BobDaHacker 🏳️‍⚧️

340 Followers
40 Following
33 Posts

Can we hack it?? Yes we can!!! 😎😎😎

Hey, I'm BobDaHacker, an ethical hacker 🤓

Thx 4 coming to my ted talk

Website: https://bobdahacker.com
Pronouns: She/They
TIL: the #39c3 DECT network also covers at least part of the Radisson hotel. I was just woken up by a call from someone to my DECT.
Have to switch it off next night.
Well, not much harm done, my alarm would have woken me up soon anyway for my Angel shift at 04:00 in the Cloakroom Lost and Found.

Call me on my DECT Phone, late-night when you need my love:

24630
24630
24630
24630

#39c3 #hamburg

I'm at 39C3, you can call me at 24630

Ok
#39C3 #ccc #gay #cybersecurity #germany #hamburg #likeandshare #penis

🐱 New Blog Post: Petlibro Smart Pet Feeder Vulnerabilities (Partially Fixed, $500)

Found critical vulns in Petlibro - one of the biggest smart pet feeder companies:

  • Auth bypass via broken OAuth - just need Google ID (public info via Google APIs) to log in as anyone
  • Access any pet's data, devices, serial numbers, MAC addresses
  • Hijack any device - change feeding schedules, access cameras
  • Access private audio recordings (mealtime messages to pets)
  • Add yourself as shared owner to any device

The worst part? They "fixed" the auth bypass by making a new endpoint... but left the old vulnerable one active for "legacy compatibility." Two months later, still working.

Also tried to get me to sign an NDA AFTER paying the bounty. That's not how contracts work.

Full writeup: https://bobdahacker.com/blog/petlibro

#InfoSec #BugBounty #ResponsibleDisclosure #IoT #Petlibro #Security #Privacy #CyberSecurity #SmartHome #OAuth

Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks

How I found critical vulnerabilities in Petlibro smart pet feeders allowing complete account takeover via broken OAuth, access to anyone's pet data, device hijacking, and private audio recordings - and how they're still leaving the auth bypass active for 'legacy compatibility' two months later.

🎵 New Blog Post: Bandsintown Verification Bypass (Fixed, $200 + Swag)

Found a way to claim any unclaimed artist page on Bandsintown without verification:

  • Discovered API endpoint from requesting to join Bieber's team
  • Used same endpoint on Rick Astley (unclaimed) - bypassed all OAuth/social verification
  • Got full access to 191k followers, their emails, names, locations
  • Could send push notifications and post as any unclaimed artist (including diddy xd)

I could have rickrolled 191k people for real. I did not.

Bandsintown handled it well - fast fix, honest about bounty limitations, shipped me swag.

Also found a new bypass while writing this - currently disclosing responsibly.

Full writeup: https://bobdahacker.com/blog/bandsintown

#InfoSec #BugBounty #ResponsibleDisclosure #Bandsintown #Security #Privacy #CyberSecurity #RickAstley #APISecurity #Music

Bandsintown: How I Almost Rickrolled 191k People

How I found a verification bypass in Bandsintown that let anyone claim unclaimed artist pages with a single API call - including Rick Astley's 191k followers, their emails, and the ability to send push notifications as any artist.

🔓 Found critical vulns in Taimi (LGBTQ+ dating app) - all fixed, $10k bounty

What I found:

  • "Expiring" videos didn't expire, URLs stayed valid forever
  • Decrement attachment ID = anyone's private videos
  • Location feature bypassed photo permission checks (why upload a map preview image through the photo system??)
  • Fake system messages (made a Raid Shadow Legends sponsorship lol)

The good news: Taimi actually handled this right. Fast response, $10k bounty, everything fixed quickly. No lawyers, no threats.

This is how disclosure should work. Take notes, Lovense.

Full writeup: https://bobdahacker.com/blog/taimi-idor

#InfoSec #BugBounty #ResponsibleDisclosure #IDOR #Taimi #DatingApp #Security #Privacy #CyberSecurity #LGBTQ

Taimi: Finding Everyone's Private Photos Was Easy, But So Was Getting Paid

How I found critical IDOR vulnerabilities in Taimi that exposed

Apparently tons of people registered accounts on tons of platforms with [email protected]

Not knowing that .you would come to exist in 2025.

Lmfao

#CyberSecurity #InfoSec #domains #subdomain #programming #ProgrammerHumour #Privacy

i hate you

i hate you so much that i made this just for you ❤️

@cR0w how do you have -1 followers

RE: https://infosec.exchange/@cR0w/115265136537348697

Looks like this is resurfacing. Happy to see it getting more coverage.