🕵️ MLT 🧙‍♂️

@0dayWizard

Followers: 5K | Following: 2K | Media: 28 | Statuses: 1K

Cybersec researcher & exploit developer w/ emphasis on webapp security. Former #TeaMp0isoN + former Founder of Project Insecurity LTD + founder of Bug0xF4.

keybase.io/0dayWizard
Joined July 2021
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
I'm rarely able to access twitter these days, so if anyone needs me for any reason then I can be contacted via matrix, telegram, or Keybase. Matrix: worldwickedweb@matrix.org. Telegram: Libuuid2. Keybase:
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
Been writing a script to make post-exploitation on *nix easier for beginners, here's what I've added so far. If anyone can think of more functionality to add then please let me know. I've made a primitive UI to make it easier for beginners to use (rather than cmdline args)
[Image attached]
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
Does anyone know how I contact @ChainLands? The Project Insecurity LTD member who was from NL? Need to contact him ASAP.
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
Is there anything specific about this vuln that makes it more noteworthy than the thousands of other vulns that get reported to NASA?
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
Why is this even news? Someone reported a vuln to the VDP of probably the least secure .gov site in existence and somehow this is newsworthy? Does anyone even know what type of attack vector it was? Is there a writeup? I fail to see what makes this "breaking news".
@NewsArenaIndia
News Arena India
1 month
BREAKING NEWS 🚨 📢 14 year old Yuvraj Gupta, who lives in Kanpur, Uttar Pradesh, has done a great feat. He saved the website of American space agency NASA from hackers. NASA has included him in the 'Hall of Fame' and also given him a letter of recognition.
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
I asked this like a year ago but didn't get a response. Everything else for my chain is still working so I'll ask again. Does anyone currently have JSONP callback or open redirection in *.paypalobjects.net? I'll split the bounty with you if you've got one.
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
I swear @elonmusk has singled me out for the sole purpose of trolling me. My tweets for my blog posts disappear then as soon as I repost them, the original tweets suddenly reappear 🙃
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
[Zerodays] -- a list of 0days found by myself and/or members of Project Insecurity LTD (my old cybersecurity firm) over the years: This list will be constantly getting updated as there are hundreds more PoC's that I still need to add to the list.
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
[BLOG POST] - BBP writeup, escalating a "useless" HTMLi to PI via a chain involving charset spoofing, CSS Injection, and dangling markup injection to leak PII:
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
For some reason my tweets with my most recent blog posts have disappeared so I'll repost them I guess.
@0dayWizard
🕵️ MLT 🧙‍♂️
1 month
Hmm, weird. Can anyone see the 2 new blog posts that I tweeted out and/or the tweet I made linking to my "exploits" repo on my GitHub? They were visible for me yesterday but for some reason I can no longer see the tweets. It's like they've disappeared from my timeline.
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
pot, kettle, black.
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
Lol, to you and the other 5 accounts that sent me the exact same message. If you're going to attempt to scam someone who works in cybersecurity via a fake kraken support email I think you're going to have to try a LOT harder than that 🙃
@JacksonMar48893
Margaret Jackson
2 months
@0dayWizard Its a minor glitch. I recommend you to reach out to their phantom support team immediately for a swift resolution. I had a similar issue, and it was promptly resolved when I contacted they official support at (phantomhelpdesk.fix@gmail.com) wish you good luck.
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
Does anyone know how long transactions in kraken tend to be stuck as "pending" for? I deposited some money around 18 hours ago using "easy bank transfer" via an account I've used for deposits hundreds of times. Every other time it's been deposited instantly but this one is stuck.
[Image attached]
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
I just accidentally took over the blog of someone called Tiffany since their email address contained "MLT" in the first part. Unsure how to contact her so I left a message there: I guess I can at least score a bounty for this accidental finding, lol.
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
Lol, oops. I just inadvertently found a WordPress zeroday that allows me to compromise the blog of anyone who has the same letters in the first part of their email as mine (for example if my email is mlt@example.com and theirs is mlt@something-else.com).
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
Blog post: The "Triangle Paradox", when security risk outweighs benefits of functionality (with real-world example with HTMLi/XSS in Facebook):
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
Note: My PoC had intentionally been tweaked a little to prevent it from working -- the reasoning for that is because their "patch" was easily bypassed when I first published this, by simply using a <portal> tag instead of iframe. I'll publish the full PoC later since it's fixed.
@BRuteLogic
Brute Logic
2 months
The danger of #XSS when SOP can't help you. By @0dayWizard
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
BBP Writeup: Turning a "useless" HTMLi into a P1 (definitely one of the more fun and unique methods I've ever used to escalate a HTMLi):
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
I've started to slowly publish my old 0day exploits found either by myself or members of Project Insecurity LTD (my old cybersecurity firm). They can be found here: I've got hundreds more to post still, so this list will constantly be getting updated.
@0dayWizard
🕵️ MLT 🧙‍♂️
2 months
This has got to be the most insane ASCII art I've ever seen. At first I assumed it was ANSI art due to the level of detail but nope, it's coloured regular ASCII art.
[Image attached]