sshell
@sshell_
Followers
10K
Following
39K
Media
893
Statuses
6K
ai + security research. ccdc red team. tummy ache survivor.
Virginia, USA
Joined June 2013
RT @samwcyo: When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (@iangcarroll and I) dis….
0
88
0
RT @jackhcable: Update: @cluely filed a DMCA takedown for my tweet about their system prompt, alleging that it contained "proprietary sourc….
0
282
0
And remember, even though they announce a “winner” every year, we all know @CCDCRedTeam is the real winner 😂. Huge shouts out to @1njection @alexlevinson @egyp7 @Hultoko and everyone else who I had the privilege of playing with this year!.
0
0
3
New blog post about all the fun I had red teaming at @NationalCCDC this year!.Covers some of the fun we had this year specifically relating to the web side of things, as well as some tips and resources for competitors & those interested in participating.
3
48
172
Used this trick go find a bug in a big AI app where I could read everyone’s private conversations!. TLDR: You can do greater/less-than queries against UUIDs because in Supabase they’re stored like 128-bit integers. Thanks to @rez0__ and @Rhynorater for the shoutout on the pod!.
4
21
143
RT @infosec_au: To kick off our Christmas and July research posts, we explain how we achieved persistent XSS on every Adobe Experience Mana….
0
38
0
RT @greglesnewich: Fun crossover blog about TA829 (RomCom) & TransferLoader with my ecrime pals it’s got everything:. 🛰️ Popped routers for….
0
21
0
RT @infosec_au: We’re celebrating Christmas in July this year, starting July 1st. We’ll release a security research post on Searchlight Cyb….
0
15
0
RT @infosec_au: How do we turn bad SSRF (blind) into good SSRF (full response)? The @assetnote Security Research team at @SLCyberSec used a….
0
179
0
RT @jackhcable: I reverse engineered @cluely – and their desktop source code exposes their entire system prompts and models used. What's i….
0
502
0
RT @binarygolf: BGGP6 will happen fall/winter 2025 instead of our usual summer event! Stay tuned for more details.
0
10
0
i'm so hired of seeing these 16 BILLION CREDENTIALS LEAKED!!! stories. it was like 15 billion of the SAME CREDENTIALS last time the news ran this tired clickbait story. It will be 17 billion next time.
4
2
28
RT @birchb0y: excited bc today @HuntressLabs is releasing our analysis of a gnarly intrusion into a web3 company by the DPRK's BlueNoroff!!….
0
95
0
RT @spaceraccoonsec: To everyone who pre-ordered "From Day Zero to Zero Day" – thank you for your patience. The wait is almost over. We'r….
0
30
0
when i talk about o3-pro being impressive at thinking through security problems, this is the kind of answer i'm talking about. the answers i get from every other model (gemini pro 2.5 and normal o3 included) is essentially just different flavors of "response hashing and regex".
@vmfunc when asking "how to fingerprint web apps without version numbers" o3-pro said all of the normal stuff, but THEN also went down to checking for function similarity at the javascript bytecode level and a "train a simple TF‑IDF + cosine similarity classifier" to map bundle versions.
0
0
3