vulnerability-lookup.org/</span><span class="invisible"></span></a></p>
Patrick Wu :neocat_flag_bi:<p><b>One Open-source Project Daily</b><span><br><br>A vulnerability scanner for containers<br><br></span><a href="https://github.com/anchore/grype" rel="nofollow noopener" target="_blank">https://github.com/anchore/grype</a><span><br><br></span><a href="https://hatoya.cafe/tags/1ospd" rel="nofollow noopener" target="_blank">#1ospd</a> <a href="https://hatoya.cafe/tags/opensource" rel="nofollow noopener" target="_blank">#opensource</a> <a href="https://hatoya.cafe/tags/docker" rel="nofollow noopener" target="_blank">#docker</a> <a href="https://hatoya.cafe/tags/golang" rel="nofollow noopener" target="_blank">#golang</a> <a href="https://hatoya.cafe/tags/security" rel="nofollow noopener" target="_blank">#security</a> <a href="https://hatoya.cafe/tags/tool" rel="nofollow noopener" target="_blank">#tool</a> <a href="https://hatoya.cafe/tags/containers" rel="nofollow noopener" target="_blank">#containers</a> <a href="https://hatoya.cafe/tags/oci" rel="nofollow noopener" target="_blank">#oci</a> <a href="https://hatoya.cafe/tags/vulnerability" rel="nofollow noopener" target="_blank">#vulnerability</a> <a href="https://hatoya.cafe/tags/vex" rel="nofollow noopener" target="_blank">#vex</a> <a href="https://hatoya.cafe/tags/vulnerabilities" rel="nofollow noopener" target="_blank">#vulnerabilities</a> <a href="https://hatoya.cafe/tags/containerimage" rel="nofollow noopener" target="_blank">#containerimage</a> <a href="https://hatoya.cafe/tags/cyclonedx" rel="nofollow noopener" target="_blank">#cyclonedx</a> <a href="https://hatoya.cafe/tags/openvex" rel="nofollow noopener" target="_blank">#openvex</a></p>
Alexandre Dulaunoy<p>A vulnerability was identified in NASM Netwide Assembler 2.17rc0. This issue affects the function assemble_file of the file nasm.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.</p><p>CVE-2025-8845 (GCVE-0-2025-8845)</p><p><a href="https://infosec.exchange/tags/nasm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nasm</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> </p><p>🔗 <a href="https://vulnerability.circl.lu/vuln/CVE-2025-8845" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">vulnerability.circl.lu/vuln/CV</span><span class="invisible">E-2025-8845</span></a></p>
Dissent Doe :cupofcoffee:<p>If you haven't updated 7-zip recently, update now.</p><p>The flaw, tracked as CVE-2025-55188, affects all versions of 7-Zip prior to the recently released version 25.01 and stems from improper handling of symbolic links during archive extraction.</p><p><a href="https://gbhackers.com/7-zip-vulnerability-3/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gbhackers.com/7-zip-vulnerabil</span><span class="invisible">ity-3/</span></a></p><p><a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/update" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>update</span></a> <a href="https://infosec.exchange/tags/7zip" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>7zip</span></a></p>
Alexandre Dulaunoy<p>Finally a useful magic quadrant</p><p>Thanks to <span class="h-card" translate="no"><a href="https://infosec.exchange/@wendynather" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>wendynather</span></a></span> for the discovery.</p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>
circl<p>7-Zip before 25.01 does not always properly handle symbolic links during extraction.</p><p>🔗 <a href="https://vulnerability.circl.lu/vuln/CVE-2025-55188" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">vulnerability.circl.lu/vuln/CV</span><span class="invisible">E-2025-55188</span></a></p><p>CVE-2025-55188 - GCVE-0-2025-55188</p><p>Patch <a href="https://github.com/ip7z/7zip/commit/5e96a8279489832924056b1fa82f29d5837c9469" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/ip7z/7zip/commit/5e</span><span class="invisible">96a8279489832924056b1fa82f29d5837c9469</span></a> (and yes the patch references two older CVEs from the previous patching) </p><p><a href="https://social.circl.lu/tags/7zip" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>7zip</span></a> <a href="https://social.circl.lu/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://social.circl.lu/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://social.circl.lu/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>
Stan Stewart (muz4now)<p>Tracking The Toughest of All – Singing Vulnerability <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23inspiration" target="_blank">#inspiration</a> <a class="hashtag" rel="nofollow noopener" href="https://bsky.app/search?q=%23vulnerability" target="_blank">#vulnerability</a><br><br><a href="https://muz4now.com/2025/tracking-the-toughest-of-all-singing-vulnerability" rel="nofollow noopener" target="_blank">Tracking The Toughest of All -...</a></p>
Stan Stewart aka muz4now<p>Tracking The Toughest of All – Singing Vulnerability <a href="https://mastodon.world/tags/inspiration" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>inspiration</span></a> <a href="https://mastodon.world/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://muz4now.com/2025/tracking-the-toughest-of-all-singing-vulnerability" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">muz4now.com/2025/tracking-the-</span><span class="invisible">toughest-of-all-singing-vulnerability</span></a></p>
Bill<p>PortSwigger put out the HTTP request smuggling research they talked about yesterday at Black Hat.</p><p><a href="https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/new-http-requ</span><span class="invisible">est-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/</span></a></p><p><a href="https://infosec.exchange/tags/summercamp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>summercamp</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>
BotKit by Fedify :botkit:<p>🔒 <strong>Security Update for BotKit Users</strong></p><p>We've released <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/security" target="_blank">#<span>security</span></a> patch versions <a href="https://github.com/fedify-dev/botkit/releases/tag/0.1.2" rel="nofollow noopener" target="_blank">BotKit 0.1.2</a> and <a href="https://github.com/fedify-dev/botkit/releases/tag/0.2.2" rel="nofollow noopener" target="_blank">0.2.2</a> to address <a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4" rel="nofollow noopener" target="_blank">CVE-2025-54888</a>, a security <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/vulnerability" target="_blank">#<span>vulnerability</span></a> discovered in <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a>. These updates incorporate the latest patched version of Fedify to ensure your bots remain secure.</p><p>We strongly recommend all <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/BotKit" target="_blank">#<span>BotKit</span></a> users update to the latest patch version immediately. Thank you for keeping the <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fediverse" target="_blank">#<span>fediverse</span></a> safe! 🛡️</p><p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fedidev" target="_blank">#<span>fedidev</span></a></p>
Hollo :hollo:<p>We've released <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/security" target="_blank">#<span>security</span></a> updates for <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Hollo" target="_blank">#<span>Hollo</span></a> (<a href="https://github.com/fedify-dev/hollo/releases/tag/0.4.12" rel="nofollow noopener" target="_blank">0.4.12</a>, <a href="https://github.com/fedify-dev/hollo/releases/tag/0.5.7" rel="nofollow noopener" target="_blank">0.5.7</a>, and <a href="https://github.com/fedify-dev/hollo/releases/tag/0.6.6" rel="nofollow noopener" target="_blank">0.6.6</a>) to address a <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/vulnerability" target="_blank">#<span>vulnerability</span></a> in the underlying <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a> framework. These updates incorporate the latest Fedify security patches that fix <a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4" rel="nofollow noopener" target="_blank">CVE-2025-54888</a>.</p><p>We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.</p><p><strong>Update Instructions:</strong></p><ul> <li><strong>Railway users</strong>: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”</li><li><strong>Docker users</strong>: Pull the latest image with <code>docker pull ghcr.io/fedify-dev/hollo:latest</code> and restart your containers</li><li><strong>Manual installations</strong>: Run <code>git pull</code> to get the latest code, then <code>pnpm install</code> and restart your service</li> </ul>
Fedify: an ActivityPub server framework<p>All <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/Fedify" target="_blank">#<span>Fedify</span></a> users must immediately update to the latest patched versions. A <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/critical" target="_blank">#<span>critical</span></a> authentication bypass <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/vulnerability" target="_blank">#<span>vulnerability</span></a> (<a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-6jcc-xgcr-q3h4" rel="nofollow noopener" target="_blank">CVE-2025-54888</a>) has been discovered in Fedify that allows attackers to impersonate any <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/ActivityPub" target="_blank">#<span>ActivityPub</span></a> actor by sending forged activities signed with their own keys.</p><p>This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. 
The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.</p><p>The following versions contain the <a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/security" target="_blank">#<span>security</span></a> fix: <a href="https://github.com/fedify-dev/fedify/releases/tag/1.3.20" rel="nofollow noopener" target="_blank">1.3.20</a>, <a href="https://github.com/fedify-dev/fedify/releases/tag/1.4.13" rel="nofollow noopener" target="_blank">1.4.13</a>, <a href="https://github.com/fedify-dev/fedify/releases/tag/1.5.5" rel="nofollow noopener" target="_blank">1.5.5</a>, <a href="https://github.com/fedify-dev/fedify/releases/tag/1.6.8" rel="nofollow noopener" target="_blank">1.6.8</a>, <a href="https://github.com/fedify-dev/fedify/releases/tag/1.7.9" rel="nofollow noopener" target="_blank">1.7.9</a>, and <a href="https://github.com/fedify-dev/fedify/releases/tag/1.8.5" rel="nofollow noopener" target="_blank">1.8.5</a>. Users should update immediately using their package manager with commands such as <code>npm update @fedify/fedify</code>, <code>yarn upgrade @fedify/fedify</code>, <code>pnpm update @fedify/fedify</code>, <code>bun update @fedify/fedify</code>, or <code>deno update @fedify/fedify</code>.</p><p>After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.</p><p>The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.</p><p><a class="mention hashtag" rel="nofollow noopener" href="https://hollo.social/tags/fedidev" target="_blank">#<span>fedidev</span></a></p>
BeyondMachines :verified:<p>Team82 Researchers report multiple flaws in Axis Communications CCTV Systems</p><p>Security researchers disclosed four vulnerabilities in Axis Communications surveillance equipment affecting the proprietary Axis.Remoting protocol, with the most critical flaw allowing authenticated remote code execution that could lead to complete system compromise. Over 6,500 servers exposing these systems were discovered on the internet, potentially affecting hundreds of thousands of cameras.</p><p>**If you're using Axis surveillance equipment (Camera Station Pro, Camera Station, or Device Manager), review your systems and the advisories. Make sure the surveillance systems are isolated from the internet, and then plan an upgrade to the latest patched versions (Pro 6.9, Station 5.58, Device Manager 5.32).**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/team82-researchers-report-multiple-flaws-in-axis-communications-cctv-systems-o-i-a-p-2/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/team82-researchers-report-multiple-flaws-in-axis-communications-cctv-systems-o-i-a-p-2/gD2P6Ple2L</span></a></p>
circl<p>Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement.</p><p><a href="https://social.circl.lu/tags/exchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exchange</span></a> <a href="https://social.circl.lu/tags/microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>microsoft</span></a> <a href="https://social.circl.lu/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://social.circl.lu/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> </p><p><a href="https://vulnerability.circl.lu/vuln/cve-2025-53786#sightings" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">vulnerability.circl.lu/vuln/cv</span><span class="invisible">e-2025-53786#sightings</span></a></p>
Marcus "MajorLinux" Summers<p>"NOPE!"</p><p>NVIDIA say no to adding backdoors and killswitches in their GPUs </p><p><a href="https://www.gamingonlinux.com/2025/08/nvidia-say-no-to-adding-backdoors-and-killswitches-in-their-gpus/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">gamingonlinux.com/2025/08/nvid</span><span class="invisible">ia-say-no-to-adding-backdoors-and-killswitches-in-their-gpus/</span></a></p><p><a href="https://toot.majorshouse.com/tags/Nvidia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nvidia</span></a> <a href="https://toot.majorshouse.com/tags/Backdoors" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Backdoors</span></a> <a href="https://toot.majorshouse.com/tags/Killswitches" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Killswitches</span></a> <a href="https://toot.majorshouse.com/tags/GPU" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GPU</span></a> <a href="https://toot.majorshouse.com/tags/Hardware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hardware</span></a> <a href="https://toot.majorshouse.com/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://toot.majorshouse.com/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://toot.majorshouse.com/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tech</span></a></p>
BobDaHacker 🏳️‍⚧️ | NB<p>Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦</p><p>What I found:<br>- Email disclosure via XMPP (username→email)<br>- Auth bypass (email→account takeover, no password)</p><p>History of ignoring researchers:<br>- 2017: First recorded case of someone reporting XMPP email leak.<br>- 2022: Someone else reports XMPP email leak, ignored<br>- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350<br>- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)<br>- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)<br>- Told me fix for email vuln needs 14 months because "legacy support" &gt; user security (had 1-month fix ready)<br>- July 28: I go public<br>- July 30: Both fixed in 48 hours</p><p>Same bugs, different treatment. 
They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.</p><p>News covered it but my blog has the full technical details:<br><a href="https://bobdahacker.com/blog/lovense-still-leaking-user-emails/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bobdahacker.com/blog/lovense-s</span><span class="invisible">till-leaking-user-emails/</span></a></p><p><a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugBounty</span></a> <a href="https://infosec.exchange/tags/ResponsibleDisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ResponsibleDisclosure</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/IoT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IoT</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
gcve.eu<p>In the scope of GCVE and <span class="h-card" translate="no"><a href="https://social.circl.lu/@circl" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>circl</span></a></span> we couldn't find a practical, publicly available, and accessible document that outlines best practices for vulnerability handling and disclosure.</p><p>So we created a new one, released under an open-source license, to which everyone can freely contribute.</p><p>PDF: <a href="https://gcve.eu/files/bcp/gcve-bcp-02.pdf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gcve.eu/files/bcp/gcve-bcp-02.</span><span class="invisible">pdf</span></a><br>HTML: <a href="https://gcve.eu/bcp/gcve-bcp-02/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">gcve.eu/bcp/gcve-bcp-02/</span><span class="invisible"></span></a><br>Contributing: <a href="https://github.com/gcve-eu/gcve.eu/blob/main/content/bcp/gcve-bcp-02.md" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/gcve-eu/gcve.eu/blo</span><span class="invisible">b/main/content/bcp/gcve-bcp-02.md</span></a></p><p><a href="https://social.circl.lu/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://social.circl.lu/tags/gcve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gcve</span></a> <a href="https://social.circl.lu/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://social.circl.lu/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://social.circl.lu/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>vulnerability</span></a> <a href="https://social.circl.lu/tags/cvd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cvd</span></a></p>
BeyondMachines :verified:<p>Apple releases security updates patching 95 vulnerabilities across all products</p><p>Apple released security updates addressing 95 vulnerabilities across all major operating systems (iOS, iPadOS, macOS, watchOS, tvOS, and visionOS), including critical remote code execution flaws, privilege escalation issues, sandbox escapes, and memory corruption vulnerabilities that could allow attackers to gain root privileges or cause system termination.</p><p>**If you have any Apple devices (iPhone, iPad, Mac, Apple Watch, Apple TV, or Vision Pro), time to update them. There's a huge pack of patches and critical flaws that will be exploited. Don't delay.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/apple-relesases-security-updates-patching-95-vulnerabilities-across-all-products-p-2-9-s-9/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/apple-relesases-security-updates-patching-95-vulnerabilities-across-all-products-p-2-9-s-9/gD2P6Ple2L</span></a></p>