rss.ricterz.me

HackerOne Hacker Activity

Latest posts

Last updated about 4 hours ago

Rocket.Chat: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check

about 4 hours ago

Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)

2 days ago

Node.js: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset

2 days ago

Nextcloud: Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)

4 days ago

curl: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect — url_set_data_creds uses scheme-blind comparator

5 days ago

curl: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write

5 days ago

CoinMate.io: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

5 days ago

CoinMate.io: HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API

5 days ago

curl: HTTP/2 proxy CONNECT tunnel unbounded 1xx chain (missing Curl_bump_headersize cap in cf-h2-proxy.c)

6 days ago

curl: CURLOPT_PROXY_CAINFO_BLOB silently activates native CA store on Apple builds

6 days ago

curl: TLS peer-verification bypass via mid-transfer ssl_config mutation

6 days ago

curl: TLS verifyhost bypass in rustls, mbedTLS, and wolfSSL when verifypeer=0

6 days ago
