Oneironaut

@Oneironaut@infosec.exchange
13 Followers
106 Following
1.4K Posts
GRC advocate. Cyber adjacent. Celine Dion fan
FortiWeb Pre-Auth RCE (CVE-2025-25257)

Hey! And welcome to another THEY BURNED MY BUG episode. This time, we introduce CVE-2025-25257, an SQLi that I spotted back in Feb.

"in case someone burns them before I get my bragging rights
8157d42995395ba0c0cfccce37b934ebb63d3d5740ba43eda7fa853f389bca2a8fc4ca6426ae50c7673326eacb6644a8b361ad1051138d04cbd9da8b807a0973"
— faulty *ptrrr (@0x_shaq) February 9, 2025

This is a pre-auth SQLi bug that can be leveraged to an RCE in FortiWeb.

( ͡◕ _ ͡◕)👌

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

@neurovagrant it can put them back too, right?

Belkin WEMO to shut down cloud operations and cripple WEMO IoT devices in January 2026

https://www.belkin.com/support-article/?articleNum=335419

Belkin Official Support - Wemo Support Ending – What You Need to Know


How's that AI coding going for you? Ah... I see.

Wired: McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

"... Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities—including guessing one laughably weak password—allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers...."

https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/

#ai #cybersecurity #llm

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

I just saw copilot leave "[nitpick]..." PR comments. Given that these things just reflect a probabilistic sample of our own writing back at us, I am even more convinced that programmers are bad at using programming tools. And that this is in large part driven by the need and desire to perform constant displays of dominance.

So vast swathes of projects just never set up linters or style guides. Because they don't know how. And because they don't want to learn. Because it would reduce their opportunity to make "[nitpick]..." comments on other people's PRs. And thus, so does copilot

New from 404 Media: the open-source piece of software saving the internet from AI bot scrapers. Anubis has been downloaded almost 200,000 times. We spoke to the creator: https://www.404media.co/the-open-source-software-saving-the-internet-from-ai-bot-scrapers/

The Open-Source Software Saving the Internet From AI Bot Scrapers

Anubis, which blocks AI scrapers from scraping websites to death, has been downloaded almost 200,000 times.

Are you still on #Spotify?

Spotify’s CEO Daniel Ek has raised €600M for his new startup, which is developing AI TECH FOR WAR. Ek still owns 9% of Spotify, but has 37% voting control. His net worth went from $2.5B to $10B in the last two years alone, on the back of paying musicians a pittance in royalties.

And don’t forget:

• Spotify spent $250M of your subscription dollars to invite Joe Rogan to spew his disinformation on their platform.
• They’re still trying to embrace and extinguish Podcasts.
• They’re developing in-house, AI-generated “music” so users will play them (royalty-free) instead of music created by humans (who demand royalties).

And now, he’s using his wealth, created by your subscriptions, to fund tech that will use AI to literally murder humans in war.

Stop funding him. Quit Spotify now.

#QuitSpotify #music #ai #militaryTech #techbro

“Spotify’s CEO invests $1 billion into an AI military start-up — and musicians are fuming”

https://www.news.com.au/finance/work/leaders/spotifys-ceo-invests-1-billion-into-an-ai-military-startup-and-musicians-are-fuming/news-story/78805666e2374281801622066dc87319

Guest Post: How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets ◆ Truffle Security Co.

GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents.
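The mechanism the excerpt describes, force-pushed history surviving in GitHub Archive as "zero-commit" PushEvents, as a runnable illustration. This is an added example, not Truffle Security's scanner or the guest post's own code. It assumes the public GH Archive event shape (`type`, `repo.name`, `payload.before`/`head`/`size`/`commits`), treats the overwritten `before` SHA of a zero-commit push as the commit to inspect (an assumption about where the discarded content lives), and relies on github.com's `/commit/<sha>.patch` URL convention. The events, repositories, SHAs and patch below are all constructed; the AWS access key ID is Amazon's documented placeholder value.

```python
"""Find force-push "zero-commit" PushEvents in GH Archive lines, then scan a patch.

Added example, not Truffle Security's tool. Assumptions: GH Archive's public
event shape (type, repo.name, payload.before/head/size/commits) and that the
`before` SHA of a zero-commit push is the overwritten tip worth inspecting.
"""
import json
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
NULL_SHA = "0" * 40
# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Constructed sample SHAs and events (not real repositories or commits).
OLD_HEAD = "3f8c1d2e9b4a5c6d7e8f9a0b1c2d3e4f5a6b7c8d"
OOPS_HEAD = "9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b"
REWRITTEN_HEAD = "c0ffee0123456789abcdef0123456789abcdef01"


def _push(repo, before, head, commits):
    """Build one PushEvent line in the GH Archive shape (constructed data)."""
    return json.dumps({"type": "PushEvent", "repo": {"name": repo},
                       "payload": {"ref": "refs/heads/main", "size": len(commits),
                                   "before": before, "head": head,
                                   "commits": commits}})


SAMPLE_EVENTS = "\n".join([
    # ordinary push: the commit that (hypothetically) added a secret
    _push("example-org/api-server", OLD_HEAD, OOPS_HEAD,
          [{"sha": OOPS_HEAD, "message": "add aws config"}]),
    # force push that rewrote main: no commits listed, `before` is the discarded tip
    _push("example-org/api-server", OOPS_HEAD, REWRITTEN_HEAD, []),
    # the same event a second time, to exercise de-duplication
    _push("example-org/api-server", OOPS_HEAD, REWRITTEN_HEAD, []),
    # unrelated event type
    json.dumps({"type": "WatchEvent", "repo": {"name": "someone/lib"},
                "payload": {"action": "started"}}),
    # zero-commit push with no usable `before`: nothing to fetch
    json.dumps({"type": "PushEvent", "repo": {"name": "someone/lib"},
                "payload": {"ref": "refs/heads/main", "size": 0, "commits": []}}),
    "not json at all",  # truncated/corrupt line
])

# Constructed unified diff standing in for what <patch_url> would return.
CONSTRUCTED_PATCH = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "us-east-1"
"""


def zero_commit_pushes(lines):
    """Return one record per PushEvent whose commit list is empty.

    Corrupt lines, other event types, pushes that list commits, and events
    without a fetchable `before` SHA are skipped; duplicates are collapsed.
    """
    seen = set()
    out = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip a bad line rather than abort the whole dump
        if ev.get("type") != "PushEvent":
            continue
        payload = ev.get("payload") or {}
        if payload.get("commits") or payload.get("size", 0) != 0:
            continue  # ordinary push, commits are present
        before = payload.get("before", "")
        if not SHA_RE.match(before) or before == NULL_SHA:
            continue
        repo = (ev.get("repo") or {}).get("name")
        if not repo or (repo, before) in seen:
            continue
        seen.add((repo, before))
        out.append({
            "repo": repo,
            "ref": payload.get("ref"),
            "before": before,
            "head": payload.get("head"),
            # github.com serves a commit's raw diff at /commit/<sha>.patch
            "patch_url": f"https://github.com/{repo}/commit/{before}.patch",
        })
    return out


def aws_key_ids_in_added_lines(patch_text):
    """Return AWS access key IDs found on '+' lines of a unified diff."""
    found = []
    for line in patch_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            found.extend(AWS_KEY_ID_RE.findall(line))
    return found


if __name__ == "__main__":
    for rec in zero_commit_pushes(SAMPLE_EVENTS.splitlines()):
        print(rec["repo"], rec["ref"], rec["before"], rec["patch_url"])
    print(aws_key_ids_in_added_lines(CONSTRUCTED_PATCH))
```

Real GH Archive dumps are hourly gzip files with one event per line; feeding each decompressed line to zero_commit_pushes and fetching the resulting patch_url before scanning reproduces the pipeline the post sketches, minus rate limiting and the broader secret detectors a real scanner would carry.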

Flock Safety has built a system where ICE can access local police data via informal backchannels and abortion seekers can be tracked under the guise of “missing persons.” And they’re continuing to expand it. https://www.eff.org/deeplinks/2025/06/flock-safetys-feature-updates-cannot-make-automated-license-plate-readers-safe

Flock Safety’s Feature Updates Cannot Make Automated License Plate Readers Safe

Two recent statements from the surveillance company—one addressing Illinois privacy violations and another defending the company's national surveillance network—reveal a troubling pattern: when confronted by evidence of widespread abuse, Flock Safety has blamed users, downplayed harms, and doubled...

@Natasha_Jay Oops I accidentally filled this out. It would be a shame if it happened again....