appsec.fyi · Sources

the420.in

6 curated AppSec resources from the420.in across 4 topics on appsec.fyi.

the420.in

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-20.

Date Added Resource Excerpt
2026-06-20 2026Mass Exploitation of Gravity SMTP Plugin Exposes Enterprise API Keys GloballyAPI SecTool for mass exploitation of Gravity SMTP plugin, registered as CVE-2026-4020, which leaks enterprise API keys globally. The vulnerability arises from an unauthenticated API endpoint that unconditionally returns "true" for permission checks, allowing attackers to retrieve detailed server configurations including web server versions, document roots, and active extensions. This high-fidelity reconnaissance data, alongside exposed API credentials for services like AWS, Google, Mailjet, and Zoho, facilitates targeted attacks and the weaponization of trusted email supply chains.
2026-06-15 2026124 Days To Fix Out Of Scope Bug: AMD Faces Backlash From Cyber CommunityBug BountyWriteup detailing a vulnerability in AMD's software updater, where insecure HTTP download links and weak verification mechanisms could allow for man-in-the-middle attacks and remote code execution. The researcher, MrBruh, reported the flaw to AMD via Intigriti, but it was initially deemed out of scope, leading to a 124-day embargo before a patch was released. The incident also sparked backlash due to AMD's retroactive changes to its bug bounty program, imposing strict disclosure restrictions and potentially discouraging responsible vulnerability reporting.
2026-06-12 2026Researcher Brutecat Uses Claude AI To Crack Google API SecurityAPI SecWriteup detailing how Claude AI assisted a researcher in discovering over 20 critical vulnerabilities across 1,500 Google APIs and internal systems, earning over $500,000 in bug bounty rewards. The process involved analyzing Google's API discovery documents, extracting thousands of API keys from Android and iOS applications, and leveraging AI for automated audits of access-control weaknesses. Vulnerabilities affected services like Google Voice, Fiber, YouTube, advertising platforms, and Vertex AI Search, with some enabling unauthorized access to sensitive user data and account control.
2026-06-08 2026Microsoft Threat Intelligence Exposes Prompt Injection Flaw In Anthropic Claude Code ActionAPI SecLibrary for securing AI coding agents, this entry details a prompt injection vulnerability discovered by Microsoft in Anthropic's Claude Code GitHub Action. The flaw allowed attackers to steal sensitive credentials and access tokens by embedding malicious instructions within issues, leading the AI agent to read restricted runner files like `/proc/self/environ`. Anthropic patched the vulnerability by reinforcing sandboxing around the Read tool and blocking access to sensitive procfs files.
2026-04-12 2026Could Sock Puppeting Be the New Trick Jailbreaking Major LLMs?AITechnique for jailbreaking LLMs using "sockpuppeting" exploits assistant prefill APIs across major models like Gemini 2.5 Flash and GPT-4o-mini. This method injects a fake acceptance message into the assistant's role, forcing models to bypass safety guardrails and generate prohibited content, including malicious exploit code and system prompts. Providers like OpenAI and AWS Bedrock mitigate this by blocking assistant prefills entirely, while platforms like Google Vertex AI are susceptible due to differing message handling. Security teams are advised to incorporate this vulnerability into AI red-teaming and implement API-layer message ordering validation.
2026-04-02 2026Agentic OSINT: The Next Evolution Of Intelligence GatheringOSINTWalkthrough of Agentic OSINT, an evolution in intelligence gathering where goal-driven AI agents autonomously plan, execute, adapt, and collaborate to achieve specific intelligence objectives. This paradigm shift, contrasting with traditional Generative AI's pattern identification, multiplies analytical capabilities by orchestrating multiple agents for tasks like data collection, verification, and threat mapping, enabling proactive, mission-oriented workflows for cybersecurity professionals.