Umair

@0x9747

Followers
1K
Following
2K
Media
142
Statuses
1K

Senior Security Analyst and Researcher | That guy who makes tools | Presented at BlackHat USA, Europe, Asia and MEA as well as GISEC DXB

India
Joined December 2018
@0x9747
Umair
3 years
In continuation of the research done by @silascutler, last week I scanned the entire Internet and generated JARM fingerprints from all the hosts listening on port 443. Check out:
mega.nz
6
125
358
@0x9747
Umair
27 days
Firemon helps you to concurrently scan several endpoints at once and helps discover misconfigurations like Data Exposures and Firebase takeover cases! It comes with several user-based customisations, which you can learn about through the README (.
github.com
A fast, concurrent CLI tool to scan Firebase URLs for vulnerabilities. - umair9747/Firemon
0
0
0
@0x9747
Umair
27 days
When I went through the news, I realised that there's a need for a tool which can help folks identify such misconfigurations in Firebase endpoints, something which even the Bug bounty folks could benefit from.
1
0
0
@0x9747
Umair
27 days
The recent Tea App data breach serves as a stark reminder that orgs and individuals need to prioritise the security of Firebase endpoints!
1
0
0
@0x9747
Umair
27 days
🚨 New Tool Release. Firemon - A fast, concurrent CLI tool to scan Firebase URLs for vulnerabilities! Repo :
2
0
1
@0x9747
Umair
1 month
I also believe these tools will serve as a great “integration” but not a replacement of existing security workflows. At the same time it opens several doors for existing vendors/tools to integrate with these platforms to further solidify their analysis/scanning.
0
0
0
@0x9747
Umair
1 month
Some people, especially those who do bug bounty, feel that these tools could affect their careers/discoveries, but honestly I just see this as a time to start learning more niche or complex attacks where these tools will likely fail.
1
0
0
@0x9747
Umair
1 month
Too much noise around AI-powered security tools/products in the last couple of weeks. Honestly I don't see something like @Xbow or @HacktronAI completely replacing security teams, but providing an additional layer of surface-level scanning as well as some exceptional cases.
1
0
2
@0x9747
Umair
1 month
About to submit a CFP that will redefine the way we see and implement digital surveillance and spatial monitoring in the modern day! Announcement coming soon 🤞😉.
0
0
1
@0x9747
Umair
1 month
RT @Xbow: When simple attack vectors fail, XBOW doesn't give up. ⚡️New discovery: Arbitrary file read in WordPress Ninja Tables plugin. H….
0
16
0
@0x9747
Umair
1 month
RT @0xacb: DMARC can reveal more domains associated with a target. <target-domain> allows you to find domains using….
0
208
0
@0x9747
Umair
1 month
Made my @topmateHQ profile today! HMU if you're an aspiring security guy :D.
0
0
1
@0x9747
Umair
2 months
RT @Xbow: Sometimes the most illogical approach wins. XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterin….
0
59
0
@0x9747
Umair
2 months
RT @Xbow: Even mature products hide critical flaws – and @XBOW just found another one. CVE-2025-49493: XXE in Akamai CloudTest discovered….
0
39
0
@0x9747
Umair
4 months
RT @entarabicom: CPX Holding, a leading provider of cutting-edge cyber and physical security solutions and services, today announced the ac….
0
1
0
@0x9747
Umair
4 months
RT @mossab_hussein: 🕸️ Super excited about this new chapter for spiderSilk 2.0!
0
2
0
@0x9747
Umair
5 months
RT @colossal: SOUND ON. You're hearing the first howl of a dire wolf in over 10,000 years. Meet Romulus and Remus, the world's first de-exti….
0
28K
0
@0x9747
Umair
6 months
To read more about this research, check out our Medium post:
0
0
0
@0x9747
Umair
6 months
It's quite concerning to see the amount of PII voluntarily exposed by people over such platforms, but at the same time we believe Scribd and other document hosting platforms need to pay special attention to avoid PII from being publicly accessible.
0
0
0
@0x9747
Umair
6 months
The data consists of bank statements, salary slips, driving licenses, vaccine certificates, Aadhaar/PAN cards, WhatsApp chat exports and so much more!!
2
0
0
@0x9747
Umair
6 months
Throughout this research we retrieved a whopping 13000+ PII docs just from the last one year targeting specific categories, which also means that this is just the tip of the iceberg! 😵‍💫
1
0
0