Sam Curry
@zlz.bsky.social
Reposted by Sam Curry
New blog post with @shubs.io:
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United State...
samcurry.net
January 23, 2025 at 5:44 PM
New blog post with @shubs.io:
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.
Full post here: samcurry.net/hacking-subaru
Reposted by Sam Curry
Documentary on Hackers Who Get Paid to Hack Companies. @CyberNews interviewed Bryce (@realytcracker), Ben (@NahamSec), Sam Curry (@zlz), Frederik (@stokfredrik), Neiko (@_specters_), Vanya (@BusesCanFly), Phoenix (LilRed), André (@0xacb).
December 16, 2024 at 3:49 PM
Documentary on Hackers Who Get Paid to Hack Companies. @CyberNews interviewed Bryce (@realytcracker), Ben (@NahamSec), Sam Curry (@zlz), Frederik (@stokfredrik), Neiko (@_specters_), Vanya (@BusesCanFly), Phoenix (LilRed), André (@0xacb).
Reposted by Sam Curry
Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...
portswigger.net/research/byp...
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
portswigger.net
December 4, 2024 at 3:17 PM
Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...
portswigger.net/research/byp...
Reposted by Sam Curry
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
November 27, 2024 at 9:10 AM
My latest blog post is live! nastystereo.com/security/cro...
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
Does anyone know the max size limit for Bluesky usernames? The DNS and everything resolves correctly for this (253 characters), but it seems to throw 400 bad request when I actually try to assign it.
November 25, 2024 at 6:48 AM
Does anyone know the max size limit for Bluesky usernames? The DNS and everything resolves correctly for this (253 characters), but it seems to throw 400 bad request when I actually try to assign it.