We begin our latest security research roundup (also published as a newsletter) with Jorian Woltjer’s bid to “make the ultimate double-clickjacking proof of concept”. Building on Paulos Yibelo’s recent research that pioneered the concept, the researcher was enamoured of the hacking technique in part because he liked “using small browser features in creative combinations to make convincing ways of breaking security boundaries”, according to a blog post documenting his adventures exploring this terrain. The PoC that emerged leverages a fake Cloudflare Captcha and iconic video game Flappy Bird. 🐤
Thomas Stacey of Assured Security Consultants meanwhile has detailed some overlooked HTTP request tunnelling attacks that affect popular servers like IIS, Azure Front Door and AWS Application Load Balancer. He also promises an “innovative detection approach combining the single-packet attack method with established HTTP desync techniques”. His conclusion: “request tunnelling is still underrated”. 💡
Well done also to the researchers who managed to spoof signatures in OpenPGP.js, the open source JavaScript implementation of the OpenPGP standard for message encryption and signing, by passing a maliciously modified message to openpgp.verify or openpgp.decrypt. 🔑 In a writeup, Edoardo Geraci and Thomas Rinsma from Codean Labs said the critical vulnerability “means an attacker can use any previous valid signature made by a victim, and ‘replace’ the signed data with anything while the signature remains valid”. They also explained why “for messages that are signed and encrypted, the situation is even worse.” The flaw was remediated via the OpenPGP.js Bug Bounty Program on YesWeHack, so we published our own analysis of the vulnerability along with related open source bug-hunting opportunities. 🐞
Before we move on to our latest bug-hunting guides, Dojo news and leaderboard update, here’s a final roundup of interesting security research we’ve spotted over the course of the past month:
🔬 Eclipse on Next.js: Conditioned exploitation of an intended race-condition – writeup by Allam Rachid (zhero)
🔬 How to pull off a near undetectable DDoS attack (and how to stop it) – BSidesSF presentation from Simon Wijckmans
🔬 Security issues found in pre-installed apps on Android smartphones – writeup by ‘Mobile Hacker’
🔬 Poison everywhere: No output from your MCP server is safe – writeup by Simcha Kosman of CyberArk Labs
🔬 O2 VoLTE: locating any customer with a phone call – writeup by Dan Williams
Simple yet effective recon
Are you a hacking novice? Google dorking is an uncomplicated, passive way to uncover misconfigured subdomains and exposed credentials within minutes. Our latest Bug Bounty recon guide is a beginner-friendly explainer for harnessing the power of Google's search function. 🔎
Path traversal and arbitrary file read vulnerabilities, which can expose passwords and secret tokens, source code or internal endpoints, can achieve significant impact and earn significant Bug Bounty rewards. Should your knowledge of these flaws be less than comprehensive, you may therefore be interested to learn some practical path traversal or arbitrary file read attacks. 📚
Ruby treasure CTF
You can read the best writeup for our first-ever Ruby-based Dojo challenge (Ruby has only recently been added to Dojo). 💎 Well done to khimluck4, P0pR0cK5 and duplicatesucks for the three best solutions submitted for ‘Ruby Treasure’. In the latest edition of Talkie Pwnii, the eponymous Pwnii discusses the solution to this challenge, in which a regex validation issue in Ruby – exploited via IO.read's ability to spawn subprocesses when given specially crafted input – can lead to remote code execution (RCE). Our current monthly challenge is Hex Color Palette. Submit your solution by 4 July if you wish to be in contention for one of the three best writeups and thus win exclusive swag. 🎁
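The two Ruby pitfalls named above (a regex that anchors lines rather than the whole string, and `IO.read` treating a leading `|` as a command to run) are the same class of bug the path traversal guide addresses: untrusted input reaching a file API without a whole-string check and without containment to an allowed directory. The following is an added defensive example, not the challenge's code, Pwnii's solution or any YesWeHack material: the exact validator used in ‘Ruby Treasure’ is not given here, so `WEAK_NAME` is a hypothetical illustration of the pitfall, and the file names and temporary directory are constructed for the demo.

```ruby
# Added example (not from the Dojo challenge or this newsletter): a weak Ruby
# filename validator beside a hardened file reader. All names are constructed.
require 'tmpdir'

# In Ruby, ^ and $ match at *line* boundaries, so "notes.txt\n|id" satisfies
# this pattern because its first line looks like a harmless filename.
WEAK_NAME   = /^[a-z0-9_.]+$/
# \A and \z anchor the whole string; an embedded newline or "|" fails the match.
STRICT_NAME = /\A[a-z0-9_.]+\z/

def weak_name?(name)
  name.match?(WEAK_NAME)
end

def strict_name?(name)
  name.match?(STRICT_NAME)
end

# Hardened reader:
#  * whole-string anchored validation;
#  * File.read instead of IO.read, so a leading "|" can never spawn a process;
#  * realpath resolution plus a containment check, so names such as ".." (which
#    the character class alone would allow) cannot escape the base directory.
def safe_read(name, base)
  raise ArgumentError, "invalid name: #{name.inspect}" unless strict_name?(name)
  base_real = File.realpath(base)
  target    = File.realpath(name, base_real) # resolves symlinks; raises if absent
  unless target.start_with?(base_real + File::SEPARATOR)
    raise ArgumentError, "path escapes base directory: #{name.inspect}"
  end
  File.read(target)
end

def rejected?(name, base)
  safe_read(name, base)
  false
rescue ArgumentError
  true
end

# Self-contained demo on a constructed temporary directory; returns a Hash of
# observations so the outcome can be inspected or asserted on.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "notes.txt"), "hello")
    {
      weak_accepts_multiline:   weak_name?("notes.txt\n|id"),   # true: the bypass
      strict_accepts_multiline: strict_name?("notes.txt\n|id"), # false
      read_ok:                  safe_read("notes.txt", dir),    # "hello"
      pipe_rejected:            rejected?("|id", dir),          # true
      dotdot_rejected:          rejected?("..", dir)            # true
    }
  end
end

puts demo.inspect if __FILE__ == $0
```

The containment check matters even with the strict regex: `.` is needed for ordinary filenames, so `..` passes the character class, and only resolving the path and comparing it against the base directory closes that gap.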
Q2 rankings update
Italian hacker drak3hft7 has been proverbially ‘on fire’ in recent months and has further burnished his credentials by climbing into the top three on YesWeHack’s Q2 rankings for 2025. 🔥 As well as persistence and other attributes, the hunter leverages the power of collaboration and of chaining bugs to achieve his burgeoning success on our leaderboards, as a recent LinkedIn post explains. Fellow Italian Al7eX also climbed into the top 10. 👏
🤘Meet the YesWeHack team🤘
We’re fast approaching one of our biggest events of the year. Taking place in Paris from 27 to 29 June, LeHACK sees us, as usual, host a live Bug Bounty event with a mystery target unveiled on-site. The marathon live hacking event will run from 10am on 28 June in ‘Le Loft’ until the early hours of the following morning. You can also find our team on booth 41 to talk Bug Bounty and, of course, add to your haul of merch. Finally, prizes will be up for grabs for the successful completion of a CTF challenge crafted by our Tech Ambassador, BitK. 🏆
That’s it for this month. Happy bug-hunting! 👋
Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.
Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.