#insomnihack — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #insomnihack, aggregated by home.social.
-
Spent the night at Insomni'hack and had a blast — huge thanks to the organisers for putting together such a great event. Awesome challs and a seriously solid setup. @1ns0mn1h4ck
#insomnihack #insomnihack2026 #CTF #OCD #OrangeCyberDefense #CTFTime
-
Spent the night at Insomni'hack and had a blast — huge thanks to the organisers for putting together such a great event. Awesome challs and a seriously solid setup. @1ns0mn1h4ck
#insomnihack #insomnihack2026 #CTF #OCD #OrangeCyberDefense #CTFTime
-
Spent the night at Insomni'hack and had a blast — huge thanks to the organisers for putting together such a great event. Awesome challs and a seriously solid setup. @1ns0mn1h4ck
#insomnihack #insomnihack2026 #CTF #OCD #OrangeCyberDefense #CTFTime
-
Spent the night at Insomni'hack and had a blast — huge thanks to the organisers for putting together such a great event. Awesome challs and a seriously solid setup. @1ns0mn1h4ck
#insomnihack #insomnihack2026 #CTF #OCD #OrangeCyberDefense #CTFTime
-
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this..
- We just told them which company to look up, no verification at all.
- Bringing a demo laptop logged in to a "full admin" account that can see all data that they have access to, to a conference stand
- Storing a screenshot of a personal machine from an employee is absolutely not okay.
- and so much more...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, i sent a GDPR request for my data (and subsequent deletion), let's see what happens.
#infosec #insomnihack #privacy
ETA: to be clear, this wasn't a one off demo, they do this demo for everyone that walks up to their stand, and we have strong reasons to believe that the cleartext passwords that they show anyone that asks are real passwords and not demo data.
-
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this..
- We just told them which company to look up, no verification at all.
- Bringing a demo laptop logged in to a "full admin" account that can see all data that they have access to, to a conference stand
- Storing a screenshot of a personal machine from an employee is absolutely not okay.
- and so much more...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, i sent a GDPR request for my data (and subsequent deletion), let's see what happens.
#infosec #insomnihack #privacy
ETA: to be clear, this wasn't a one off demo, they do this demo for everyone that walks up to their stand, and we have strong reasons to believe that the cleartext passwords that they show anyone that asks are real passwords and not demo data.
-
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this..
- We just told them which company to look up, no verification at all.
- Bringing a demo laptop logged in to a "full admin" account that can see all data that they have access to, to a conference stand
- Storing a screenshot of a personal machine from an employee is absolutely not okay.
- and so much more...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, i sent a GDPR request for my data (and subsequent deletion), let's see what happens.
#infosec #insomnihack #privacy
ETA: to be clear, this wasn't a one off demo, they do this demo for everyone that walks up to their stand, and we have strong reasons to believe that the cleartext passwords that they show anyone that asks are real passwords and not demo data.
-
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this..
- We just told them which company to look up, no verification at all.
- Bringing a demo laptop logged in to a "full admin" account that can see all data that they have access to, to a conference stand
- Storing a screenshot of a personal machine from an employee is absolutely not okay.
- and so much more...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, i sent a GDPR request for my data (and subsequent deletion), let's see what happens.
#infosec #insomnihack #privacy
ETA: to be clear, this wasn't a one off demo, they do this demo for everyone that walks up to their stand, and we have strong reasons to believe that the cleartext passwords that they show anyone that asks are real passwords and not demo data.
-
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this..
- We just told them which company to look up, no verification at all.
- Bringing a demo laptop logged in to a "full admin" account that can see all data that they have access to, to a conference stand
- Storing a screenshot of a personal machine from an employee is absolutely not okay.
- and so much more...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, i sent a GDPR request for my data (and subsequent deletion), let's see what happens.
#infosec #insomnihack #privacy
ETA: to be clear, this wasn't a one off demo, they do this demo for everyone that walks up to their stand, and we have strong reasons to believe that the cleartext passwords that they show anyone that asks are real passwords and not demo data.
-
Attending #Insomnihack this week? Don't miss our researcher @pspaul breaking down various unsafe patterns attackers can abuse to compromise your GitHub Actions workflows!
-
Attending #Insomnihack this week? Don't miss our researcher @pspaul breaking down various unsafe patterns attackers can abuse to compromise your GitHub Actions workflows!
-
Attending #Insomnihack this week? Don't miss our researcher @pspaul breaking down various unsafe patterns attackers can abuse to compromise your GitHub Actions workflows!
-
Attending #Insomnihack this week? Don't miss our researcher @pspaul breaking down various unsafe patterns attackers can abuse to compromise your GitHub Actions workflows!
-
Attending #Insomnihack this week? Don't miss our researcher @pspaul breaking down various unsafe patterns attackers can abuse to compromise your GitHub Actions workflows!
-
We saw some supply-chain attacks on Linux distrubtions during #insomnihack. There an attacker would've been able to insert random code into packages. Now it seems to be the same for Fedora:
Which makes me wonder why they went through all that trouble with the XZ Utils backdoor (https://en.wikipedia.org/wiki/XZ_Utils_backdoor)? The frontdoor seems to be wide open!
-
Get ready for the CTF (https://insomnihack.ch/contest/) #insomnihack
@1ns0mn1h4ck -
An interesting fact from the first talk at #insomnihack
-
#insomnihack 2025 - keynote from Mathias Payer. I always like if a researcher presents a slide like this in 30 seconds by going over it "something, something, something" :)
But as always very interesting and eye-opening what kind of (non-)security we're relying on daily.
-
Almost found an XSS, but a sanitizer got in your way? Check out our talk at #Insomnihack today!
We explain mutation-based XSS (mXSS), an advanced technique that can bypass sanitizers, along with real-world vulnerabilities and exploits.
-
How can an attacker take over your whole network using only your SSH public key 🔑?
If you are at #Insomnihack this week: Come find out in our talk about hacking the open-source bastion host JumpServer.