Josip Franjković (@josipfranjkovic)'s Twitter Profile

I am an average Joe who enjoys breaking websites. My security blog: josipfranjkovic.com

ID: 1046660040

30-12-2012 03:13:37

136 Tweets

5,5K Followers

949 Following

Trickest (@trick3st)

We are proud to publish the process we're currently using to find Log4j-related vulnerabilities! Many of the building blocks we're using here were created by remarkable people from the community. Thanks, everyone! github.com/trickest/log4j

Trickest (@trick3st)

github.com/trickest/inven… Asset Inventory of public bug bounty programs 🏃‍♂️ help bug bounty hunters get up and running as quickly as possible. 👀 give security teams better visibility into their assets. ⛈️ reduce the load and noise that some programs face from automated tools.

Dzmitry Lukyanenko (@vulnano)

React debug.keystore key was trusted by Meta (Facebook), which caused Instagram account takeover by malicious apps. More information -> vulnano.com/2022/07/react-…

Youssef Sammouda (sam0) (@samm0uda)

ATO of FB/OC accounts after stealing access_tokens ($44,250) ysamm.com/?p=777 DOM-XSS in Instant Games due to improper verifications ($62,500?) ysamm.com/?p=779 ATO in Canvas Games due to weak cross window message Origin validations ($62,500) ysamm.com/?p=783

Robin✌ (@_robinjustin_)

I found a vulnerability on an Indian Government website which allowed me to access Official Government docs of Indians with just their name. These vulnerabilities were fixed on the 25th of Jan, 2023. This has got to be my most impactful find yet! blog.robinjust.in/gov-in/2023/02…

James Kettle (@albinowax)

I'm thrilled to announce "Smashing the State Machine: the True Potential of Web Race Conditions" will premiere at Black Hat #BHUSA this August! Looking forward to sharing some exploits that blew my mind! blackhat.com/us-23/briefing…

Justin Gardner (@rhynorater)

Becoming a pro in finding client-side bugs is simple. Not easy, but simple. 1. Go through a JS tutorial and understand the basics. 2. Read everything on this blog 8x until you understand it: ysamm.com 3. Read JS for Hackers by Gareth Heyes 4x. Then go hack stuff

PortSwigger Research (@portswiggerres)

We've just published 'Smashing the state machine: the true potential of web race conditions' by James Kettle! Dive in to arm yourself with novel techniques & tooling, and help reshape this attack class: portswigger.net/research/smash…

Trickest (@trick3st)

🚀 Big News! Trickest launches Community Edition 🌐 with Self-Hosted Execution, welcomes cybersecurity guru Ben Sadeghipour to the team, and introduces 24/7 open access! Explore state-of-the-art security orchestration. Made for bug bounty hunters, educators & researchers. More info: