Sam Curry

@samwcyo

Followers
88K
Following
8K
Media
172
Statuses
3K

Hacker, bug bounty hunter. Run a blog to better explain web application security.

Omaha, NE
Joined January 2017
@samwcyo
Sam Curry
2 years
More car hacking! Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car. Here's how we found it, and how it works:
@samwcyo
Sam Curry
2 years
We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. To explain how it worked and how we found it, we have @_specters_ as our mock car thief:
@samwcyo
Sam Curry
2 years
It's been a little over 3 weeks since Google randomly sent me $249,999 and I still haven't heard anything on the support ticket. Is there any way we could get in touch @Google? (It's OK if you don't want it back.)
@samwcyo
Sam Curry
2 years
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.
@samwcyo
Sam Curry
4 months
New writeup from @_specters_ and I: we're finally allowed to disclose a vulnerability reported to Kia which would've allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate. Full disclosure:
@samwcyo
Sam Curry
4 years
New writeup: "We Hacked Apple for 3 Months: Here’s What We Found". Featuring @bbuerhaus, @NahamSec, @erbbysam, and @_StaticFlow_.
@samwcyo
Sam Curry
2 years
Super excited to release our car hacking research discussing vulnerabilities affecting hundreds of millions of vehicles, dozens of different car companies. Contributors: @_specters_ @bbuerhaus @xEHLE_ @iangcarroll, @sshell_ @infosec_au @NahamSec @rez0__.
@samwcyo
Sam Curry
5 years
"Hacking Starbucks and Accessing Nearly 100 Million Customer Records" - write up on a recent directory traversal vulnerability found with @Rhynorater ☕️.
@samwcyo
Sam Curry
2 years
From an Uber employee: Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”
@samwcyo
Sam Curry
1 year
This tweet reminded me of a time when I was hacking on Apple's bug bounty program. I found, of all things, a base64 encoded Harry Potter quote on an internal iCloud account debug and administration page. This is the first time I'm sharing this, as more than 90 days have passed
@samwcyo
Sam Curry
2 years
Between July 7th to July 17th, 2022, we formed a small team of hackers and collectively hunted for vulnerabilities on John Deere’s security program. During our 10 day engagement, we found 100 unique vulnerabilities with 50 rated critical, 32 high, 14 medium, and 4 low severity.
@samwcyo
Sam Curry
5 years
New writeup, one of my favorite bugs 🤠 - "Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty". Featuring @d0nutptr @0xacb @Regala_ @JLLiS @Yassineaboukir @plmaltais
@samwcyo
Sam Curry
2 years
Thank you for reading, huge shout out to all of these amazing people for helping with this research: @_specters_ @bbuerhaus @d0nutptr @xEHLE_ @iangcarroll @sshell_ @infosec_au! We hope to publish more security findings over our few months spent researching this topic soon.
@samwcyo
Sam Curry
8 months
New writeup: "Hacking Millions of Modems (and Investigating Who Hacked My Modem)". Thanks for reading! Huge thanks to @blastbots, @bbuerhaus, @infosec_au, @d0nutptr, @iangcarroll, and everyone who reviewed the post beforehand.
@samwcyo
Sam Curry
3 years
After this, can we all just stop using Java?
@samwcyo
Sam Curry
2 years
From another Uber employee: Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on Slack, people kept going on for the jokes. lmao.
@samwcyo
Sam Curry
2 years
At this point, we identified that it was also possible to access customer information and run vehicle commands on Honda, Infiniti, and Acura vehicles in addition to Nissan. We reported the issue to SiriusXM who fixed it immediately and validated their patch.
@samwcyo
Sam Curry
4 years
New writeup: "Hacking and Accessing 50 Million Customer Records". Huge thanks to @sshell_ and @xEHLE_!
@samwcyo
Sam Curry
4 years
Since it's 2021 I'd like to go ahead and disclose some bugs I wasn't able to talk about in 2020. These were issues that either got NDA'd or had long remediation timelines. The following are quick summaries and proof of concepts for some of the simpler bugs:
@samwcyo
Sam Curry
16 days
New blog post with @infosec_au: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here:
@samwcyo
Sam Curry
4 years
Within the article I'd mentioned that Apple had not yet paid for all of the vulnerabilities. Right after publishing it, they went ahead and paid for 28 more of the issues making the running total $288,500:
@samwcyo
Sam Curry
1 year
Success!
@samwcyo
Sam Curry
5 years
Slides for "Attacking Secondary Contexts in Web Applications" -
@samwcyo
Sam Curry
6 years
Interesting XSS I ran into today: input where param=value is reflected in a JSON body within a script tag. If you send param=</script>, the application sanitizes the input. This can be bypassed with param["</script>"]=whatever.
@samwcyo
Sam Curry
3 years
I think my router or ISP has been hacked, but it's the strangest thing of all time: every time I send an HTTP request to an IP address, a follow up HTTP request is sent to the exact same URL by a Digital Ocean box. I've confirmed that. .
@samwcyo
Sam Curry
2 years
We continued to escalate this and found the HTTP request to run vehicle commands. This also worked! We could execute commands on vehicles and fetch user information from the accounts by only knowing the victim's VIN number, something that was on the windshield.
@samwcyo
Sam Curry
2 years
First time I've seen this before 🧐
@samwcyo
Sam Curry
6 years
New write up - "Cracking my windshield and earning $10,000 on the Tesla bug bounty program" 🤠.
@samwcyo
Sam Curry
2 years
The attacker is claiming to have completely compromised Uber showing screenshots where they’re full admin on AWS and GCP.
@samwcyo
Sam Curry
2 years
After finding individual vulnerabilities affecting different car companies, we became interested in finding out who exactly was providing the auto manufacturers' telematic services. We thought it was likely there was a company who provided multiple automakers' telematic solutions.
@samwcyo
Sam Curry
4 years
Found a really interesting reverse proxy vulnerability where the frontend authorization check parsed/validated the integer from the string (123/\?& == 123) then passed the whole argument to the internal API. You could access other people's data via id=YOUR_ID/. /VICTIM_ID, and.
@samwcyo
Sam Curry
2 years
While exploring this avenue, we kept seeing SiriusXM referenced in source code and documentation relating to vehicle telematics. This was super interesting to us, because we didn't know SiriusXM offered any remote vehicle management functionality, but it turns out, they do!
@samwcyo
Sam Curry
6 years
New write up - "Reading ASP secrets for $17,000" - the really fun process of exploiting local file disclosure 🧐.
@samwcyo
Sam Curry
2 years
We took the authorization bearer and used it in an HTTP request to fetch the user profile. It worked! The response contained the victim's name, phone number, address, and car details. At this point, we made a simple Python script to fetch the customer details of any VIN number.
@samwcyo
Sam Curry
2 years
We found the SiriusXM Connected Vehicle website and noticed the following quote: "[SiriusXM] is a leading provider of connected vehicles services to Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota." So many brands under one roof!
@samwcyo
Sam Curry
2 years
New writeup: Between March 2023 and May 2023, we found multiple critical vulnerabilities in points[.]com, the global provider for major airline and hotel rewards programs. Full post is available here: Work from: @infosec_au @iangcarroll.
@samwcyo
Sam Curry
2 years
There was one HTTP request in particular that was interesting: the "exchangeToken" endpoint would return an authorization bearer dependent on the provided "customerId". While fuzzing, we removed the "vin" parameter and it still worked. It seemed to only care about "customerId".
@samwcyo
Sam Curry
4 years
1. IDOR on Apple via "X-Dsid" header allows an attacker to retrieve name, credit card information, addresses, and various PII of any Apple user via DSID. Bounty: $25,000. Could create a "god cookie" which had access to all Apple customers' name, address, phone, and billing info.
@samwcyo
Sam Curry
5 years
Had some recent success using untranslatable Unicode in place of a "?" when attacking URL parsers for SSRF/OAuth issues. What worked was: \udfff -> � -> ?. Therefore {"redirectUri":"https://attacker\udfff@[victim]/"} equals Location: https://attacker?@[victim]/
@samwcyo
Sam Curry
5 years
New write up - "Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts".
@samwcyo
Sam Curry
2 years
New blog post detailing some findings from auditing the Next.js ecosystem: "Exploiting Web3's Hidden Attack Surface: Universal XSS on Netlify's Next.js Library". Huge thanks to @infosec_au and @bbuerhaus for helping explore this!
@samwcyo
Sam Curry
2 years
At this point, we kicked off scans and scoured the internet trying to find as many domains as we could owned by SiriusXM, and additionally reverse engineered all of the mobile apps of SiriusXM customers to see how the remote management actually worked.
@samwcyo
Sam Curry
2 years
It returned "200 OK" and returned a bearer token! This was exciting, we were generating some token and it was indexing the arbitrary VIN as the identifier. To make sure this wasn't related to our session JWT, we completely dropped the Authorization parameter and it still worked!
@samwcyo
Sam Curry
4 months
After a really long time only focused on manual web security stuff, almost everything has started to feel like a QA checklist. There are definitely people doing novel research and dropping crazy bugs, but I think a lot of the big stepping stones require people to build really.
@samwcyo
Sam Curry
2 years
New blog post on hacking EPP servers: How we could've taken over the .ai, .bj, .bw, .ci, .gl, .ke, .kn, .lb, .ly, .mr, .ms, .mz, .ng, .pyc, .rw, .so, .ss, .td, and .zm TLDs. Work from @rhyselsmore, @bbuerhaus, @infosec_au, and myself.
@samwcyo
Sam Curry
3 years
Found some fun vulnerabilities on Instapage and HubSpot with @bbuerhaus, @sshell_, and @xEHLE_. Here's a thread with a couple mini writeups for them: There are a few routes on the Hubspot CMS which are actually reverse proxies to Hubspot's CDN, you can see the "hs-fs" one below:
@samwcyo
Sam Curry
3 years
Super interesting: looks like scammers found a subdomain takeover on " and are using it to host an NFT scam.
@samwcyo
Sam Curry
2 years
During this process, we found the domain " and began investigating. From what we found, it appeared to handle services for enrolling vehicles in the SiriusXM remote management functionality.
@samwcyo
Sam Curry
2 years
After pivoting to this domain in particular, we found a large number of references to it in the NissanConnect app and decided to dig as deep as we could. We reached out to someone who owned a Nissan, signed into their account, then began inspecting the HTTP traffic.
@samwcyo
Sam Curry
2 years
Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a Python script which only needed the victim's email address. After inputting this, you could then execute all commands on the vehicle and take over the actual account.
@samwcyo
Sam Curry
5 years
Just some personal thoughts on why you shouldn't force yourself to become a bug bounty hunter -
@samwcyo
Sam Curry
7 months
Super stoked to be giving a DEF CON talk about vulnerabilities in ISP infrastructure! This was originally a blog post, but the talk will include a lot more context and vulnerabilities affecting wider ISP ecosystem (see: 🫡
@samwcyo
Sam Curry
1 year
“Rook to XSS: How I hacked chess[.]com with a rookie exploit”. Really great read! If you’ve never looked, has a great off-platform bug bounty program via security@chess.com.
@samwcyo
Sam Curry
2 years
Hours later, in one of the HTTP responses we saw the following format of a VIN number: vin:5FNRL6H82NB044273. This VIN format looked eerily similar to the "nissancust" prefix from the earlier HTTP request. What if we tried sending the VIN-prefixed ID as the customerId?
@samwcyo
Sam Curry
2 years
The format of the "customerId" parameter was interesting as there was a "nissancust" prefix to the identifier along with the "Cv-Tsp" header which specified "NISSAN_17MY". When we changed either of these inputs, this request failed.
@samwcyo
Sam Curry
2 years
Trying to be cheeky, we went for an obvious IDOR and changed the "customerId" parameter to another user's customer ID. This failed and gave us an authorization error. Not entirely satisfied, we left this endpoint to rest and began looking at other endpoints.
@samwcyo
Sam Curry
5 years
Slides for my talk from NahamCon - "Owning Online Games with Only Web Hacking Experience" -
@samwcyo
Sam Curry
3 years
Client side path traversal is a really fun thing to explore for CSRF and XSS. Revisited an unexploitable blind SSRF which (1) required the authorization header to be sent and (2) passed the authorization header to the provided "url" parameter. This would be account takeover . .
@samwcyo
Sam Curry
2 years
I'm super impressed by the young hackers who are only 17 or 18 years old and participating at the live hacking events. The barrier to entry for finding vulnerabilities has really gone up in the last few years for these larger companies and they manage to do such amazing work.
@samwcyo
Sam Curry
4 years
Here is the initial release of the PoC for CVE-2021-27651: There were a few large organizations affected by this including the NSA, FBI, Unilever, Apple, American Express, and Wells Fargo. Probably somewhere around ~3,000 different customers.
@DailySwig
The Daily Swig
4 years
Users of the Pega Infinity enterprise software platform are urged to update against a critical vulnerability (cc @samwcyo).
@samwcyo
Sam Curry
4 years
Ran into a neat authentication bypass via extension whitelist today with @bbuerhaus and @_specters_: GET /admin%2ejsp%3b.png. Was able to turn a number of post-auth SQL injections into pre-auth vulns. Always fun messing with these. 😁
@samwcyo
Sam Curry
2 years
After putting everything together, we reported the issue to Hyundai and worked with them to confirm the fix. Thanks for reading! This thread is a small part of a few months of web security research in the auto industry. We're hoping to disclose more related issues in the future.
@samwcyo
Sam Curry
4 years
Have just sent a blog post to a security team to review for publication and am super excited about it. The draft PDF is 53 pages long and is the result of 3 months of work alongside @bbuerhaus, @NahamSec, @erbbysam, and @_StaticFlow_. Hoping to publish it by the end of the week!
@samwcyo
Sam Curry
4 years
Pretty fun bug: app had a staging/production environment. They both shared the same secrets for managing JWTs. User information was indexed via user ID. If you sent the alternate service's JWT, it'd log you in as whatever the indexed user ID was on the other version of the app.
@samwcyo
Sam Curry
3 years
You decode a JWT, only for there to be another JWT inside. You decode that JWT. Another JWT. It doesn't stop. Always another JWT. You wake up. Cold sweats.
@samwcyo
Sam Curry
2 years
We played around with this for a while, until we tried something that worked: By adding a CRLF character at the end of an already existing victim email address during registration, we could create an account which bypassed the JWT and email parameter comparison check!
@samwcyo
Sam Curry
3 years
TIL the HTTP response "Content-type: image/png, text/html" will render the "text/html" even if the content type is actually "image/png". Need to actually sit down and read the RFC at some point 😅
@samwcyo
Sam Curry
2 years
Been working on some neat stuff which we can hopefully release soon: - Found >50 critical bugs on a large target as a small team, wrote a long blog post for it (pending approval). - Collaborated with @infosec_au on an 0day (pending approval). Wish I could share them both now! 😄
@samwcyo
Sam Curry
4 years
I was joking about adding a blind XSS payload to my Google Nest, but then it actually fired on their admin panel and I got rewarded through their VDP 🥲. Huge thanks to the amazing @IAmMandatory for maintaining @XssHunter for free.
@samwcyo
Sam Curry
4 years
Going to justify this debt one way or another
@samwcyo
Sam Curry
3 years
Going to be a lot of arguing on this flight…
@samwcyo
Sam Curry
7 years
New write up! 😀 "The $12,000 Intersection between Clickjacking, XSS, and Denial of Service".
@samwcyo
Sam Curry
3 years
Haven't done much bug bounty in the last few months but finally had the chance to look today and found a vulnerability today which allowed me to control a company's telepresence robots. WASD to navigate, could speak to the employees and see what they're up to via my desktop mic!
@samwcyo
Sam Curry
3 years
Cryptocurrency web apps are all mostly run on the same 3 or 4 different hosting platforms. Over the last few months, we've been able to find vulnerabilities where we can write/modify content on nearly all of them. Excited to talk about this (and more) at @_kernelcon_ soon!
@samwcyo
Sam Curry
1 year
Happy to have participated in the inaugural election security research forum at MITRE where we spent time auditing US voting systems. Thanks to @CISAgov, @Hacker0x01, @Bugcrowd, @jackhcable, and everyone who helped put the event together.
@samwcyo
Sam Curry
3 years
Picked up @0xteknogeek, @sshell_, and @ret2jazzy from the airport and they immediately found a Tesla vulnerability playing around with the screen in the back seat.
@samwcyo
Sam Curry
5 years
Will be giving a talk about hacking online games with only web security experience on Saturday, June 13th. This talk will discuss the parallels between web hacking and game hacking, then explore some neat vulnerabilities affecting MMOs and popular Steam games. More info below -
@NahamSec
Ben Sadeghipour
5 years
We are ONE week away from #NahamCon2020: A virtual hacking conference with talks/workshops by @jeff_foley, @Jhaddix, @securinti, @snyff, @BitK_, @samwcyo and more! Check out the entire schedule on We are also hosting a CTF! Come play and win some cash!
@samwcyo
Sam Curry
4 years
If you're interested in learning more about DeFi hacks, @OriginProtocol has a well maintained repository of post-mortem writeups detailing a bunch of neat real world exploits here:
@samwcyo
Sam Curry
6 years
$57,000 for one bug! We are not worthy @0xACB! :)
@samwcyo
Sam Curry
2 years
@spikeroche With the account takeover, you could access everything on the user’s SiriusXM account where you could enroll/unenroll from the service, but if I remember correctly the API calls for telematic services would work regardless of whether there was an active subscription.
@samwcyo
Sam Curry
4 years
If you enjoyed "Attacking Secondary Contexts in Web Applications" ( feel free to vote for it here! There's an amazing amount of fantastic research here and if you haven't already I'd absolutely suggest dedicating a night just to read through all of these.
@PortSwiggerRes
PortSwigger Research
4 years
It's time to cast your vote for the Top 10 Web Hacking Techniques of 2020! Grab a brew, peruse our hefty nomination list, and select up to ten new techniques and ideas you think will have a lasting impact.
@samwcyo
Sam Curry
3 years
Wish I didn’t have to wait for the company running 90% of crypto websites to get hacked before they start offering actual bounties. Thanks for the hoodie and water bottle for my account takeover report. Tired of the antics from companies worth billions of dollars, sorry for rant.
@samwcyo
Sam Curry
2 years
Nearly forgot: huge thanks to @netspooky for making the amazing ASCII art in the Python script 💕
@samwcyo
Sam Curry
11 months
Huge thanks to @davidbombal for covering the past car hacking research from @_specters_ @bbuerhaus @xEHLE_ @iangcarroll @sshell_ @infosec_au and I. David and his team put in a ton of effort to research this and asked some great questions. More than happy to share the fun stories.
@davidbombal
David Bombal
11 months
Hackers remotely hack cars! Ferrari, Tesla, Porsche, BMW, Ford, Kia and so many more 😱. YouTube video: #car #cars #ferrari #tesla #porsche #bmw #ford #kia #mercedes #hyundai #hack #hacker #hacking #cybersecurity #infosec @samwcyo
@samwcyo
Sam Curry
4 years
2. Reflected XSS/CSRF token bypass on SecureTransport 5.4 via URL parameters. Bounty: $7,000 and a comfy backpack from Axway :). Could traverse to a "CSRF debug page" which would auto-submit a request with an appended CSRF token. Also vulnerable to (limited) XSS.
@samwcyo
Sam Curry
3 years
Spotify, Discord, Nest, and a bunch of stuff is down. The interesting thing is that Nest and Spotify are returning Google 404 errors.
@samwcyo
Sam Curry
4 years
Over the last few months, myself and a few friends have been building a small security consultancy called @PalisadeLLC. The company is specifically focused on securing web apps that leverage all things crypto (custodial wallets, payment processors, NFT marketplaces, etc.).
@samwcyo
Sam Curry
6 years
Yay, I was awarded a $15,000 bounty on @Hacker0x01! #TogetherWeHitHarder.
@samwcyo
Sam Curry
6 years
Has anyone ever had luck overwriting parameters when talking to an internal API? Example: POST /external {"a":"a&b='#","b":"1"} turns into GET /internalAPI?a=a&b='#&b=. I've been able to bypass a lot of filters using this, but no bugs yet.
@samwcyo
Sam Curry
3 years
It's frustrating, we reported a SQL injection vulnerability to the Vulcan Forged bug bounty program 6 months ago that let you pull master private keys and plaintext passwords. This vulnerability had a similar level of impact, but was rewarded with $2,000. (1/5)
@RektHQ
Rekt News
3 years
Four cases in ten days. $140M gone from @VulcanForged. "Compromised keys" are so hot right now. But it’s nothing to do with the markets, right?. rekt investigates.
@samwcyo
Sam Curry
3 years
Giving a talk at #NahamCon2022 about 15 different vulnerabilities we found while hacking crypto websites and some of our observations while working on crypto security. Huge thanks to @NahamSec and team for putting together this conference for another year!
@samwcyo
Sam Curry
5 years
Finally got an award at a HackerOne event! Found the most critical security vulnerability for the Verizon Media day. I was beyond excited to receive this. It means so much to me. Here's to next year! 😁😁😁
@samwcyo
Sam Curry
3 years
Really great attack surface basics post from @sshell_, looks to be the first of a series of future posts:
@samwcyo
Sam Curry
2 years
To test if this worked, we sent an HTTP request to an endpoint which lists vehicles connected to the account using the following variables: Registered JWT email: victim@gmail.com%0d. JSON parameter email: victim@gmail.com. The HTTP response returned the victim's VIN! We were in!
@samwcyo
Sam Curry
3 years
Someone hacked my Spotify and was upset I kept changing the songs. They were very forward about how they felt about the whole thing 😄❤️
@samwcyo
Sam Curry
5 years
Happy to be taking home the award for most critical finding during the H1-415 event 😁 — it honestly wasn’t the most exciting bug, but I ended up being able to pour time into an interesting URL whitelist bypass. Will do a blog post on it soon. Not sure if it has been covered yet.
@samwcyo
Sam Curry
5 years
Have been playing around with a blind XSS that fired on the default installed iOS settings app. Always weird seeing web stuff where you're not expecting it. 😬
@samwcyo
Sam Curry
4 years
Thanks for reading and a massive thank you to those who let me collaborate with them in 2020. On the topic of disclosing bounty amounts: I feel there's a net benefit to have these published. These issues were found very sporadically with an exceptional amount of luck. Cheers!
@samwcyo
Sam Curry
4 years
Thank you all for the kind words on Twitch! Here are the slides for "Just Give me a Trial, Please" which we plan to update in the future: Originally, we intended on disclosing a pre-auth RCE PoC but haven't hit a required 90-day timeline.
@samwcyo
Sam Curry
4 months
25!
@samwcyo
Sam Curry
4 years
Awesome work from @artsploit going over some of the really neat and novel approaches to hacking OAuth. Will be an awesome reference moving forward.