the420.in
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-20.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-06-20 2026 | Mass Exploitation of Gravity SMTP Plugin Exposes Enterprise API Keys GloballyAPI Sec | Tool for mass exploitation of Gravity SMTP plugin, registered as CVE-2026-4020, which leaks enterprise API keys globally. The vulnerability arises from an unauthenticated API endpoint that unconditionally returns "true" for permission checks, allowing attackers to retrieve detailed server configurations including web server versions, document roots, and active extensions. This high-fidelity reconnaissance data, alongside exposed API credentials for services like AWS, Google, Mailjet, and Zoho, facilitates targeted attacks and the weaponization of trusted email supply chains. |
| 2026-06-15 2026 | 124 Days To Fix Out Of Scope Bug: AMD Faces Backlash From Cyber CommunityBug Bounty | Writeup detailing a vulnerability in AMD's software updater, where insecure HTTP download links and weak verification mechanisms could allow for man-in-the-middle attacks and remote code execution. The researcher, MrBruh, reported the flaw to AMD via Intigriti, but it was initially deemed out of scope, leading to a 124-day embargo before a patch was released. The incident also sparked backlash due to AMD's retroactive changes to its bug bounty program, imposing strict disclosure restrictions and potentially discouraging responsible vulnerability reporting. |
| 2026-06-12 2026 | Researcher Brutecat Uses Claude AI To Crack Google API SecurityAPI Sec | Writeup detailing how Claude AI assisted a researcher in discovering over 20 critical vulnerabilities across 1,500 Google APIs and internal systems, earning over $500,000 in bug bounty rewards. The process involved analyzing Google's API discovery documents, extracting thousands of API keys from Android and iOS applications, and leveraging AI for automated audits of access-control weaknesses. Vulnerabilities affected services like Google Voice, Fiber, YouTube, advertising platforms, and Vertex AI Search, with some enabling unauthorized access to sensitive user data and account control. |
| 2026-06-08 2026 | Microsoft Threat Intelligence Exposes Prompt Injection Flaw In Anthropic Claude Code ActionAPI Sec | Library for securing AI coding agents, this entry details a prompt injection vulnerability discovered by Microsoft in Anthropic's Claude Code GitHub Action. The flaw allowed attackers to steal sensitive credentials and access tokens by embedding malicious instructions within issues, leading the AI agent to read restricted runner files like `/proc/self/environ`. Anthropic patched the vulnerability by reinforcing sandboxing around the Read tool and blocking access to sensitive procfs files. |
| 2026-04-12 2026 | Could Sock Puppeting Be the New Trick Jailbreaking Major LLMs?AI | Technique for jailbreaking LLMs using "sockpuppeting" exploits assistant prefill APIs across major models like Gemini 2.5 Flash and GPT-4o-mini. This method injects a fake acceptance message into the assistant's role, forcing models to bypass safety guardrails and generate prohibited content, including malicious exploit code and system prompts. Providers like OpenAI and AWS Bedrock mitigate this by blocking assistant prefills entirely, while platforms like Google Vertex AI are susceptible due to differing message handling. Security teams are advised to incorporate this vulnerability into AI red-teaming and implement API-layer message ordering validation. |
| 2026-04-02 2026 | Agentic OSINT: The Next Evolution Of Intelligence GatheringOSINT | Walkthrough of Agentic OSINT, an evolution in intelligence gathering where goal-driven AI agents autonomously plan, execute, adapt, and collaborate to achieve specific intelligence objectives. This paradigm shift, contrasting with traditional Generative AI's pattern identification, multiplies analytical capabilities by orchestrating multiple agents for tasks like data collection, verification, and threat mapping, enabling proactive, mission-oriented workflows for cybersecurity professionals. |