340 Followers
44 Following
256 Posts
Leaks, leaks everywhere.
Index of my public finds: https://jltee.substack.com/p/the-hub-of-stupi-misconfigs-index

I received an email earlier this week from EA asking if I wanted to be added to a public acknowledgement page they were creating for individuals who responsibly disclosed vulnerabilities to them.

For all the shit people give EA, of the 100+ companies I contacted in the last two years, they were the only company I would say had a decent incident response.

They fixed the issue within 12 hours after validating it as critical, and proactively provided me multiple updates over time.

When the IR was done on their side, they reached out again with some more information about the potential impact if the issue hadn't been solved quickly, and also offered me a reward.

I did not have to keep chasing anyone for updates, I wasn't asked for non-disclosure, or offered money in exchange for it, and people replied instead of ignoring me.

I wasn't blamed for their mistake, either, or reported to the authorities.

Unfortunately, at least one or multiple of the things mentioned above are present in most of my other incidents reported; it's a real shit show out there.

#cybersecurity #infosec #responsibledisclosure #vulnerability #ea #electronicarts

Finishing up and polishing my write-up on that bullshit 16b article, and this gif came to mind.

#cybersecurity #infosec #bullshit #fakenews #cybernews #infostealer

Some wild things I found exposed recently that I am actively trying to close down:

1) 🇺🇸 Criminal defense firm with archived case files exposed (evidence, discovery, court docs, etc.), including crash reports with dead people - Contacted the law firm last week and nothing done.

2) 🇺🇸 Phone extracts for multiple cases that have been on the news, including a cop suicide case and sexual abuse cases - Looking at who to notify about this one; being extra careful, as the file listing suggests illegal stuff gathered as evidence might be exposed on it.

3) 🇳🇿 A database backup with a table that includes someone's diary, with a lot of entries about their sexual life.
This backup also includes ~1,500 logins for a police association in other tables and credentials to multiple companies & websites - Contacted higher-ups in the police association for help identifying who is responsible, but so far no reply.

Just a few more servers to add to the list of dozens of pending cases. Will start escalating contacts until stuff gets fixed.

#cybersecurity #infosec #responsibledisclosure #threatintel #readyouremail

Out of the 68,000 endpoints I've scanned for this service, it seems at least 5,200 of them have been hit (at least 1 file with the .want_to_cry extension).

Likely an automated script just encrypting whatever it can, and it is currently still going. I saw endpoints encrypted less than 24 hours ago (see image).

#cybersecurity #threatintel #infosec #ransomware
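Triaging a scan like the one above comes down to two questions per endpoint: does it hold any file with the ransomware extension, and how recent is the newest one (which is what tells you the script is still running). The following is an added example, not the author's scanner, that works on a constructed tab-separated scan export (endpoint, path, last-modified time); the sample lines, the export format and the 24-hour "still active" window are assumptions for the example.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Marker the scan keys on: files renamed with this suffix after encryption.
# Kept as a tuple so further extensions can be added without touching the logic.
RANSOM_EXTENSIONS = (".want_to_cry",)

# Constructed sample scan export (assumed format, not real data): one line per
# file seen on an endpoint, tab-separated as
#   endpoint <TAB> path <TAB> last-modified (ISO 8601 with offset)
SAMPLE_SCAN = """\
10.0.0.1\t/share/invoices/2024-01.pdf.want_to_cry\t2024-05-01T08:00:00+00:00
10.0.0.1\t/share/invoices/2024-02.pdf.WANT_TO_CRY\t2024-05-01T09:30:00+00:00
10.0.0.2\t/backup/db.sql\t2024-04-20T00:00:00+00:00
10.0.0.3\t/docs/notes_want_to_cry.txt\t2024-05-02T12:00:00+00:00
10.0.0.4\t/media/photo.jpg.want_to_cry\t2024-05-03T18:45:00+00:00
10.0.0.4\t/media/photo2.jpg\t2024-05-03T18:46:00+00:00
"""

# Constructed reference time for the sample run (the scan's "now").
SAMPLE_NOW = datetime(2024, 5, 4, 0, 0, tzinfo=timezone.utc)


def is_encrypted_name(path: str) -> bool:
    """True when the filename ends with a known ransomware extension.

    Only a real trailing extension counts, so 'notes_want_to_cry.txt' is not
    flagged; the comparison is case-insensitive because the suffix may have
    been upper-cased by the encryptor or the filesystem.
    """
    name = path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in RANSOM_EXTENSIONS)


def parse_scan(text: str) -> dict[str, list[tuple[str, datetime]]]:
    """Group scan lines by endpoint; malformed lines are skipped, not fatal."""
    listings: dict[str, list[tuple[str, datetime]]] = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        endpoint, path, stamp = parts
        try:
            mtime = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        listings.setdefault(endpoint, []).append((path, mtime))
    return listings


def triage(
    listings: dict[str, list[tuple[str, datetime]]],
    now: datetime,
    window: timedelta = timedelta(hours=24),
) -> dict[str, dict]:
    """Per endpoint: encrypted-file count, newest encryption time, and whether
    that newest time falls inside the lookback window (script still active)."""
    report: dict[str, dict] = {}
    for endpoint, files in listings.items():
        hits = [mtime for path, mtime in files if is_encrypted_name(path)]
        latest = max(hits) if hits else None
        report[endpoint] = {
            "hit": bool(hits),
            "encrypted_files": len(hits),
            "latest": latest,
            "active_last_window": latest is not None and now - latest <= window,
        }
    return report


def summarize(report: dict[str, dict]) -> dict[str, int]:
    """Headline numbers: endpoints scanned, endpoints hit, endpoints hit recently."""
    return {
        "scanned": len(report),
        "hit": sum(1 for r in report.values() if r["hit"]),
        "active_last_24h": sum(1 for r in report.values() if r["active_last_window"]),
    }


if __name__ == "__main__":
    rep = triage(parse_scan(SAMPLE_SCAN), SAMPLE_NOW)
    for endpoint, row in sorted(rep.items()):
        print(endpoint, row)
    print(summarize(rep))
```

The "active" flag is computed from the newest encrypted file per endpoint rather than from any hit, so an endpoint encrypted days ago by an earlier pass is counted as hit but not as evidence the script is still running; that distinction is what separates "5,200 hit" from "still going".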

The latest ransom note on the server (other notes have been encrypted by the group that came after 😂) claims the company can pay $400 to get their previously encrypted files. Sounds like a great deal to me.

#cybersecurity #threatintel #infosec #ransomware

"How many times has ransomware hit you?"

"Yes"

#cybersecurity #threatintel #infosec #ransomware

A company contacted me to pick a charity in New Zealand to donate $500 to as acknowledgment of the work I and others do on identifying and raising security issues.

I chose https://ihaveadream.org.nz/ and just got confirmation the donation was made.

It's great to know my work managed to contribute to a donation that will help kids through education. ❤️

#cybersecurity #infosec #newzealand #donations #charity #kids

Saw some guy on X who was passing as a security researcher and would just post links to the data when companies didn't reply.
Also discovered, by talking with one of the companies, that he was asking them for money not to leak the data because, according to him, his work isn't free. So I got his account banned; guess he's gotta farm those 10k bots, I mean followers, again 😂

GoHighLevel is an all-in-one platform that was publicly exposing every attachment you might have saved from your contacts.

Not exactly sure when I'll make a detailed post about this one as I'm still trying to get the company to fully fix their stupidity:

2 emails sent, 2 servers on which they disabled listing (but whoever listed them before can still access over 10 million files), 0 replies to my emails or concerns even though I am 100% sure they were read.

#cybersecurity #infosec #gohighlevel #crm #dataleak #leak

Bug bounty program tips to avoid accountability:

Create a form on your website to report vulnerabilities and make it so every report is instantly added to a "private" non-disclosure program on Bugcrowd.

Now if the researcher wants to disclose anything you don't want them to, they'll have to risk getting banned.

Hint: I don't care at all about the account I created just to help AFTER I reported it. My post will come later this week 😂

#cybersecurity #infosec #scambounty #bugbounty #nondisclosure