Starship breaking up ! Wild. https://t.co/z0XrdEzKsv
Save X Posts
Recent Posts
🔐 Secrets no one will share with you. Here's a technique that might grant you access to take over other users' accounts using "Login with Facebook":

Are you working on a target site that supports "Login with Facebook"? Disable email sharing during Facebook login and be ready for unusual design flows that could enable you to take over other users' accounts.

Here's how to disable email sharing when using "Login with Facebook":
1️⃣ Log in with Facebook on any app.
2️⃣ Click "Edit Access."
3️⃣ Uncheck the email address checkbox.
4️⃣ Click Continue.

Here are some scenarios of account takeovers I've reported, based on different target app behaviors:

Account Takeover via Linking Facebook Flow:
1️⃣ Went to http://example[.]com and used "Login with Facebook" (unchecked "share email" on Facebook).
2️⃣ The target site asked me to enter an email to link my FB account, as no email was shared from FB. Entered victim@example.com; a confirmation link was sent to the victim's email to bind the account.
3️⃣ Repeated the same steps on the target site using the same FB account, this time choosing to link attacker@example.com on the target site, and received the same link as in step (2) at the attacker-controlled email!
4️⃣ Knowing this, repeated the same steps again to link victim@example.com, and used the earlier link that was received at attacker@example.com to take over the victim@example.com account.

Direct Account Takeover via Login with Facebook:
1️⃣ Went to http://example[.]com and used "Login with Facebook" (unchecked "share email" on Facebook).
2️⃣ The target site prompted me to enter an email to link the FB account to an existing account, since no email was shared from FB. Entered victim@example.com. It directly logged me into victim@example.com without any further verification, leading to a complete account takeover.

Pre-Account Takeovers:
Do you have a target app that heavily relies on a user's email domain to grant access to organizations or critical features based on whitelisted domains? Using this technique can help you bypass email verification requirements, allowing you to claim any email. Consequently, you may be able to access critical features of other organizations permitted for emails with the same domain.

Lesson: Always test unusual login flows by logging in with a third-party provider without sharing your email with the target site. These designs can be flawed and lead to nice bounties! 💰 #BugBounty #CyberSecurity #HackerOne #bugcrowd #securitytips #bugbountytips
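The two flawed flows from the post above, simulated in Python beside a hardened version, as an added example that is not part of the original post and not code from any real target site. The in-memory store, the host target.example, the Facebook user id, the account ids, the server secret and the "outbox" that stands in for email delivery are all constructed for illustration. The vulnerable class reproduces both findings: its confirmation token depends only on the Facebook user id, and the address it links is whatever the most recent request asked for, so a link that landed in the attacker's inbox binds the victim's account once the attacker re-requests it; and its direct login trusts a typed email when the provider shared none. The hardened class issues a random, single-use, short-lived token bound to the exact (Facebook user, email) pair, invalidates earlier tokens for that user, and never logs anyone in on a typed address.

```python
"""Simulation of the "Login with Facebook" linking flaws and a hardened flow.
Everything here (store, host, ids, secret) is constructed for illustration."""
import hashlib
import hmac
import secrets
import time

VICTIM, ATTACKER = "victim@example.com", "attacker@example.com"
FB_UID = "fb_user_1001"  # constructed Facebook user id; no email was shared


class VulnerableLinking:
    """Token derives only from the FB user id; the email to link is read from
    server-side state that the latest request overwrote."""

    def __init__(self):
        self.secret = b"constructed-server-secret"
        self.accounts = {VICTIM: "acct_victim", ATTACKER: "acct_attacker"}
        self.pending = {}  # fb_uid -> email entered most recently
        self.links = {}    # fb_uid -> account id
        self.outbox = []   # (recipient, link) pairs, stands in for email

    def _token(self, fb_uid):
        # Deterministic per FB user: the same link for any email requested
        return hmac.new(self.secret, fb_uid.encode(), hashlib.sha256).hexdigest()

    def request_link(self, fb_uid, email):
        self.pending[fb_uid] = email
        link = f"https://target.example/link?fb={fb_uid}&t={self._token(fb_uid)}"
        self.outbox.append((email, link))
        return link

    def confirm(self, link):
        qs = dict(p.split("=", 1) for p in link.split("?", 1)[1].split("&"))
        fb_uid, token = qs["fb"], qs["t"]
        if not hmac.compare_digest(token, self._token(fb_uid)):
            return None
        acct = self.accounts[self.pending[fb_uid]]  # whatever was asked for last
        self.links[fb_uid] = acct
        return acct  # caller is now logged in as acct

    def login_with_facebook(self, fb_uid, entered_email):
        # Direct-takeover variant: trusts the typed email when FB shared none
        return self.accounts.get(entered_email)


class HardenedLinking:
    """Random single-use token bound to (fb_uid, email) with a short TTL; the
    email to link comes from the token record, never from later state."""

    TTL = 600  # seconds

    def __init__(self):
        self.accounts = {VICTIM: "acct_victim", ATTACKER: "acct_attacker"}
        self.pending = {}  # token -> (fb_uid, email, expiry)
        self.links = {}
        self.outbox = []

    def request_link(self, fb_uid, email):
        # Drop earlier requests for this FB user so only the newest link works
        self.pending = {t: v for t, v in self.pending.items() if v[0] != fb_uid}
        token = secrets.token_urlsafe(32)
        self.pending[token] = (fb_uid, email, time.time() + self.TTL)
        link = f"https://target.example/link?t={token}"
        self.outbox.append((email, link))
        return link

    def confirm(self, link):
        token = link.split("?t=", 1)[1]
        rec = self.pending.pop(token, None)  # single use
        if rec is None or rec[2] < time.time():
            return None
        fb_uid, email, _ = rec
        acct = self.accounts[email]  # the address the link was actually mailed to
        self.links[fb_uid] = acct
        return acct

    def login_with_facebook(self, fb_uid, entered_email):
        # Without a provider-supplied email, a typed address proves nothing:
        # only an already-confirmed link may log the user in
        if fb_uid in self.links:
            return self.links[fb_uid]
        self.request_link(fb_uid, entered_email)  # start the confirmation flow
        return None


def attacker_replay(service):
    """Steps 1-4 from the post: request victim, request attacker, request
    victim again, then replay the link that landed in the attacker's inbox."""
    service.request_link(FB_UID, VICTIM)
    service.request_link(FB_UID, ATTACKER)
    attacker_link = [l for to, l in service.outbox if to == ATTACKER][-1]
    service.request_link(FB_UID, VICTIM)
    return service.confirm(attacker_link)


if __name__ == "__main__":
    print("vulnerable replay  ->", attacker_replay(VulnerableLinking()))   # acct_victim
    print("hardened replay    ->", attacker_replay(HardenedLinking()))     # None
    print("vulnerable direct  ->", VulnerableLinking().login_with_facebook(FB_UID, VICTIM))
    print("hardened direct    ->", HardenedLinking().login_with_facebook(FB_UID, VICTIM))
```

When testing a real target, the observable signals are the ones the simulation makes explicit: the same confirmation URL arriving for two different addresses from one provider account, a link still working after a newer request was made, and a "link existing account" prompt that grants a session without any round trip to the inbox.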
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: https://portswigger.net/polls/top-10-web-hacking-techniques-2024
LAKERS FINALLY WIN!!! 😭🔥 LeBron: 22 PTS | 9 AST | 5 REB | 2 STL AD: 22 PTS | 11 REB | 4 AST | 2 BLK | 2 STL Hachimura: 23 PTS (season high) Christie: 16 PTS | 2 STL | 1 BLK Vincent: 14 PTS (season high) https://t.co/VNYekAVczQ
🚨COUP ALERT!!!🚨 Top Pentagon Advisor FIRED After Revealing Plot To “Protect People From Trump!” Advisor To The Joint Chiefs Of Staff Admits To Participating In A “Huge Meeting With Military Leaders” To Undermine Trump In Undercover Video! » X STREAM https://x.com/i/broadcasts/1mrGmMyZDdQGyML https://t.co/GgZk4nixsn
Knocked her out damn 😳🤣 https://t.co/ZRuM53bcWN