Critical Thinking - Bug Bounty Podcast

Delve into the vulnerabilities of self-XSS and the complexities of blind SSRF attacks, unveiling the latest research on HTTP redirect techniques. Explore the innovative applications of AI in reversing minified JavaScript and improving code security. Hear about exciting new tools like Lumintus for better bug bounty documentation and the implications of URL spoofing linked to Google font ligatures. This engaging discussion combines technical insights with the evolving landscape of web security.

The discussion kicks off with recent controversies in the bug bounty world and the advocacy for hackers. Key highlights include innovative hacking techniques around file formats and insights into compensation for zero-click vulnerabilities. There's a deep dive into the role of AI in cybersecurity, including novel exploits like 'Echo Leak.' The hosts celebrate community achievements while introducing tools like Newtowner for cloud security. Finally, they explore advanced tactics, including monetizing social media interactions and enhancing strategies with Chrome's dev tools.

Dive into the fascinating world of AI vulnerabilities, where personal experiences illuminate the challenges of hacking AI systems. Discover unique exploits like prompt injection that can manipulate AI interactions, exposing sensitive data. Hear about innovative tactics for uncovering AI flaws, including how hidden text can influence AI behavior. The conversation also emphasizes the necessity for creative approaches in identifying vulnerabilities and the importance of corporate support for AI bug bounty programs.

Discover strategies for succeeding at live hacking events! Learn about vital pre-event preparations and techniques for focus during the event. The discussion goes into post-event collaboration and maintaining a positive mindset throughout the process. Plus, hear about personal experiences and the importance of engaging with the bug bounty community. Get ready to optimize your approach and connect with fellow hackers.

Join the hosts as they tackle the latest in bug bounty news, including Louis Vuitton's new program and a serious OpenPGP.js vulnerability. They share insights on balancing the flexibility of bug hunting with structured approaches for success. Discover the art of mentoring novices, advanced exploitation techniques, and the significance of automating cybersecurity efforts. Plus, hear about the transition to full-time bug bounty hunting and the joys it brings, along with reflections on personal achievements in the hacking journey.

Episode 123: In this episode of Critical Thinking - Bug Bounty Podcast we’re back with part 2 of Rez0’s miniseries. Today we talk about mastering Prompt Injection, taxonomy of impact, and both triggering traditional Vulns and exploiting AI-specific features.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Today’s Sponsor - ThreatLocker User Storehttps://www.criticalthinkingpodcast.io/tl-userstore====== This Week in Bug Bounty ======Earning a HackerOne 2025 Live Hacking Invitehttps://www.hackerone.com/blog/earning-hackerone-2025-live-hacking-inviteHTTP header hacks: basic and advanced exploit techniques exploredhttps://www.yeswehack.com/learn-bug-bounty/http-header-exploitation====== Resources ======Grep.apphttps://vercel.com/blog/migrating-grep-from-create-react-app-to-next-jsGemini 2.5 Pro prompt leakhttps://x.com/elder_plinius/status/1913734789544214841Pliny's CL4R1T4Shttps://github.com/elder-plinius/CL4R1T4SO3https://x.com/pdstat/status/1913701997141803329====== Timestamps ======(00:00:00) Introduction(00:05:25) Grep.app, O3, and Gemini 2.5 Pro prompt leak(00:11:09) Delivery and impactful action(00:20:44) Mastering Prompt Injection(00:30:36) Traditional vulns in Tool Calls, and AI Apps(00:37:32) Exploiting AI specific features

Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak, to discuss the Google LHE as well as surprising us with a bug of his own! Then, we sit down with Lupin and Monke for a winners roundtable and retrospective of the event.Follow us on twitter at: https://x.com/ctbbpodcastGot any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.ioShoutout to YTCracker for the awesome intro music!====== Links ======Follow your hosts Rhynorater and Rez0 on Twitter:https://x.com/Rhynoraterhttps://x.com/rez0__====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord at https://ctbb.show/discord!We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.You can also find some hacker swag at https://ctbb.show/merch!Check out the CTBB Job Board: https://jobs.ctbb.show/Today’s Guests:Zak Bennett : https://www.linkedin.com/in/zak-bennett/Ciarán Cotter: https://x.com/monkehackRoni Carta: https://x.com/0xLupin====== Resources ======We hacked Google’s A.I Gemini and leaked its source codehttps://www.landh.tech/blog/20250327-we-hacked-gemini-source-code====== Timestamps ======(00:00:00) Introduction(00:03:02) An RCE via memory corruption(00:07:45) Zak's role at Google and Google's AI LHE(00:15:25) Different Components of AI Vulnerabilities(00:24:58) MHV Winner Debrief(01:08:47) Technical Takeaways And Team Strategies(01:28:49) LHE Experience and Google VRP & Abuse VRP

Episode 121: In this episode of Critical Thinking - Bug Bounty Podcast we cover so much news and research that we ran out of room in the description...Follow us on XShoutout to YTCracker for the awesome intro music!====== Links ======Follow Rhynorater and Rez0 on X:====== Ways to Support CTBBPodcast ======Hop on the CTBB Discord!We also have hacker swag!====== This Week in Bug Bounty ======Hacker spotlight: RhynoraterUltra Mobile BB Program - Mobile AppsUltra Mobile BB Program - (Public)John Deere ProgramJD's's BB Program Boosts CybersecurityDojo #41 - Ruby treasure====== Resources ======slonser 0-day in chromeCT Additional useful primitivesHow I made $64k from deleted filesCTBB episode with Sharon BrizinovRez0's Subdomain Link LauncherQwen3 Local ModelMay Cause Pwnageimport WAF bypassCaido DropAndre's tweet about encoded wordNahamconGemini prompt leakSVG Onload Handlers

In this engaging discussion, Eugene Lim, aka SpaceRaccoon, a vulnerability research expert and author of 'From Day Zero to Zero Day', tackles fascinating topics like binary analysis and fuzzing techniques. He highlights the crucial relationship between code interconnectedness and security vulnerabilities. The conversation also delves into dynamic analysis methods and the evolving landscape of IoT security, using unique case studies. Eugene's personal anecdotes and practical insights make the complex world of cybersecurity accessible and exciting for listeners.

Dive into the intriguing world of iframes and discover their hidden significance in web security. Learn about the vulnerabilities they pose and how attackers can exploit them through tactics like clickjacking. The discussion highlights essential attributes of iframes, along with fun facts that might surprise even seasoned security researchers. Join the conversation and uncover strategies for identifying and mitigating these risks in the ever-evolving landscape of cybersecurity.