phakeobj @phakeobj
Security Researcher; Vulnerability Research and Exploit Development Mastodon: https://t.co/jUCg3DVAV2 0x7f000001 Joined November 2010
Tweets: 385 | Followers: 447 | Following: 293 | Likes: 3K
@eternalsakura13 @offensive_con Mad respect, old friend!
DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices by @DarkNavyOrg media.ccc.de/v/39c3-dngerou…
@p0sixninja Google dropped this just a few days after your tweet cloud.google.com/blog/topics/th… 🥸
@idofrizler Cool, a bit like taking Debian's philosophy on backports for security fixes and generalizing it.
@kn_owled_ge @_arkon let us not forget System Integrity Protection!
This is, hands down, one of the weirdest attributions I've ever seen: "[N/A][415810136] High CVE-2025-4664: Insufficient policy enforcement in Loader. Source: X post from @slonser_ on 2025-05-05" 👇
Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->
Full Chain Baseband Exploits. Details of the baseband and baseband-to-AP pivot vulnerabilities, exploitable for RCE, chained together at the same time ▶️ Part 1: labs.taszk.io/articles/post/… ▶️ Part 2: labs.taszk.io/articles/post/… ▶️ Part 3: labs.taszk.io/articles/post/… @TaszkSecLabs @kutyacica
This tweet reminded me of a time when I was hacking on Apple's bug bounty program. I found, of all things, a base64 encoded Harry Potter quote on an internal iCloud account debug and administration page. This is the first time I'm sharing this, as more than 90 days have passed since the vulnerability was fixed. When Apple introduced iCloud+, they added a feature where you could add custom email domains to your account as secondary emails. As with all web hacking attempts, I tried sneaking in a blind XSS payload in my custom email that would pass the (sometimes hard to get right) email RegEx. After a while, I found a trick! I was able to add a secondary email with a smuggled blind XSS payload to my Apple account with the following payload: sam+'>




