Date: 2025-09-25 22:22 UTC
Researcher: Joseph Goydish II
JGoyd
/ Apple System Data on AWS.md
Last active
September 26, 2025 15:47
Public DNS evidence shows Apple’s Safari, Spotlight, and Maps configuration data (api.smoot.apple.com) terminates on Amazon AWS (AS16509).
JWally
/ anon-age-verification.md
Last active
September 21, 2025 14:56
A zero‑storage, privacy‑preserving age check that leverages banks’ existing KYC — with the user as the transport layer.
- Banks sign an age claim, not an identity. They never learn which site you’re visiting.
- Merchants verify a short‑lived token against their own nonce and a one‑time WebAuthn key. No database required.
hackermondev
/ zendesk.md
Last active
September 26, 2025 09:58
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies
hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:
If you've spent some time online, you’ve probably come across Zendesk.
Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.
Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env -S bash -c "docker run -p 8080:8080 -it --rm \$(docker build --progress plain -f \$0 . 2>&1 | tee /dev/stderr | grep -oP 'sha256:[0-9a-f]*')" | |
| # syntax = docker/dockerfile:1.4.0 | |
| FROM node:20 | |
| WORKDIR /root | |
| RUN npm install sqlite3 |
cmoog
/ twitter-ad-free.md
Last active
October 18, 2024 15:02
Inject this css snippet to remove all ads from your Twitter timeline.
div[data-testid="placementTracking"]:has(path[d="M19.498 3h-15c-1.381 0-2.5 1.12-2.5 2.5v13c0 1.38 1.119 2.5 2.5 2.5h15c1.381 0 2.5-1.12 2.5-2.5v-13c0-1.38-1.119-2.5-2.5-2.5zm-3.502 12h-2v-3.59l-5.293 5.3-1.414-1.42L12.581 10H8.996V8h7v7z"]) {
display: none;
}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| from collections import deque | |
| import numpy as np | |
| import sounddevice as sd | |
| from beepy import beep | |
| from infi.systray import SysTrayIcon | |
| last_alert = time.time() - 10 | |
| q = deque(maxlen=200) |
milesrichardson
/ inherit_environment_variables_from_pid_1.md
Created
January 21, 2023 07:35
inherit environment variables from PID 1
You can inherit the environment variables from PID 1 by iterating over the list of null-terminated strings
in /proc/1/environ, parsing the first characters up to the first = as the variable name, setting the
remaining value as that variable, and exporting it.
The Code Snippet
This works with multiline environment variables, and environment variables with arbitrary values, like
strings, including = or JSON blobs.
Paste this in your current terminal session to inherit the environment variables from PID 1:
DavidBuchanan314
/ 00_writeup.md
Last active
June 2, 2025 05:02
Here's the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.
In other words, we want an MD5 collision attack and a CRC32 preimage attack.
This might seem like a contrived scenario, but it's exactly the one I faced while producing my PNG hashquine (Yes OK maybe that's also a contrived scenario, cut me some slack).
On its own, a CRC32 preimage attack is trivial. You can craft a 4-byte suffix that gives any message a specific checksum, calculated using a closed-form expression (which I am too lazy to derive, not even with assistance from Z3). It's not an attack per-se, since CRC32 was never meant to be cryptograpically secure in the first place.
This script allows you to install unsigned extensions (ones that aren't approved by Mozilla) on normal Firefox builds and the official Snap! That's right, no "Firefox Developer Edition" nonsense required!
This script is not well tested, like at all. This script might break things, possibly important things. You should probably take a backup of your Firefox profile before using it. You have been warned.
sudo apt install -y curl unzip zip
# Only needed when jailbreaking the Snap
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "math/rand" | |
| "os" | |
| "github.com/miekg/dns" | |
| ) |
NewerOlder