
Critical Thinking - Bug Bounty Podcast Episode 146: Hacking Horror Stories
Oct 30, 2025
Get ready for a spooky ride as hosts share chilling bug bounty horror stories! From a browser extension leaking employee tokens to a live hacking event gone wrong with a massive zip file, the tales are gripping. Hear about accidental disruptions, like sysprepping a hypervisor and getting fired over a disruptive XSS tool. They explore the risks of weak credentials in guest Wi-Fi and how an open banking hack led to account takeovers. It's a mix of thrills and tech as they unveil the scariest sides of hacking!
AI Snips
Bug Bounty Trends To Watch
- HackerOne report stats show bounties and valid reports are rising year-over-year, with $81M paid in the latest cycle.
- Misconfigurations, IDORs and improper access control are trending up, so focus recon on those areas.
Better File Writes From SQLite Injection
- Combining CREATE VIEW with ATTACH DATABASE gives a file-write primitive for SQLite injection that sidesteps the character restrictions of the usual approach.
- Prefer this view-based write technique when the payload needs a wider range of characters, for example for bash or rc-file pollution.
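The file-write primitive above only exists because the database engine is allowed to run ATTACH DATABASE and CREATE VIEW on behalf of untrusted input. The following is an added defender-side example, not code from the podcast or its hosts: it assumes a Python application using the standard `sqlite3` module, binds user input as a parameter so it can never become SQL, and installs an SQLite authorizer that refuses ATTACH and CREATE VIEW at statement-compile time, so the primitive is gone even if an injection slips past the query layer. The table, rows and function names are constructed for the demonstration.

```python
import sqlite3

# Authorizer action codes exported by the sqlite3 module. Ordinary row
# reads and writes never need either statement, so both are denied.
DENIED_ACTIONS = {
    sqlite3.SQLITE_ATTACH: "ATTACH DATABASE",
    sqlite3.SQLITE_CREATE_VIEW: "CREATE VIEW",
}


def open_hardened(path=":memory:"):
    """Open a connection whose authorizer refuses ATTACH and CREATE VIEW.

    Returns (connection, blocked) where `blocked` collects every denied
    action, which is what you would forward to alerting in production.
    """
    conn = sqlite3.connect(path)
    blocked = []

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # Called by SQLite while compiling each statement; SQLITE_DENY makes
        # the whole statement fail with "not authorized" before it runs.
        if action in DENIED_ACTIONS:
            blocked.append((DENIED_ACTIONS[action], arg1))
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn, blocked


def lookup_user_vulnerable(conn, username):
    # Anti-pattern kept for contrast: the input is spliced into the SQL text,
    # so a quote in `username` closes the literal and the rest is parsed as SQL.
    return conn.execute(
        f"SELECT id FROM users WHERE name = '{username}'"
    ).fetchall()


def lookup_user_safe(conn, username):
    # Bound parameter: the input is only ever data, whatever characters it holds.
    return conn.execute(
        "SELECT id FROM users WHERE name = ?", (username,)
    ).fetchall()


def attach_allowed(conn):
    """Try to attach a second database; True only if the engine permits it."""
    try:
        conn.execute("ATTACH DATABASE ':memory:' AS scratch")
        return True
    except sqlite3.DatabaseError:  # SQLITE_AUTH surfaces as DatabaseError
        return False


def create_view_allowed(conn):
    """Try to create a view over the users table; True only if permitted."""
    try:
        conn.execute("CREATE VIEW v AS SELECT name FROM users")
        return True
    except sqlite3.DatabaseError:
        return False


def seed(conn):
    # Constructed sample schema and data for the demonstration.
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    conn.commit()


if __name__ == "__main__":
    conn, blocked = open_hardened()
    seed(conn)
    probe = "alice' OR '1'='1"
    print("safe lookup:", lookup_user_safe(conn, probe))          # []
    print("vulnerable lookup:", lookup_user_vulnerable(conn, probe))  # [(1,)]
    print("ATTACH allowed:", attach_allowed(conn))                # False
    print("CREATE VIEW allowed:", create_view_allowed(conn))      # False
    print("denied actions:", blocked)
```

The authorizer is a second layer, not a substitute for binding parameters: the vulnerable lookup still returns every row for the quoted probe, but the connection can no longer be steered into attaching a file or creating a view, which is exactly the pair of statements the write technique relies on.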
Extension Token Led To Internal Access
- Brandyn found a private Firefox extension that attached an auth header to requests for matching hostnames, so a crafted subdomain received a token that enabled internal network access.
- The extension's token allowed remote access to internal apps, and callbacks from the crafted subdomain revealed employees interacting with it.
