#Tag
halcy​ :icosahedron: and 1 other boosted
Bálint Magyar
@balint@mastodon.social · last month

Here's my new article on how I escalated a CSS injection to remote code execution on a Google app. Enjoy!

https://bm.gy/gwdrce3

#Cybersecurity #InfoSec #BugBounty #IndieSec #Vulnerability

theruran 💻 🌐 :cereal_killer: boosted
BobDaHacker 🏳️‍⚧️ | NB
@bobdahacker@infosec.exchange · last month

Hacked Monster Energy 💀

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#InfoSec #Security #DataBreach #MonsterEnergy #Vulnerability #CyberSecurity #ResponsibleDisclosure #BugBounty

Dane 🇮🇪 ☮️🕉️⚛️☸️ boosted
BobDaHacker 🏳️‍⚧️ | NB
@bobdahacker@infosec.exchange · 2 months ago

Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
https://bobdahacker.com/blog/lovense-still-leaking-user-emails/

Edit: If you have Twitter, please retweet this. This guy was one of the co-founders of Lovense and got kicked out, like how Mark Zuckerberg from Facebook did to one of his co-founders.
https://x.com/LovenseDispute/status/1879155775865589995

#InfoSec #BugBounty #ResponsibleDisclosure #Security #Vulnerability #IoT #cybersecurity

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕
@kubikpixel@chaos.social · 3 months ago

»Because of AI slop, curl developer considers ending bug bounty rewards:
Low-quality bug reports are placing an ever greater burden on open-source developers. curl maintainer @bagder is now considering radical measures.«

Let me guess: IT corporations are burdening the developers of tools they themselves use every day. What is intelligent, or even artistic, about that?
/s

🤨 https://www.golem.de/news/wegen-ki-schrott-curl-entwickler-erwaegt-ende-der-bug-bounty-praemien-2507-198123.html

#curl #opensource #web #internet #ai #ki #belastung #entwickler #kischrott #bugbounty

Cory Doctorow and 1 other boosted
daniel:// stenberg://
@bagder@mastodon.social · 3 months ago

Death by a thousand slops

https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

#curl #AI #bugbounty

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate