In this week's Seclog, the landscape of cybersecurity reveals a diverse set of challenges, ranging from sophisticated web application bypasses to the burgeoning risks associated with Artificial Intelligence. We see discussions on novel web exploitation techniques, such as CRLF injection leading to CSP bypass and SSRF vulnerabilities in widely used platforms, alongside critical cloud privilege escalation paths. A significant theme emerges around AI, with reports of vulnerable code generation by LLMs causing multi-million dollar losses, concerns about identity surveillance involving major AI players, and the rapid market impact of AI-related announcements on cybersecurity stocks. Furthermore, traditional hacking wisdom, trade secret theft, and the practicalities of breaking free from dominant tech ecosystems highlight ongoing struggles for privacy and digital independence, while official threat intelligence frameworks aim to standardize defense.

SecMisc #

Detaching from Big Tech Ecosystems - archive.md

Addresses the motivations and difficulties individuals face when attempting to reduce their reliance on major technology companies like Google, Apple, and Microsoft. Highlights concerns over advertising, data privacy, and conflicting values as key drivers for seeking alternatives.

GrapheneOS: Google/Apple Ecosystem Alternative - blog.tomaszdunia.pl

Shares a personal account of transitioning from a deeply integrated Apple ecosystem to GrapheneOS, emphasizing the pursuit of enhanced privacy and autonomy from major tech manufacturers. Explores the comprehensive shift across devices and services to achieve digital independence.

PagedOut Security Journal Release - pagedout.institute

References PagedOut, a publication dedicated to security research, providing access to a collection of technical articles and insights for the cybersecurity community. Offers in-depth content on various security topics, serving as a valuable resource for practitioners and researchers.

CERT-EU Cyber Threat Intelligence Framework - cert.europa.eu

Introduces the CERT-EU framework designed to standardize the classification, assessment, and prioritization of malicious cyber activities relevant to European Union entities. Provides a shared reference model to improve consistent reporting, alerting, and awareness-raising across the EU's cybersecurity ecosystem.

📰 SecLinks #

CRLF Injection Bypasses Strict CSP - siunam321.github.io

Demonstrates how CRLF injection in HTTP response headers can lead to reflected XSS, even when a strict Content Security Policy (CSP) is enforced. Introduces "Nested Response Splitting" as a technique to inject HTML into the response body by using two CRLF characters, effectively bypassing script-src 'self' directives.

Privilege Escalation via Service Account Impersonation - jdsec.cloud

Details a privilege escalation vulnerability where an authenticated attacker with "Manual Actions" permissions (part of the default Basic role) can achieve full Administrator access. Focuses on the exploitation of service account impersonation chains in cloud environments to escalate privileges.

SPIP Saisies Plugin Remote Code Execution - chocapikk.com

Describes an unauthenticated Remote Code Execution (RCE) vulnerability in the SPIP Saisies plugin (v5.4.0 - v5.11.0), achievable through PHP code injection via the _anciennes_valeurs form parameter. Highlights that user input is directly interpolated into a PHP template rendered with interdire_scripts=false, enabling server-side execution of injected <#PHP> tags, with AI assistance in the discovery.

Supabase API Key Leaks Lead to Database Compromise - labs.cognisys.group

Highlights a disturbing trend of mass Supabase API key disclosures that culminated in late 2025 and early 2026. Explains how a publicly exposed "anonymous" key, often dismissed as harmless by developers, served as the initial vector for a total compromise of a client's customer database during a black box penetration test.

Identity Surveillance by OpenAI, Persona, and US Gov - vmfunc.re

Uncovers an alleged identity surveillance system involving OpenAI, the US government, and Persona, hinting at a potential undisclosed collaboration. Cites openai-watchlistdb.withpersona.com having 27 months of certificate transparency history as evidence of a long-standing data collection operation.

🐦 SecX #

AI-Generated Code Leads to Smart Contract Exploit - x.com

Reports a significant smart contract exploit resulting in a $1.78 million loss, caused by an incorrect asset price setting ($1.12 instead of ~$2,200). Notably, the vulnerable Solidity code was co-authored by Claude Opus 4.6, underscoring the emerging risks of AI-generated code in critical applications.

Blueboxing: A Historical Hacking Sport - x.com

Recounts "blueboxing," a historical hacking technique that required significant skill and dedication to bypass telecommunications frequency filters. Draws parallels between finding a "break" in blueboxing and discovering a "0day" vulnerability in modern cybersecurity, highlighting the continuous need for persistence in circumventing security controls.

Anthropic Blog Post Impacts Cybersecurity Stocks - xcancel.com

Notes a rapid and substantial financial impact on major cybersecurity companies, with CrowdStrike, Cloudflare, and Okta collectively losing $10 billion in market capitalization. This significant market reaction occurred within an hour of Anthropic publishing a new blog post, indicating the acute sensitivity of the industry to AI-related developments.

FBI Arrests Engineers for Trade Secret Theft - x.com

Reports the arrest of three Silicon Valley engineers charged with conspiring to commit trade secret theft from Google and other leading technology companies. Emphasizes the ongoing efforts by law enforcement to address intellectual property theft and obstruction of justice within the tech industry.

🎥 SecVideo #

HackTheBox AI Machine Walkthrough - youtube.com

Provides a detailed walkthrough of exploiting a PHP-based web application on HackTheBox, beginning with reconnaissance using GoBuster to identify hidden files. Focuses on common initial attack vectors such as discovering accessible PHP files and leveraging file upload functionalities for further compromise.

Understanding LLM Skills and Risks - youtube.com

Explores the concept of Large Language Model (LLM) skills, highlighting the inherent challenges in precisely extracting intent from text-based definitions. Discusses the security risks associated with delegating understanding to LLMs and proposes best practices for their secure development and deployment.

💻 SecGit #

Indico Vulnerable to Server-Side Request Forgery - github.com

Details multiple Server-Side Request Forgery (SSRF) vulnerabilities in Indico, stemming from its functionality to make outgoing requests to user-provided URLs. Warns that despite this being partially intentional, it can be abused to access "special" internal targets such as localhost or cloud metadata endpoints.

← Back to Seclog