

Critical Thinking - Bug Bounty Podcast
Justin Gardner (Rhynorater) & Joseph Thacker (Rez0)
A "by Hackers for Hackers" podcast focused on technical content ranging from bug bounty tips, to write-up explanations, to the latest hacking techniques.

Jul 17, 2025 • 51min
Episode 131: SL Cyber Writeups, Bug Bounty Metastrategy, and Orphaned Github Commits
Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well as covering things like Raycast for Windows and Third-Person prompting, and touching on the recent McDonald's leak.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today’s Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward!

====== Resources ======
v1 Instance Metadata Service protections bypass
Would you like an IDOR with that? Leaking 64 million McDonald’s job applications
How we got persistent XSS on every AEM cloud site, thrice
Google docs now supports export as markdown
Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke)
How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets
Bug bounty, feedback, strategy and alchemy

====== Timestamps ======
(00:00:00) Introduction
(00:05:39) Metadata Service protections bypass & McDonald's Leak
(00:12:30) Christmas in July with Searchlight Cyber Pt 1
(00:19:43) Export as Markdown, Raycast for Windows, & Third-Person prompting
(00:23:56) Christmas in July with Searchlight Cyber Pt 2
(00:27:39) GitHub’s “Oops Commits” for Leaked Secrets
(00:36:53) Bug bounty, feedback, strategy and alchemy

Jul 10, 2025 • 1h 8min
Episode 130: Minecraft Hacks to Google Hacking Star - Valentino
Dive into the intriguing world of hacking as Valentino shares his transition from Minecraft exploits to tackling Google vulnerabilities. Discover creative approaches like bypassing HTML sanitizers and exploiting .NET deserialization. Learn about the challenges of reverse proxy vulnerabilities and the importance of innovative thinking in uncovering security flaws. The discussion highlights personal journeys, community engagement in hacking, and advanced methodologies for identifying bugs in cutting-edge technologies like AI.

Jul 3, 2025 • 36min
Episode 129: Is this how Bug Bounty Ends?
Dive into the future of bug bounties as human hackers collaborate with AI, revolutionizing vulnerability discovery. Explore the intricate challenges of tokenization and its implications for effective hacking mentorship. Unpack the complexities of language models and the intriguing phenomenon of AI 'hallucinations.' Discover the vital role of context engineering in ensuring accurate validations, making sense of how AI is reshaping the cybersecurity landscape. It's an engaging discussion on the evolution of hacking in the age of artificial intelligence!

Jun 26, 2025 • 58min
Episode 128: New Research in Blind SSRF and Self-XSS, and How to Architect Source-code Review AI Bots
Delve into the vulnerabilities of self-XSS and the complexities of blind SSRF attacks, unveiling the latest research on HTTP redirect techniques. Explore the innovative applications of AI in reversing minified JavaScript and improving code security. Hear about exciting new tools like Lumintus for better bug bounty documentation and the implications of URL spoofing linked to Google font ligatures. This engaging discussion combines technical insights with the evolving landscape of web security.

Jun 19, 2025 • 1h 7min
Episode 127: Drama, PDF as JS Chaos, Bounty Profile Apps, And More
The discussion kicks off with recent controversies in the bug bounty world and the advocacy for hackers. Key highlights include innovative hacking techniques around file formats and insights into compensation for zero-click vulnerabilities. There's a deep dive into the role of AI in cybersecurity, including novel exploits like 'Echo Leak.' The hosts celebrate community achievements while introducing tools like Newtowner for cloud security. Finally, they explore advanced tactics, including monetizing social media interactions and enhancing strategies with Chrome's dev tools.

Jun 12, 2025 • 39min
Episode 126: Hacking AI Series: Vulnus ex Machina - Part 3
Dive into the fascinating world of AI vulnerabilities, where personal experiences illuminate the challenges of hacking AI systems. Discover unique exploits like prompt injection that can manipulate AI interactions, exposing sensitive data. Hear about innovative tactics for uncovering AI flaws, including how hidden text can influence AI behavior. The conversation also emphasizes the necessity for creative approaches in identifying vulnerabilities and the importance of corporate support for AI bug bounty programs.

Jun 5, 2025 • 47min
Episode 125: How to Win Live Hacking Events
Discover strategies for succeeding at live hacking events! Learn about vital pre-event preparations and techniques for focus during the event. The discussion goes into post-event collaboration and maintaining a positive mindset throughout the process. Plus, hear about personal experiences and the importance of engaging with the bug bounty community. Get ready to optimize your approach and connect with fellow hackers.

May 29, 2025 • 45min
Episode 124: Bug Bounty Lifestyle = Less Hacking Time?
Join the hosts as they tackle the latest in bug bounty news, including Louis Vuitton's new program and a serious OpenPGP.js vulnerability. They share insights on balancing the flexibility of bug hunting with structured approaches for success. Discover the art of mentoring novices, advanced exploitation techniques, and the significance of automating cybersecurity efforts. Plus, hear about the transition to full-time bug bounty hunting and the joys it brings, along with reflections on personal achievements in the hacking journey.

May 22, 2025 • 44min
Episode 123: Hacking AI Series: Vulnus ex Machina - Part 2
The discussion dives into mastering prompt injection, showcasing how emotional tactics can manipulate AI models. Key AI vulnerabilities are explored, with insights into bug hunting tools and recent leaks. The comparison between Google's AI technologies highlights advanced exploitation techniques. Emphasizing meticulous testing, the hosts share strategies for recognizing and categorizing vulnerabilities. The episode wraps up with a sneak peek into future content on emerging risks within AI exploitation, encouraging listeners to engage on social media.

May 15, 2025 • 1h 46min
Episode 122: We Won Google's AI Hacking Event in Tokyo - Main Takeaways
Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak to discuss the Google LHE, as well as surprising us with a bug of his own! Then, we sit down with Lupin and Monke for a winners roundtable and retrospective of the event.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Check out the CTBB Job Board: https://jobs.ctbb.show/

Today’s Guests:
Zak Bennett: https://www.linkedin.com/in/zak-bennett/
Ciarán Cotter: https://x.com/monkehack
Roni Carta: https://x.com/0xLupin

====== Resources ======
We hacked Google’s A.I Gemini and leaked its source code
https://www.landh.tech/blog/20250327-we-hacked-gemini-source-code

====== Timestamps ======
(00:00:00) Introduction
(00:03:02) An RCE via memory corruption
(00:07:45) Zak's role at Google and Google's AI LHE
(00:15:25) Different Components of AI Vulnerabilities
(00:24:58) MVH Winner Debrief
(01:08:47) Technical Takeaways And Team Strategies
(01:28:49) LHE Experience and Google VRP & Abuse VRP