Skip to content

Instantly share code, notes, and snippets.

View Tomoli75's full-sized avatar

Thomas Tomoli75

  • England, United Kingdom
View GitHub Profile
@hackermondev
hackermondev / research.md
Last active July 24, 2025 05:10
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@stong
stong / cups-browsed.md
Last active January 15, 2025 14:08
CUPS disclosure leaked online. Not my report. The original author is @evilsocket

Original report

  • Affected Vendor: OpenPrinting
  • Affected Product: Several components of the CUPS printing system: cups-browsed, libppd, libcupsfilters and cups-filters.
  • Affected Version: All versions <= 2.0.1 (latest release) and master.
  • Significant ICS/OT impact? no
  • Reporter: Simone Margaritelli [[email protected]]
  • Vendor contacted? yes The vendor has been notified trough Github Advisories and all bugs have been confirmed:

Loqui is archived. Please see the modrinth page for more information.

@korakot
korakot / plugin_domains.txt
Last active March 22, 2025 06:56
Chatgpt plugin domain list
dmtoolkit.magejosh.repl.co
seo-plugin.orrenprunckun.com
talkfpl.beegreeeen.workers.dev
videohighlight.com
aiplugin-experiences.owlting.com
www.nani.ooo
jetbook.click
imageeditor.dev
api.speedybrand.io
c-resume.copilot.us
@adalinesimonian
adalinesimonian / block-the-blue.md
Last active December 27, 2024 22:02
Block all verified Twitter accounts on screen
@wycats
wycats / 1-decorator.md
Last active April 13, 2024 17:25
Thoughts on readonly accessor decorators in TypeScript

Getter-Only Auto-Accessor Decorators

Broadly speaking, the idea is that you should be able to create an accessor decorator that doesn't expose a setter.

I think the most natural way to express this is for the set function returned by an accessor decorator to have a never return type. The idea is that such a decorator would result in the type system treating the resulting field as if it was a manually written getter without a setter.

Here's an example scenario:

import { Friend } from "hypothetical-lib";
@pepsipriest
pepsipriest / from synapse discord.md
Created October 12, 2022 22:31
Hyperion: What will happen, what has happened what you should do

Hyperion: What will happen, what has happened what you should do

Context:Ik I make a lot of claims even tho I am not a part of any exploit dev team, but I've known most of the OGs for a very long time and I've been here circa 2018. I'm writing this based on my experience as a script developer and my talks with exploit devs. If you don't believe me, then 🤷

TL;DR

No, Roblox exploiting is not going to die. Anybody that thinks doomsday is coming is believing in the fear, uncertainty and doubt being spread by the people that jumped too quickly to conclusions. Obviously Roblox acquiring an anti-cheat company is alarming, but not as alarming as most people make it out to be. This doesn't mean that Roblox exploiting will be left unaffected, however. A lot of exploits will crash and burn, and they won't go peacefully. Let's take a look at what could happen:

  • It is very likely that API-based exploits like WeAreDevs will die. They don't have the resources to maintain their upkeep, unlike (some) mor
@aileftech
aileftech / hex-colors.txt
Created October 1, 2022 18:10
A Bash one-liner to produce a list of HEX color codes that read like (supposedly) valid English words
$ grep -P "^[ABCDEFabcdefOoIi]{6,6}$" /usr/share/dict/words | tr 'OoIi' '0011' | tr '[:lower:]' '[:upper:]' | awk '{print "#" $0}'
#ACAD1A
#B0BB1E
#DEBB1E
#AB1DED
#ACAC1A
#ACCEDE
#AC1D1C
#BAB1ED
#BA0BAB
@Aizistral
Aizistral / MINECRAFT_BANS.md
Last active February 14, 2024 05:32
Research on Minecraft's global bans

Research on Minecraft's global bans

Date: 02.09.2022
Last Update: 24.12.2022
Author: Aizistral
In collaboration with: ejaussie, also known as British Empireball#3906

While I wish this could have been conducted sooner, this is the first verifiable ban case where I could contact the person banned. Some couple weeks ago I even purchased second Minecraft account with the sole intent of committing what would appear as bannable offense and being reported by one of my friends afterwards, which I sucessfully did; however, no action from moderation team followed. At the time this lead me to conclude that reports are not yet actioned on, which was perfectly explainable by unfixed exploits with chat reporting in 1.19.2. This case might indicate that reports are indeed actioned now, at least since the date of this research, but it is also possible that ban occured due to automated chat monitoring on Realms (see [Our Commitment to Player Safe