Dylan
@insecurenature.bsky.social
Appsec and security hot takes.
Here's my BSidesSF talk on using LLMs to self-replicate and ransom the planet:

youtu.be/s4RKXTC8iuM
This is how you make an AI Ransomware Worm
YouTube video by Truffle Security
youtu.be
May 12, 2025 at 3:56 PM
Reposted by Dylan
🔥 You can now add TruffleHog to Burp Suite!

🌐 Install it directly from the BApp Store
🔍Scan web traffic for live, verified credentials—active & exploitable

Because secrets don’t just leak in code… 😬

🔗 trufflesecurity.com/blog/introdu...
March 13, 2025 at 4:57 PM
Reposted by Dylan
The privacy concerns I have around the Eightsleep have kept me from buying one, the security concerns make me want to warn people about buying one:

trufflesecurity.com/blog/removin...
Removing Jeff Bezos From My Bed ◆ Truffle Security Co.
Eight Sleep smart bed found to contain an exposed AWS key and a likely backdoor that allowed engineers to remotely access users' beds
trufflesecurity.com
February 21, 2025 at 10:50 PM
Reposted by Dylan
NEW: security researchers found what they say appears to be a backdoor into Eight Sleep beds, which could allow company engineers to SSH into any bed

in theory, they could see if you're home or not, if you're sleeping alone or with someone

in today's newsletter for @bloomberg.com
February 21, 2025 at 8:50 PM
Reposted by Dylan
🐷 Under the Hood of TruffleHog!

⚡ Part 1 of 2: How Aho-Corasick + CPU optimizations deliver 11-17% faster scans with precomputed keyword matching. 🚀

👉 trufflesecurity.com/blog/under-t...
January 24, 2025 at 8:04 PM
I wrote a blog about my shmoocon talk, check it out 👇
🚨Today we are announcing a new OAuth bug that affects millions of accounts

🌟 TLDR: Google’s OAuth login doesn’t protect against someone purchasing a failed startup’s domain and using it to re-create email accounts for former employees

👉 full blog: trufflesecurity.com/blog/million...
January 14, 2025 at 4:35 AM
I spoke at Shmoocon today and linked my Twitter and Blue Sky.

It led to:
+ 5 Twitter follows
+ 19 Blue Sky follows
January 12, 2025 at 4:27 AM
Reposted by Dylan
Vigilante Justice on GitHub. 🦇🦸

Here's how to spray paint on other fraudsters' GitHub Activity Graphs.

trufflesecurity.com/blog/vigilan...
January 8, 2025 at 8:02 AM
Reposted by Dylan
🚨 10% of SaaS platforms mishandle GitHub OAuth tokens, opening potential backdoors into corporate accounts. 😱

⚠️ Extends to Azure, Slack & more—increasing risk with poor token handling.

🛑 The issue isn’t OAuth; it’s how platforms secure tokens.

👉 trufflesecurity.com/blog/mishand...
December 19, 2024 at 9:57 PM
Hey Fidelity,

Now that CCP is literally in our phone networks-

Can you please stop making your customers rawdog their passwords over touch tone?

Thanks.
December 19, 2024 at 11:20 PM
Look up "Altoona Pizza", I can't even
December 12, 2024 at 2:56 AM
My Shmoocon talk got accepted!

I've never spoken at Shmoocon before, but I have been submitting every year for a while.

If you're wondering what it takes to get accepted at a conference the answer is a lot of rejection first.
December 10, 2024 at 3:54 AM
Truffle Security is posting on Blue Sky now??
🐷 TruffleHog now decodes APKs to scan for secrets 🚀

💡 Why it matters:
🔍 APKs often leak secrets, but scanning was slow & complex.
🔓 Now it’s fast, efficient & scalable.
📊 Tested on WhatsApp & Facebook Messenger—up to 16.5x faster!

👉 https://trufflesecurity.com/blog/cracking-open-apk-files-at-scale
December 9, 2024 at 5:40 PM
I found an AWS key inside one of my household devices, does anyone want to guess which one?
December 7, 2024 at 7:51 AM
It's no secret Android apps have a lot of passwords and API keys in them.

TruffleHog can now find them, fast: trufflesecurity.com/blog/crackin...
Cracking Open APK Files at Scale ◆ Truffle Security Co.
TruffleHog now automatically decodes Android Package Kit (APK) files and searches them for secrets. It runs ~9x faster than using an external decompiler before calling TruffleHog.
trufflesecurity.com
December 5, 2024 at 3:59 AM
I'll pay $200 bucks for a moxie robot. Seriously.
December 3, 2024 at 2:07 AM
Truffle Security sponsors security research, in case anyone is tired of the conference loop: trufflesecurity.com/blog/announc...
Announcing Truffle Security’s CFP ◆ Truffle Security Co.
Have a security research idea? We’re sponsoring 2 projects a month. Your research will be featured on our blog, you get $1500 and you can still submit your research to conferences.
trufflesecurity.com
December 2, 2024 at 9:30 PM
Technically you can satisfy data breach notification requirements by sending snail mail to those impacted, and never announcing publicly.
December 2, 2024 at 8:25 PM
How will code gen change the security landscape?

AI will write code containing vulnerabilities, and humans won't know the first thing about it.

Then they will actively push to not be held accountable to review and fix it.
November 29, 2024 at 10:56 PM
So do people use this app?
November 19, 2024 at 3:13 AM
Sometimes you find the shell, sometimes the shell finds you
July 5, 2023 at 10:27 AM
@twitchyliquid64.bsky.social is enjoying a coffee
May 14, 2023 at 7:22 PM
A few years ago reports came out suggesting the NSA had hardware signing keys and used them to embed hardware level backdoors. Now, with MSI keys leaking, you can make your own https://nakedsecurity.sophos.com/2023/05/09/low-level-motherboard-security-keys-leaked-in-msi-breach-claim-researchers/
Low-level motherboard security keys leaked in MSI breach, claim researchers
What can you do if someone steals your keys but you can’t change the lock? We explain the dilemma in plain English.
nakedsecurity.sophos.com
May 12, 2023 at 8:12 PM
Okay I'm posting my first.... What is this action? Sky? Am I skying?
May 8, 2023 at 7:23 PM