
BrunoZero
@BrunoModificato
Followers: 2K | Following: 2K | Media: 61 | Statuses: 427
CTFer for: @Water_Paddler / Security auditor @osec_io my writeups: https://t.co/XurIhbWdj7 24y
Joined December 2016
NEW: OAuth misconfigurations show how common dev settings can lead to account takeovers. Our second deep dive breaks down real cases where overlooking differences between desktop and mobile environments left SDKs, exchanges, and wallets open to exploits. https://t.co/QWABEOXcSU
osec.io
OAuth misconfigurations show how common dev settings can lead to account takeovers. Explore real cases where failing to account for differences between desktop and mobile environments left SDKs,...
NEW: The recent supply-chain attack on NPM exposed a fundamental vulnerability in the open-source ecosystem and the risks that lurk within our dependencies. We break down how the malware worked and practical defenses every dev should know: https://t.co/ZeqAkFR2jo
osec.io
The recent supply-chain attack on NPM showed how easily trusted dependencies can become delivery vectors for malware. Learn how the attack worked and practical defenses developers can implement to...
As a MetaMask user, you do not need to be scared of the supply chain attack that took place earlier today. MetaMask has multiple layers of defense to protect our products and users: - Basic Security: We lock our versions, don't push directly to main, have manual and automated
NEW: Proof of Reserves you can verify yourself. We teamed up with @Backpack to build PoRv2, a zero-knowledge system for fast, transparent solvency checks. More on how we designed it: https://t.co/dfyVlrceRW
osec.io
Here, we explore zk-proofs, Merkle trees, and our new open-source implementation, PoRv2. Our proof-of-reserve enables users to verify exchange liabilities without relying on external auditors,...
Happy to talk there :)
We're excited to announce that Bruno Halltari (@BrunoModificato) will be speaking at the Bug Bounty Village at DEF CON 33! Stay tuned for more details on their talk, you won't want to miss it. #BugBounty #DEFCON #BBV #BugBountyVillage
I hope the AI hype ends soon :'(. The quality of infosec reports and write-ups has been declining so much because of AI slop.
Just completed this yesterday, it was fun with some cool tricks! It's been a while since I did a challenge, but I loved it. Thanks @joaxcar for the challenge
⏰ It's CHALLENGE O'CLOCK! Find the FLAG before Friday the 16th of May. Win €400 in SWAG prizes. We'll release a tip for every 50 likes on this tweet. Thanks @joaxcar for the challenge https://t.co/BSNkoC9oN3
New research 🫡
NEW: A few months ago, we uncovered an authentication bypass in Web3Auth that could have led to full account takeover. In this deep dive, we break down how we found the issue and expose other authentication misconfigurations lurking in Web3. https://t.co/stjqbwuYsb
We just finished an audit for the Lavamoat webpack plugin and found an interesting behaviour related to how the URL construct() was handled. Here are the details:
If you like our research "Supply Chain Attacks: A New Era", please vote for it :D. There is another article I was involved in, "Zoom Session Takeover - Cookie Tossing Payloads"; if you like that too, please feel free to vote for it XD
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here:
I have so much fear every time I have to explain to a triager DoS via cache poisoning in some non-conventional way... pray for me
our new look is here 🎨 we're ushering in the next chapter of HackMD with an updated logo, bold colors, and a new site. read more in our announcement below or check it out for yourself at https://t.co/07CTDhCcVt
https://t.co/pF0EHigZJc
hackmd.io
Check out HackMD's revamped look! After months of hard work and creativity, we are proud to unveil a fresh, modern look that reflects our growth and vision for the future.
Las Vegas is a city where everyone begs for tips, even for doing something that requires 0 effort. Not sure if it's an American thing or just Las Vegas.
@josephfcox Defcon attendees are not the "ideal Las Vegas clients" who spend a lot at games and walk drunk like zombies all day, getting scammed all over their way. This was my 3rd Defcon, and I got to the conclusion: Vegas is too hot, too expensive, fake, generally hostile to the average hacker.
New job research: 1) Check how Lavamoat can protect someone from supply chain attacks 2) A bypass on lavapack. And some other fun stuff :)
NEW: Supply chain attacks are increasing in popularity in Web3. Lavamoat has emerged as a robust defense mechanism - but it's not perfect. This blog spills the beans on some sneaky bypasses, and shows how tricky it is to lock down JavaScript ecosystems. https://t.co/6THEVbd285
New blog! This time a high severity session takeover in Zoom worth $15,000. Read the story of how @sudhanshur705, @BrunoModificato and I chained 2 completely useless XSS vulns to steal OAuth tokens, hijack browser permissions, and more: https://t.co/qVUgk5shqh
nokline.github.io
Here you can read all about my research and techniques I've gathered over time!
I think it's time for a solution ⏰ TL;DR - Eventlet normalizes - to _ in header keys. - The Fetch spec blocks Transfer-Encoding but not Transfer_Encoding. - Bypass tracking policy on Firefox using open(). Detailed writeup: https://t.co/2psVA68zlw 1/2
Small Challenge Time. Rules: - You should display an alert containing the flag cookie :) If you find the solution, please do not send it in the comments; send me a DM instead. Challenge link and sources: - https://t.co/BZpI8F2oOg - https://t.co/cy7ecQXJVK