Seclog - #141

Rosecurify

📚 SecMisc

  • InfoconDB Security Information Database – InfoconDB is a database and resource for security information and conference data. Explore

  • Bypassing CSP with JSONP Exploits – Introducing JSONPeek and CSP B Gone tools to bypass Content Security Policies using JSONP endpoints, demonstrating a novel exploitation technique. Read More

  • Zendesk Android App Mass Account Takeover – Details a 0-click exploit granting access to all Zendesk tickets via the Android app, a critical account takeover vulnerability. Read More

  • Malicious ghrc.io Domain Analysis – Investigation reveals the ghrc.io domain appears to be malicious, posing a potential supply chain threat to developers. Read More

  • Apple DNG Vulnerability and Threat Detection – Deep dive into CVE-2025-43300's DNG processing flaw and detecting the ELEGANTBOUNCER threat without samples, highlighting advanced forensic techniques. msuiche.com

  • AI-Powered Ransomware Proof-of-Concept Emerges – First spotted AI-powered ransomware PoC uses automated targeting and negotiation, marking a new evolution in cyber threats. Read More

  • Microsoft Partner Leak Exposes Employee PII – A leak from a Microsoft partner exposed employee PII and over 700 million partner records, a massive data exposure. Read More

  • Vtenext 25.02 Multiple RCE Paths – Analysis reveals a three-way path to remote code execution in Vtenext 25.02, a critical software vulnerability. Read More

  • s1ngularity Supply Chain Attack on GitHub – The s1ngularity attack leaked secrets on GitHub, a significant supply chain incident affecting numerous projects. Read More

  • PyPI Prevents Domain Resurrection Attacks – The Python Package Index implements measures for preventing domain resurrection attacks, enhancing ecosystem security. Read More

  • RubyGems.org OSS Infrastructure Protection – How RubyGems.org protects critical open-source infrastructure, detailing their security response and community safeguards. Read More

  • Hunting postMessage Vulnerabilities Guide – First part of a guide on hunting postMessage vulnerabilities, a common client-side attack vector. Read More

  • How to Rob a Hotel Physical Pentest – A story and analysis from a physical penetration test, illustrating how to rob a hotel. Read More

  • SANS Notes Increase in ZIP File Searches – The SANS Internet Storm Center diaries note an increase in searches for ZIP files, a potential malware distribution trend. Read More

  • Claude Code WebSocket Auth Bypass – CVE-2025-52882 details a WebSocket authentication bypass in Claude Code extensions, a critical MCP vulnerability. Read More

  • Anthropic Detects and Counters AI Misuse – August 2025 update on detecting and countering misuse of AI, outlining new threats and mitigation strategies from Anthropic. Read More

  • Agentic Browser Indirect Prompt Injection – Investigates Agentic Browser Security vulnerabilities, specifically indirect prompt injection in Perplexity Comet. This highlights how AI agents can be manipulated through external content. Read More

  • Perplexity Comet Indirect Prompt Injection – Brave Security Labs discusses Agentic Browser Security, focusing on indirect prompt injection in Perplexity Comet. This vulnerability allows for manipulation of AI agents via embedded content. Read More

๐Ÿฆ SecX

  • Chrome Logic Sandbox Escape $250k Bounty โ€“ Bug spotlight on a Chrome Ipcz cross-process handle spoofing issue, a severe sandbox escape earning a $250,000 bounty. Watch Here

  • PromptLock Ransomware Uses Lua Scripts โ€“ ESET Research details how PromptLock leverages cross-platform Lua scripts to enumerate, exfiltrate, and encrypt data on Windows, Linux, and macOS. Watch Here

  • Novel LLM System Prompt Insertion Jailbreak โ€“ A novel jailbreak using prompt insertion, not injection, into the actual system prompt, making defenses nearly impossible. Watch Here

  • YubiKey OATH App as File Storage โ€“ The YubiKey OATH app allows naming accounts with base64, turning it into a tiny covert file storage for red teams. Watch Here

๐ŸŽฅ SecVideo

  • Hacking Google to Delete Search Results โ€“ A video demonstrating a method for hacking Google to delete ANY search result, a significant SEO and reputation manipulation vulnerability. Watch Here

๐Ÿ’ป SecGit

  • Exotic XSS Techniques Repository โ€“ A GitHub repository dedicated to exotic XSS techniques, a resource for advanced web application security testing. Explore on GitHub

  • Phishing Template Workbench on GitHub โ€“ The phishingclub/templates repo provides a phishing template workbench for security testing and awareness simulations. Explore on GitHub

  • CVE-2025-57752 GitHub Advisory โ€“ GitHub Advisory for CVE-2025-57752, detailing a specific security vulnerability and its patches. Explore on GitHub

  • Inline Style Exfiltration Research โ€“ PortSwigger research on leaking data with chained CSS conditionals, a novel inline style exfiltration technique. Explore on GitHub

  • Phrack CTF Binary Exploitation Challenge โ€“ The chompie1337/PhrackCTF repo contains a binary exploitation challenge from Phrack CTF. Explore on GitHub

  • Legba Multiprotocol Credentials Bruteforcer โ€“ The evilsocket/legba tool is a fast multiprotocol credentials bruteforcer, password sprayer, and enumerator. Explore on GitHub

  • ChatGPT Dan Jailbreak Gist โ€“ A gist containing the ChatGPT-Dan-Jailbreak, a known method for bypassing AI content restrictions. Explore on GitHub

For suggestions and any feedback, please contact: securify@rosecurify.com
