Critical Thinking - Bug Bounty Podcast

Episode 161: Cross-Consumer Attacks & DTMF Tone Exfil

Episode 161: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gives us some quick hits regarding CSRF and Cross Consumer Attacks, and also touches on some breaking questions surrounding HackerOne Follow us on twitter at: https://x.com/ctbbpodcast [https://x.com/ctbbpodcast] Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io [info@criticalthinkingpodcast.io] Shoutout to YTCracker [https://twitter.com/realytcracker] for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X:  https://x.com/Rhynorater [https://x.com/Rhynorater] https://x.com/rez0__ [https://x.com/rez0__] https://x.com/gr3pme [https://x.com/gr3pme] Critical Research Lab: https://lab.ctbb.show/ [https://lab.ctbb.show/]  ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord [https://ctbb.show/discord]! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch [https://ctbb.show/merch]! Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ [https://ztw.com/] ====== This Week in Bug Bounty ====== AS Watson https://app.intigriti.com/programs/aswatson/watsons/detail [https://app.intigriti.com/programs/aswatson/watsons/detail] YesWeHack 2026 Report https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026 [https://choose.yeswehack.com/bug-bounty-report-2026-trends-and-key-insights-yeswehack?utm_source=youtube&utm_medium=sponsor-critical-thinking&utm_campaign=yeswehack-report-2026]  ====== Resources ====== PhoneLeak: Data Exfiltration in Gemini via Phone Call https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/ [https://blog.starstrike.ai/posts/phoneleak-data-exfiltration-in-gemini-via-phone-call/] Max's Tweet about decreasing bounties https://x.com/0xw2w/status/2020788164378427483 [https://x.com/0xw2w/status/2020788164378427483] HackerOne General Terms and Conditions https://www.hackerone.com/terms/general [https://www.hackerone.com/terms/general] Research Review #-2: RCE in Google's AI code editor Antigravity (sudi) https://www.youtube.com/watch?v=JqvJSF2UMyY [https://www.youtube.com/watch?v=JqvJSF2UMyY] ====== Timestamps ====== (00:00:00) Introduction (00:03:26) YesWeHack 2026 Report (00:09:12) CSRF Realizations & Data Exfiltration in Gemini via Phone Call (00:14:38) 7urb0's Youtube, HackerOne decreasing bounties and Section    3.1 controversy. (00:19:06) Cross Consumer Attacks

Episode 160: Cloudflare Zero-days & Mail Unsubscribing for XSS

Episode 160: In this episode of Critical Thinking - Bug Bounty Podcast Joseph and Brandyn. Chat through some news, Including a Cloudflare Zero-day, Turning List-Unsubscribe into an SSRF/XSS Gadget, & Magic String Denial of Service in Claude. Follow us on twitter at: https://x.com/ctbbpodcast [https://x.com/ctbbpodcast] Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io [info@criticalthinkingpodcast.io] Shoutout to YTCracker [https://twitter.com/realytcracker] for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X:  https://x.com/Rhynorater [https://x.com/Rhynorater] https://x.com/rez0__ [https://x.com/rez0__] https://x.com/gr3pme [https://x.com/gr3pme] Critical Research Lab: https://lab.ctbb.show/ [https://lab.ctbb.show/]  ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord [https://ctbb.show/discord]! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch [https://ctbb.show/merch]! Today’s Sponsor: Adobe. Use code CTBB040126, and get a 10% bonus on your bounty for any AI vulnerability which is mapped to the OWASP LLM top 10. Valid on Adobe Acrobat Web - AI Assistant / PDF Spaces / Content Creation and presentation features using Express Adobe Express AI Assistant.  Valid through April 1st, 2026 Also we have a Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag! ====== Resources ====== Cloudflare Zero-day https://fearsoff.org/research/cloudflare-acme Turning List-Unsubscribe into an SSRF/XSS Gadget https://security.lauritz-holtmann.de/post/xss-ssrf-list-unsubscribe/ Breaking Multi-Tenant Isolation in Heroku Postgres https://allistair.sh/blog/breaking-heroku-postgres/ Parse and Parse: MIME Validation Bypass to XSS via Parser Differential https://lab.ctbb.show/research/parse-and-parse-mime-validation-bypass-to-xss-via-parser-differential Claude Magic String Denial of Service https://x.com/Frichette_n/status/2013988503336415522 From WebView to Remote Code Injection https://djini.ai/from-webview-to-remote-code-injection/ DOM XSS Is Not Dead: The Rise of Polyglot Payloads https://blogs.jsmon.sh/dom-xss-is-not-dead-the-rise-of-polyglot-payloads/ ====== Timestamps ====== (00:00:00) Introduction (00:06:17) Cloudflare Zero-day & Turning List-Unsubscribe into an SSRF/XSS Gadget (00:16:57) Breaking Multi-Tenant Isolation in Heroku Postgres & CTBB Research (00:25:46) Claude Magic String Denial of Service & From WebView to Remote Code Injection

Episode 159: Avoiding Downgrades on Google Cloud VRP with Cote and Darby Hopkins

Episode 159: In this episode of Critical Thinking - Bug Bounty Podcast we sit down with the Google Cloud VRP Team to deep-dive policy and reward changes, what the panel process looks like, and how to best configure for success. Follow us on X [https://x.com/ctbbpodcast] Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io [info@criticalthinkingpodcast.io] Shoutout to YTCracker [https://twitter.com/realytcracker] for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater [https://x.com/Rhynorater], rez0 [https://x.com/rez0__] and gr3pme [https://x.com/gr3pme] on X: ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord [https://ctbb.show/discord] We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Get some hacker swag [https://ctbb.show/merch] Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ [https://ztw.com/] Google Cloud VRP Swag Bonus! Mention the podcast in any rewarded (cash or credit) VRP report submission before the end of April to receive bonus swag! Today’s Guests: Darby Hopkins [https://www.linkedin.com/in/darbyhopkins/] Michael Cote [https://www.linkedin.com/in/michaelpatrickcote/] ====== This Week in Bug Bounty ====== AI Red Teaming Explained by AI Red Teamers [https://www.hackerone.com/blog/ai-red-teaming-explained-by-red-teamers] Good Faith AI Research Safe Harbor [https://www.hackerone.com/press-release/hackerone-sets-standard-ai-era-testing-good-faith-ai-research-safe-harbor] Join the Adobe LHE at NULLCON GOA [https://nullcon.net/goa-2026] ====== Resources ====== ‘Legendary Guy’ - Jakub Domeracki [https://x.com/GoogleVRP/status/2013660670076555418] Google Cloud VRP rewards rules [https://bughunters.google.com/about/rules/google-friends/cloud-vulnerability-reward-program-rules#reward-amounts] Google Cloud VRP product tiers [https://github.com/google/bughunters/blob/main/cloud-tiers/cloud-tiers.text] Bug Hunters blog on the 2025 Google Cloud VRP bugSWAT [https://bughunters.google.com/blog/hardening-google-cloud-insights-from-the-latest-cloud-vrp-bugswat] Google VRP Discord [https://discord.com/invite/bzA9gc6Z] Google VRP on X [https://x.com/GoogleVRP] ====== Timestamps ====== (00:00:00) Introduction (00:10:03) CloudVRP Bugswat Event Breakdown (00:16:40) VRP Policy & Rewards Changes (00:04:50) Panel Process (01:00:08) Configuring for Success & Avoiding Downgrades (01:33:47) Scenarios for Success

Episode 158: 10hr Marathon Hack-Along Recap + $300k Client-side Bugs

Episode 158: In this episode of Critical Thinking - Bug Bounty Podcast we talk about our personal takeaways from the CTBB Charity Hackalong, and then break down some InsertScript POCs, what a $55,000 bug can look like, and if Smart People Ever Say They’re Smart. Follow us on twitter at: https://x.com/ctbbpodcast [https://x.com/ctbbpodcast] Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io [info@criticalthinkingpodcast.io] Shoutout to YTCracker [https://twitter.com/realytcracker] for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X:  https://x.com/Rhynorater [https://x.com/Rhynorater] https://x.com/rez0__ [https://x.com/rez0__] https://x.com/gr3pme [https://x.com/gr3pme] Critical Research Lab: https://lab.ctbb.show/ [https://lab.ctbb.show/]  ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord [https://ctbb.show/discord]! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch [https://ctbb.show/merch]! Today's Sponsor: Join Justin at Zero Trust World in March and get $200 off registration with Code ZTWCTBB26 https://ztw.com/ ====== Resources ====== InsertScript - XSS Challenge Solution https://insert-script.blogspot.com/2020/03/xss-challenge-solution-refresh-header.html InsertScript - Redirect AuthHeader https://www.insert-script.com/examples/redirectAuthHeader/send.html CRLF injection on a 302 redirect https://x.com/0xdef1ant/status/2009040359482118500 Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover https://ysamm.com/uncategorized/2025/01/13/capig-xss.html Arcanum Hack Tips https://github.com/Arcanum-Sec/hack_tips Trail of Bits Releases Claude Skills https://x.com/dguido/status/2011541318229533063 what a $55,000 bug can look like https://x.com/the_IDORminator/status/2007480636244697237 Pwning Claude Code in 8 Different Ways https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/ Do Smart People Ever Say They’re Smart? https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/ ====== Timestamps ====== (00:00:00) Introduction (00:04:18) Technical takeaways from CT Charity Hackalong (00:22:21) InsertScript POCs & Rez0 and teknogeek's IOT Adventures (00:32:16) CRLF injection on a 302 redirect & Multiple XSS in Meta (00:41:00) Trail of Bits, what a $55,000 bug can look like, & Pwning Claude Code (00:54:16) Do Smart People Ever Say They’re Smart?

Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits

Episode 157: In this episode of Critical Thinking - Bug Bounty Podcast we’re joined by Hypr to talk about hacking Mediatek and his experiences with HackerOne and Pwn2Own Ecosystems. Follow us on twitter at: https://x.com/ctbbpodcast [https://x.com/ctbbpodcast] Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io [info@criticalthinkingpodcast.io] Shoutout to YTCracker [https://twitter.com/realytcracker] for the awesome intro music! ====== Links ====== Follow your hosts Rhynorater, rez0 and gr3pme on X: https://x.com/Rhynorater [https://x.com/Rhynorater] https://x.com/rez0__ [https://x.com/rez0__] https://x.com/gr3pme [https://x.com/gr3pme] Critical Research Lab: https://lab.ctbb.show/ [https://lab.ctbb.show/] ====== Ways to Support CTBBPodcast ====== Hop on the CTBB Discord at https://ctbb.show/discord [https://ctbb.show/discord]! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. You can also find some hacker swag at https://ctbb.show/merch [https://ctbb.show/merch]! Today’s Guest: https://x.com/hyprdude [https://x.com/hyprdude] ====== This Week in Bug Bounty ====== Top 10 web hacking techniques of 2025: call for nominations https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open [https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open] CVE-2025-13467 https://access.redhat.com/security/cve/cve-2025-13467 [https://access.redhat.com/security/cve/cve-2025-13467] ====== Resources ====== Hypr's Blog https://blog.coffinsec.com [https://blog.coffinsec.com] mediatek? more like media-rekt, amirite. https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html [https://blog.coffinsec.com/0days/2025/12/15/more-like-mediarekt-amirite.html] kernel-utils https://github.com/mellow-hype/kernel-utils [https://github.com/mellow-hype/kernel-utils] ====== Timestamps ====== (00:00:00) Introduction (00:03:23) Heap Overflow in Mediatek Kernel Drivers (00:19:23) Kernel Debugging & ioctl Handlers (00:43:30) Input Structs, Sync to Source, & Privilege Escalation (00:51:30) HackerOne Ecosystem vs Pwn2Own Ecosystem (01:17:00) Kernel Utils (01:26:46) Real World Bugs for Exploit Development vs CTFs