home > posts
  • March 23, 2025
    HD Moore
    @hdm

    Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps.

    Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.

    You can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/

    ↪ reply
  • March 22, 2025
    HD Moore
    @hdm

    Good morning from Bootstrap`25[1] in Austin, Texas! Haroon Meer kicks us off with "Security Products Don't Have To Suck", which makes many great points, but among those that most security industry "awards" are hot garbage play-to-win trophies, run by the same marketing agencies under a dozen aliases (but often the same Google Analytics ID):

    1. https://cfp.ringzer0.training/ringzer0-bootstrap25-austin/

    ↪ reply
  • March 18, 2025
    HD Moore
    @hdm

    Pat Gray, Founder of Risky Business, Joins Decibel as Founder Advisor. Great interview at
    https://www.decibel.vc/articles/pat-gray-founder-of-risky-business-joins-decibel-as-founder-advisor

    ↪ reply
  • March 15, 2025
    HD Moore
    @hdm

    Texas hacker-people - Ringzer0's BOOTSTRAP25 conference is in Austin, Texas one week from today (Friday night mixer, Saturday day conference)! Mixer tickets are $70, full-day conference pass for Saturday (including workshops) is $249. It should be an amazing event and I hope to see you there!

    Registration @ https://ringzer0.regfox.com/bootstrap25-austin
    Schedule @ https://cfp.ringzer0.training/ringzer0-bootstrap25-austin/schedule/

    ↪ reply
  • March 15, 2025
    HD Moore
    @hdm

    The worst part of the Unciphered story isn't that accused-rapist Morgan Marquis-Boire was a co-founder and only his alias "Frank Davidson" was known to employees; it is that Eric Michaud co-founded the company with him and conspired to keep the team from knowing about it. Infosec has its pariahs for a reason (Cap'n Crunch, Jacob Applebaum, Morgan Marquis-Boire, and to a lesser degree Christopher Hadnagy): https://archive.ph/IQ7SK

    ↪ reply
  • March 10, 2025
    HD Moore
    @hdm

    The Tarlogic claim of backdoor functions in the ESP32 Bluetooth firmware seems overblown. The features they identified require privileged code execution and are helpful for improving open source software for these devices.

    Useful resources:

    - https://darkmentor.com/blog/esp32_non-backdoor/
    - https://x.com/naehrdine/status/1898703255883886909
    - https://esp32-open-mac.be/ (WiFi, not BT, but similar work)

    ↪ reply
  • February 25, 2025
    HD Moore
    @hdm

    Hanno Böck (of badkeys.info among other projects) posted an interesting article about OpenID Connect implementations that mix up their public and private keys: https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html

    ↪ reply
  • February 23, 2025
    HD Moore
    @hdm

    It doesn't look like Chris Hadnagy's lawsuit against DEF CON is going well: https://www.reddit.com/r/Defcon/comments/1ivo7x0/hadnagy_vs_defcon_et_al_motion_for_summary

    >Hadnagy complains that Def Con’s statements harmed his reputation. But a person earns their reputation, good or bad, through their actions.

    ↪ reply
  • February 20, 2025
    HD Moore
    @hdm

    Congratulations to Charles Blas for winning the runZero hacktop raffle at CruiseCon 2025! This is a GPD Pocket 3 running Ubuntu Mate, preloaded with a fully licensed, offline version of the runZero Platform. You can find pictures and Charle's take at: https://www.linkedin.com/posts/charlesblas_cruisecon2025-activity-7298351951610552320-TD4m/

    ↪ reply
  • February 19, 2025
    HD Moore
    @hdm

    runZero Hour - Episode 15 is LIVE now on YT: https://www.youtube.com/watch?v=BF5G_lGkNzo

    ↪ reply
  • << View newer posts View older posts >>

Copyright 1998-2025 HD Moore