Renwa

@RenwaX23

Followers
9K
Following
2K
Media
232
Statuses
2K

Joined August 2011
@RenwaX23
Renwa
14 years
im renwa
4
0
64
@RenwaX23
Renwa
3 days
I'm not sad nor disappointed maybe god has better plans for me (Surah Al-Baqarah 2:216). Let’s still continue with the security research and bug bounties and see where it leads us :)
6
1
71
@RenwaX23
Renwa
3 days
I have been hired 3 times from different companies in the past years and couldn't get onboard even after signing contracts. The 1st one we had payment transfer issues, the 2nd one was a legal thing, and now the 3rd one the company changed their mind and no longer accepts remotes.
5
0
75
@RenwaX23
Renwa
6 days
I should invest more in consoles.
@RenwaX23
Renwa
7 months
I paid $420 for the PlayStation 5, business business
40
36
1K
@RenwaX23
Renwa
6 days
It looks like the top window URL length is not applied to blob: URIs which with a very long blob+hash fragment we can fully crash most browsers. https://t.co/GjjBMJwIIr Most WebKit (Safari) browsers and Firefox, also if you load the URL in X for iOS
3
14
141
@RenwaX23
Renwa
21 days
2 new address bar spoofing vulnerabilities in Safari < iOS 26.1, CVE-2025-43493 and CVE-2025-43503. At this point no browser is safe and will bring my total spoofing bugs to about 100 across all the browsers. https://t.co/teGtWZSoOF
support.apple.com
This document describes the security content of Safari 26.1.
4
8
112
@RenwaX23
Renwa
1 month
Every top is another time’s bottom, whether it goes up or dips I’ll always be the buyer. $btc
@RenwaX23
Renwa
9 months
Me thinking I bought the dip $btc
1
0
11
@RenwaX23
Renwa
2 months
If we don’t reach AGI by 2030, we could see a market crash bigger than the dot-com bubble and the financial crisis.
0
0
10
@RenwaX23
Renwa
2 months
And this is not an easy task to add a javascript: bookmarklet on top of a controlled opened tab with even hiding the js uri, this flow shows the steps required which lead to this vulnerability
0
1
11
@RenwaX23
Renwa
2 months
[0-day UNPATCHED] Chrome iOS UXSS Using iOS Shortcuts and Bookmarklets. Not a full critical UXSS but still can be used to do damages, it's funny Chromium devs don't know how iOS internals/features work and calling it like (downloading an executable) https://t.co/0DGZRcTJlS
5
23
168
@RenwaX23
Renwa
2 months
[Medium] CVE-2025-10290: Opening links via the contextual menu in Firefox Focus for iOS would not update the toolbar UI correctly, allowing attackers to spoof address bar. https://t.co/bnYW2R4mXU
mozilla.org
0
1
29
@RenwaX23
Renwa
2 months
[High] CVE-2025-43327: Safari < 26.0, Visiting a malicious website may lead to address bar spoofing. 8 down, X remaining https://t.co/e3LvfMuGv2
support.apple.com
This document describes the security content of macOS Tahoe 26.
0
3
49
@RenwaX23
Renwa
2 months
Something I never shared: Around this time 10 years ago, at 15, I became #1 security researcher on OpenBugBounty platform with 2013 XSS reports, including top domains which didn't have bug bounty programs back then. https://t.co/kPrx9IcyhV
12
10
200
@RenwaX23
Renwa
3 months
Since Apple doesn’t care, I don’t care either. Here are the details of an address bar spoof vulnerability in Safari on Mac using custom cursor overlap - Apple said it’s *not* a vulnerability. https://t.co/7bW1P39iS1
57
301
4K
@RenwaX23
Renwa
3 months
When CTF meets Bug Bounty. At WACON CTF Finals 2023 I created an Opera challenge. Only one solver: @lj1nu. Turns out his unintended solve uncovered a real UXSS in Opera Browser that could leak URLs & takeover any account that uses OAuth flow! https://t.co/xUYr4OfZOB
medium.com
CTF challenge led to discovery of a critical Opera GX UXSS bug enabling URL leaks and OAuth account takeover. Reported, patched, rewarded
6
26
167
@RenwaX23
Renwa
3 months
New bugs :)
CVE-2025-55030 [High] Content-Disposition headers incorrectly ignored allowing XSS attacks
CVE-2025-55032 [High] Focus incorrectly ignores Content-Disposition headers allowing XSS attacks
CVE-2025-9183 [Low] Firefox desktop address bar spoof with user interaction
4
14
257
@RenwaX23
Renwa
4 months
10 years on HackerOne and bug bounties
4
2
191
@RenwaX23
Renwa
4 months
New Blog Post: Disclosing "PermissionJacking," a Safari bug that lets websites trick you into giving camera, mic, gps... access. After a lengthy back-and-forth, Apple's decision is that this is not a security issue, I disagree. Includes new attack vector https://t.co/C5OYB2CCPf
3
17
120
@RenwaX23
Renwa
4 months
Here is video POCs iOS steal iCloud data: https://t.co/j1Tqph2gf8 iOS Camera access: https://t.co/STzaftQnwi Mac steal iCloud data: https://t.co/rKH3VmUZrt Mac Camera access:
5
15
433
@RenwaX23
Renwa
4 months
This blow up let me add some info to it, reported this back in November and Apple also said it was a critical thing and sent me a sensitive message to not disclose it we will patch in Spring.
11
11
866