Christian Mehlmauer
@firefart
Followers: 3K · Following: 5K · Media: 236 · Statuses: 8K
I hacked the planet - opinions are my own - Mastodon: https://t.co/FTAelGh7DO
Vienna, Austria
Joined June 2009
Proud to release a new tool called STUNNER to test TURN servers (mostly used in WebRTC). It can open a local socks server and relay all traffic over vuln devices into the internal network https://t.co/xdNlS1gUl8. Also found some vulns in Cisco Expressway:
firefart.at
Some time ago I stumbled across a [HackerOne report](https://hackerone.com/reports/333419) about abusing Slack's TURN server for proxy functionality inside their internal network. I found this...
#BSidesVienna is now live on #HackerTracker ( https://t.co/EYg28kQ7yy). You can use the app to manage your own schedule for not only this event but for many more. https://t.co/veNVrC8KS7
Sponsor Spotlight: A big thanks goes out to the city of Vienna (@Stadt_Wien) for supporting #BSidesVienna. Check out their new public bug bounty over at https://t.co/F1mtau0XVY, they pay out bounties!
bugcrowd.com
Learn more about City of Vienna - Vienna Municipal Department 01’s Bug Bounty engagement powered by Bugcrowd, the leader in crowdsourced security solutions.
While you were all busy pressing F5 to get a ticket, we quietly released a surprise for you. The first #BSidesVienna schedule is released! Have a look:
Reminder, the next Ticket round will start on Sunday 26.10.2025 at 19:00 Vienna time UTC+2!
Sponsor Spotlight: Thanks to slashsec Red Teaming GmbH for sponsoring the afterparty for #BSidesVienna! They focus on Red Teaming and are always looking for talented offensive security professionals with a real hacker mindset. You can check them out at
slashsec.at
Excellent Red Teaming & Cyber Security Services in Austria
PRO TIP: REST is overengineering. Just expose one endpoint called /api that accepts SQL queries directly.
Postgres 18 has been released, with Async I/O support. Previously, all read requests were blocking, but with this update, they are no longer, delivering massive performance gains for read-heavy applications! It's enabled by default on Postgres 18!
If you want to be a better hacker, be a developer. Be an admin. Set up infra. Build coding projects. Make an app that writes to a db. Or stores cookies. Or performs auth. You will find it easier to spot the cracks and failure points in systems once you have set them up yourself.
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
dirkjanm.io
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise...
🚨 Shai-Hulud: Major npm supply chain attack. 100+ packages weaponized with stolen GitHub tokens, stealing secrets, hijacking repos, and auto-propagating like a worm. Guidance + detections inside:
wiz.io
Learn how the Shai-Hulud npm worm compromised 100+ packages with data-stealing malware. See how it spreads, the risks, and steps to detect and mitigate.
Chat, did we do it? Is iPhone spyware cooked? The way I'm reading this, iPhone 17 just became the most secure mobile device ever.
“The largest supply chain compromise in npm, Inc. history just happened, packages with a total of 2 billion weekly downloads just got turned malicious” LinkedIn Post https://t.co/dJ0tlPrSBJ More info on hacker news https://t.co/uncwjtFgxT
#BSidesVienna is free by design—but it runs on sponsor support. Your company can support us and get more than good karma: visibility on shirts, badges, website, big screen ads during breaks—plus event tickets, exhibition space, and more. https://t.co/f1OHSXJ57z
bsidesvienna.at
BSidesVienna
In security, when you do your job perfectly, nothing happens. And people don't see when nothing happens.
mitmproxy is in the Microsoft Store, just in case you need it for some reason. #LivingOffMicrosoftStore
DOOM on the ANKER Prime Charging station😅 This internal SWM34S MCU is just way too nice! 8MB RAM + 16MB Flash directly mapped to memory allow goes brrrr Also on Youtube: https://t.co/QYbpjiOwYz