I've seen a TON of ways to fuck up Docker/OCI image builds and leak build context, secrets, etc. but I just reported one to a vendor that I've never seen before: they leaked a GitHub PAT through the build _provenance attestation_ and they'd been leaking multiple tokens for a few years (!). Wild.
September 6, 2025 at 8:28 PM
Aaaaand Firebase claims another one. The misconfig rate for Firebase/appspot buckets and Firestore DBs has gotta be one of the worst for a "turnkey" system.
New from 404 Media: viral women's dating safety app Tea breached. 4chan taking people's uploaded photos, used to verify it's a women-only app. App recently hit no. 1 in App Store. “DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!” www.404media.co/women-dating...
Today I'm publishing my writeup about a number of security issues I reported last September to Zigazoo, the self-described "World's Largest Social Network for Kids!".
Impact included access to all user records, uploaded media (including deleted items), account escalation, and user impersonation.