
Critical Thinking - Bug Bounty Podcast Episode 149: DEFCON Debrief: AI Vulns, Unicode Weirdness, and Wild Vulnerability Chains
Nov 20, 2025

This week, the hosts dive into highlights from DEFCON, discussing groundbreaking research on exploiting cloud VPNs and the security pitfalls of smart devices. They explore the curious world of Unicode surrogates and their impact on database queries. The conversation moves to the risks associated with passkeys and potential vulnerabilities in GraphQL access controls. They also dissect innovative techniques for DOM clobbering and the clever use of calendar invites for security breaches. Tune in for insights on hacking and cutting-edge tools!
AI Snips
Stop Rotating Models After ROI Drops
- Limit agent rotations per vulnerability class to the point of diminishing returns to maximize ROI on compute resources.
- Reallocate compute saved from over-rotating to scan more endpoints for higher total vuln yield.
Score Hosts With a Feature Checklist
- Use a feature checklist to score hosts (GraphQL, forms, password reset, etc.) and focus on the highest-ranked targets first.
- This simple scoring cut their scan surface significantly and increased focus on promising attack surfaces.
Semantic Deduplication Beats Hashing
- Embeddings let you compare meaning rather than brittle hashes or screenshots, enabling semantic deduplication across dynamic content.
- Cosine similarity on text vectors highlights true duplicates and clusters unusual targets for review.
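
The deduplication idea in the last snip, as an added example that is not from the episode or the hosts' tooling: two page captures that differ only in dynamic fields get different SHA-256 hashes but land in one cluster under cosine similarity. The term-count `vectorize` function is a stand-in for an embedding model, and the hostnames, page texts and 0.8 threshold are constructed assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample captures: the two login pages differ only in dynamic fields.
PAGES = {
    "a.example/login": "Sign in to your account. Session 8f3a1c. "
                       "Server time 10:02:11. Forgot password?",
    "b.example/login": "Sign in to your account. Session 77d0e2. "
                       "Server time 10:05:47. Forgot password?",
    "c.example/graphql": "GraphQL playground. Enter a query and press run "
                         "to explore the schema.",
}

def sha256_hex(text):
    """Exact-match fingerprint: changes if any byte of the page changes."""
    return hashlib.sha256(text.encode()).hexdigest()

def vectorize(text):
    """Stand-in for an embedding: counts of alphabetic words of 3+ letters.
    Tokens mixing digits and letters (session ids, timestamps) are skipped."""
    return Counter(re.findall(r"\b[a-z]{3,}\b", text.lower()))

def cosine(u, v):
    """Cosine similarity of two sparse count vectors (0.0 if either is empty)."""
    dot = sum(u[t] * v[t] for t in u.keys() & v.keys())
    norm = (math.sqrt(sum(c * c for c in u.values()))
            * math.sqrt(sum(c * c for c in v.values())))
    return dot / norm if norm else 0.0

def cluster(pages, threshold=0.8):
    """Greedy clustering: join the first cluster whose representative vector
    is at least `threshold` similar, otherwise start a new cluster."""
    clusters = []  # list of (representative vector, [page names])
    for name, text in pages.items():
        vec = vectorize(text)
        for rep, members in clusters:
            if cosine(rep, vec) >= threshold:
                members.append(name)
                break
        else:
            clusters.append((vec, [name]))
    return [members for _, members in clusters]

if __name__ == "__main__":
    for group in cluster(PAGES):
        print(group)
```

Single-member clusters are the unusual pages worth a manual look; multi-member clusters need only one representative reviewed.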
