Welcome to 2026!

While we are all waiting for the scheduled SSLVPN ITW exploitation programming that occurs every January, we’re back from Christmas and idle hands, idle minds, yada yada.

In December, we were alerted to a vulnerability in SmarterTools’…

Arista NG Firewalls: researchers confirm real-world RCE risk and incomplete patches. Learn impact, affected setups, and mitigation steps.

Found SSRF and WebSocket Hijacking vulnerabilities in Mailpit. Here's how responsible disclosure should work with zero ego and fast fixes.

Droid LLM Hunter is a tool to scan for vulnerabilities in Android applications using Large Language Models (LLMs). - GitHub - roomkangali/droid-llm-hunter: Droid LLM Hunter is a tool to scan for ...

Practical setup guides and helpers to connect Burp Suite MCP Server to multiple AI backends (Codex, Gemini, Ollama, ...). - six2dez/burp-mcp-agents

Wiz Research discovered CodeBreach, a critical vulnerability that risked the AWS Console supply chain. Learn how to secure your AWS CodeBuild pipelines.

Introduction

Introduction Facebook’s payments and billing flows rely heavily on third-party financial service providers. To facilitate bank-based payments, Facebook embeds external services inside privileged Facebook pages and allows cross-window communication between…

Introduction Facebook relies on long-lived device identifiers to reduce friction for returning users and to distinguish legitimate activity from suspicious logins. Over time, devices that repeatedly authenticate to the same account are treated as trusted…

Introduction Facebook and Instagram accounts are deeply integrated through Accounts Center, allowing users to link identities, share authentication methods, and manage security settings across platforms.

Introduction This write-up consolidates several XS-Leak issues discovered across Meta-owned platforms, including Facebook, Workplace, Meta for Work, and internal Meta surfaces.

Introduction Meta’s web ecosystem relies on cross-window messaging between first-party websites. In many cases, the only security control enforced is an origin check validating that messages originate from facebook.com or its subdomains.

Introduction FXAuth is Meta’s shared authentication system used across Facebook, Instagram, and Meta (Horizon / VR). It is used by Accounts Center for account linking, re-authentication, and sensitive action confirmation.

First bug bounty post! How a cropping photo can lead to AWS takeover.

Discover how a Cloudflare WAF bypass in /.well-known/acme-challenge/ exposed origins, its impact, and the fix. A must-read for security pros.

Home About Posts