🍔 Just collabed with @BobTheShoplifter on a MASSIVE SECURITY BREACH: We exposed how Restaurant Brands International (Burger King, Tim Hortons, Popeyes) left their drive-thru systems etc completely vulnerable.

🎯 What we found:
• Unauthenticated API access to ALL drive-thru locations globally
• Drive-thru voice recordings of customers accessible
• Employee PII exposed.
• Bathroom feedback systems with zero auth
• Hardcoded passwords in client-side code

The scope was insane - we could access any drive-thru system globally. Even listen to your actual drive-thru orders 👂

Credit to RBI for lightning-fast response once disclosed, but the privacy implications were staggering.

Full technical breakdown: https://bobdahacker.com/blog/rbi-hacked-drive-thrus

#InfoSec#CyberSecurity#ResponsibleDisclosure#Privacy#GDPR#API#GraphQL#SecurityResearch#VulnDisclosure#RestaurantBrands#BurgerKing#TimHortons#Popeyes #vulnerability

🍔 Just collabed with @BobTheShoplifter on a MASSIVE SECURITY BREACH: We exposed how Restaurant Brands International (Burger King, Tim Hortons, Popeyes) left their drive-thru systems etc completely vulnerable.

🎯 What we found:
• Unauthenticated API access to ALL drive-thru locations globally
• Drive-thru voice recordings of customers accessible
• Employee PII exposed.
• Bathroom feedback systems with zero auth
• Hardcoded passwords in client-side code

The scope was insane - we could access any drive-thru system globally. Even listen to your actual drive-thru orders 👂

Credit to RBI for lightning-fast response once disclosed, but the privacy implications were staggering.

Full technical breakdown: https://bobdahacker.com/blog/rbi-hacked-drive-thrus

#InfoSec#CyberSecurity#ResponsibleDisclosure#Privacy#GDPR#API#GraphQL#SecurityResearch#VulnDisclosure#RestaurantBrands#BurgerKing#TimHortons#Popeyes #vulnerability

Interesting #vulnerability research writeup (that was published a few months ago)

Compromising #OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection

https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/#fnref:2

Here's my new article on how I escalated a CSS injection to remote code execution on a Google app. Enjoy!

https://bm.gy/gwdrce3

#Cybersecurity#InfoSec#BugBounty#IndieSec#Vulnerability

Here's my new article on how I escalated a CSS injection to remote code execution on a Google app. Enjoy!

https://bm.gy/gwdrce3

#Cybersecurity#InfoSec#BugBounty#IndieSec#Vulnerability

Interesting #vulnerability research writeup (that was published a few months ago)

Compromising #OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection

https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/#fnref:2

Hacked Monster Energy 💀

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#InfoSec#Security#DataBreach#MonsterEnergy#Vulnerability#CyberSecurity#ResponsibleDisclosure#BugBounty

Hacked Monster Energy 💀

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#InfoSec#Security#DataBreach#MonsterEnergy#Vulnerability#CyberSecurity#ResponsibleDisclosure#BugBounty

I received an email earlier this week from EA asking if I wanted to be added to a public acknowledgement page they were creating for individuals who responsibly disclosed vulnerabilities to them.

For all the shit people give EA, of the 100+ companies I contacted in the last two years, they were the only company I would say had a decent incident response.

They fixed the issue within 12 hours after validating it as critical, and proactively provided me multiple updates over time.

When the IR was done on their side, they reached out again with some more information about the potential impact if the issue hadn't been solved quickly, and also offered me a reward.

I did not have to keep chasing anyone for updates, I wasn't asked for non-disclosure, or offered money in exchange for it, and people replied instead of ignoring me.

I wasn't blamed for their mistake, either, or reported to the authorities.

Unfortunately, at least one or multiple of the things mentioned above are present in most of my other incidents reported; it's a real shit show out there.

#cybersecurity #infosec #responsibledisclosure #vulnerability #ea #electronicarts

🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦

Technical details:

• Design Hub: Used to be client sided password, Registration endpoint exists and works even tho they dont want signups
• TRT portal: Crew accounts could enumerate/impersonate all employees from general manager to CEO
• GRS panel: Complete authentication bypass, arbitrary HTML injection
• Magicbell API keys/secrets exposed in client-side JS
• Algolia indexes listable with user PII
• CosMc's: Server-side validation missing for coupon redemption

They fixed it but fired my friend who helped find the OAuth vulnerabilities.

Full Technical Writeup: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities

#infosec #bugbountry #responsibledisclosure #security #cybersecurity #hacking #vulnerability

🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦

Technical details:

• Design Hub: Used to be client sided password, Registration endpoint exists and works even tho they dont want signups
• TRT portal: Crew accounts could enumerate/impersonate all employees from general manager to CEO
• GRS panel: Complete authentication bypass, arbitrary HTML injection
• Magicbell API keys/secrets exposed in client-side JS
• Algolia indexes listable with user PII
• CosMc's: Server-side validation missing for coupon redemption

They fixed it but fired my friend who helped find the OAuth vulnerabilities.

Full Technical Writeup: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities

#infosec #bugbountry #responsibledisclosure #security #cybersecurity #hacking #vulnerability

We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.

We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.

Update Instructions:

• Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
• Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
• Manual installations: Run git pull to get the latest code, then pnpm install and restart your service

All #Fedify users must immediately update to the latest patched versions. A #critical authentication bypass #vulnerability (CVE-2025-54888) has been discovered in Fedify that allows attackers to impersonate any #ActivityPub actor by sending forged activities signed with their own keys.

This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.

The following versions contain the #security fix: 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify.

After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.

The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.

#fedidev

🔒 Security Update for BotKit Users

We've released #security patch versions BotKit 0.1.2 and 0.2.2 to address CVE-2025-54888, a security #vulnerability discovered in #Fedify. These updates incorporate the latest patched version of Fedify to ensure your bots remain secure.

We strongly recommend all #BotKit users update to the latest patch version immediately. Thank you for keeping the #fediverse safe! 🛡️

#fedidev

We've released #security updates for #Hollo (0.4.12, 0.5.7, and 0.6.6) to address a #vulnerability in the underlying #Fedify framework. These updates incorporate the latest Fedify security patches that fix CVE-2025-54888.

We strongly recommend all Hollo instance administrators update to the latest version for their respective release branch as soon as possible.

Update Instructions:

• Railway users: Go to your project dashboard, select your Hollo service, click the three dots menu in deployments, and choose “Redeploy”
• Docker users: Pull the latest image with docker pull ghcr.io/fedify-dev/hollo:latest and restart your containers
• Manual installations: Run git pull to get the latest code, then pnpm install and restart your service

All #Fedify users must immediately update to the latest patched versions. A #critical authentication bypass #vulnerability (CVE-2025-54888) has been discovered in Fedify that allows attackers to impersonate any #ActivityPub actor by sending forged activities signed with their own keys.

This vulnerability affects all Fedify instances and enables complete actor impersonation across the federation network. Attackers can send fake posts and messages as any user, create or remove follows as any user, boost and share content as any user, and completely compromise the federation trust model. The vulnerability affects all Fedify instances but does not propagate to other ActivityPub implementations like Mastodon, which properly validate authentication before processing activities.

The following versions contain the #security fix: 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9, and 1.8.5. Users should update immediately using their package manager with commands such as npm update @fedify/fedify, yarn upgrade @fedify/fedify, pnpm update @fedify/fedify, bun update @fedify/fedify, or deno update @fedify/fedify.

After updating, redeploy your application immediately and monitor recent activities for any suspicious content. Please also inform other Fedify operators about this critical update to ensure the security of the entire federation network.

The safety and security of our community depends on immediate action. Please update now and feel free to leave comments below if you have any questions.

#fedidev

Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
https://bobdahacker.com/blog/lovense-still-leaking-user-emails/

Edit: If you have Twitter Please retweet this. This guy was one of the CO Founders of Lovense and got kicked out like how Mark Zuckerburg from Facebook did to one of his Co-Founders
https://x.com/LovenseDispute/status/1879155775865589995

#InfoSec#BugBounty#ResponsibleDisclosure#Security#Vulnerability#IoT #cybersecurity