Critical Thinking - Bug Bounty Podcast

Episode 136: Hacking Cluely, AI Prod Sec, and How To Not Get Sued with Jack Cable

Aug 21, 2025
Jack Cable, founder of Corridor.dev and a former government cybersecurity expert, shares his insights on a significant bug in Cluely’s desktop application and the challenges of cybersecurity legislation. He explores the intersection of AI and application security, highlighting vulnerabilities and the potential of AI tools in software development. The conversation also delves into the legal risks facing ethical hackers, emphasizing the importance of obtaining permission and navigating complex laws like the Computer Fraud and Abuse Act. Jack's experiences illuminate both the opportunities and hurdles in the cybersecurity landscape.
INSIGHT

Electron Apps Are Websites With Desktop Reach

  • Electron apps are effectively websites, so XSS in rendered content can lead to severe desktop impacts.
  • Lacking an Electron sandbox magnifies risk when remote content is opened inside the app.
ANECDOTE

Cluely Desktop App Screen Capture POC

  • Jack Cable found that Cluely's Electron app exposed postMessage handlers that allowed arbitrary webpages to request screenshots.
  • He built a POC that continuously captured the desktop after a user clicked a link, effectively recording the screen.
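The class of bug described in this snip is a `postMessage` handler that honours privileged requests without checking who sent them. The following is an added example, not code from the podcast or from Cluely: a weak dispatcher beside a hardened one that allowlists the sender origin before a privileged action runs. The origins, the policy object and the `ACTIONS` table are constructed for illustration.

```javascript
// Added example (not from the episode or Cluely's code): origin-checked
// dispatch for window.postMessage in a desktop (Electron) renderer.
// A privileged action such as a screen capture must only be honoured when the
// message comes from an origin the app itself controls, never from an
// arbitrary page the user happened to open inside the app.

// Hypothetical policy: which origins may request which privileged actions.
const POLICY = {
  allowedOrigins: new Set(["https://app.example.invalid"]),   // constructed
  privilegedActions: new Set(["capture-screen", "read-clipboard"]),
};

// Weak handler, matching the pattern described above: every sender is trusted,
// so any page rendered in the app can trigger a screenshot.
function handleMessageUnchecked(event, actions) {
  const { type } = event.data || {};
  if (actions[type]) return actions[type]();
  return "ignored";
}

// Hardened handler: exact-origin allowlist, opaque ("null") origins rejected,
// malformed payloads ignored, and privileged actions refused from unknown
// origins even when the request itself is well-formed.
function handleMessageChecked(event, actions, policy = POLICY) {
  if (!event || typeof event.origin !== "string") return "rejected:no-origin";
  if (event.origin === "null") return "rejected:opaque-origin";
  const data = event.data && typeof event.data === "object" ? event.data : {};
  const { type } = data;
  if (typeof type !== "string" || !actions[type]) return "ignored";
  if (policy.privilegedActions.has(type) && !policy.allowedOrigins.has(event.origin)) {
    return `rejected:untrusted-origin:${event.origin}`;
  }
  return actions[type]();
}

// Constructed privileged actions; in a real app these would be IPC calls
// into the main process, not inline functions.
const ACTIONS = {
  "capture-screen": () => "screenshot-taken",
  "ping": () => "pong",
};

// Constructed messages: one from a third-party page the user clicked through
// to, one from the app's own UI origin.
const fromAttackerPage = { origin: "https://evil.example.invalid", data: { type: "capture-screen" } };
const fromOwnUi = { origin: "https://app.example.invalid", data: { type: "capture-screen" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(handleMessageUnchecked(fromAttackerPage, ACTIONS)); // screenshot-taken
  console.log(handleMessageChecked(fromAttackerPage, ACTIONS));   // rejected:untrusted-origin:...
  console.log(handleMessageChecked(fromOwnUi, ACTIONS));          // screenshot-taken
}
```

In a real Electron renderer the same check belongs in the `window.addEventListener("message", ...)` callback, and the allowlist should be the app's own origin only, not a wildcard or a substring match.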
ADVICE

Make A Clear VDP With Safe Harbor

  • Publish a vulnerability disclosure policy (VDP) as the baseline for responsible security research.
  • Include legal safe-harbor language so researchers can report bugs without fear of legal action.