You might be wondering why the number is so shocking right, like sixty-four bugs? And it’s from a large platform like SocialHub?
A company worth trillion and was run by thousands of developers? Because it makes sense since its worth trillions.
Don’t assu that companies are airtight, since the scale doesn’t make it bulletproof but a bigger target.
Due to his godly programming skill and his knowledge of how these systems were built, while others worked through enough source code and decompiled enough applications to understand.
He was given the ability by the system to understand one thing clearly and that is unvalidated redirects were everywhere.
They weren’t complicated bugs. In fact, they were ridiculously simple.
This happens because developers often forget to validate redirect paraters, which is a common oversight.
This issue is especially prevalent in login pages, password resets, confirmation emails, ads and anything that needs to send a user sowhere else.
These kinds of flaws weren’t usually dangerous on their own, since they didn’t grant server access or expose databases.
That’s why their severity was considered low, and companies like SocialHub didn’t treat them as high priority.
However, they still mattered, especially on platforms built on trust, because a redirect link from socialhub, appears legitimate to most users.
If soone disguises a phishing link using that, then it’s ga over. That’s why even if one endpoint is fixed, it doesn’t an the other hundred like it are.
And that’s the thing about massive platforms like SocialHub. With billions of users and hundreds of services, it was easy for the sa bug to exist in ten different places, even if the security team had patched it once before.
Most elite programrs can scan a few hundred endpoints in a day, but Jeff had scanned over 1,700 in an hour.
While elite programrs take 30 minutes to scrape URLs, for his AI it does it in 2. Also, elite programr test one redirect in 30 seconds, but he does it in 1 seconds.
Validating with curl? 10 seconds for Jeff, and it is 1 or 5 minute for them. Logging, reporting, and formatting were all automated and instant on his side.
The difference you may ask?
Is that elite programrs write great tools like scanners, validators, maybe even automation scripts.
Also, their experience of dealing with sa problem over and over again was a big help as well.
They work efficiently, but each step still depends on them. While Jeff on the other hand, builds full systems.
His tools don’t just follow commands they can think, filter, and act on their own.
Example of this is RAZi that scrapes thousands of URLs in minutes, GhostCheck scans and validates each one in seconds, and the report writer docunts everything instantly with no manual input.
While elite programrs are still writing scripts or waiting for results, he is already done. With every log reviewed, every flaw docunted, and every report packaged.
Work: Reflected XSS Probe
Note: Reflected XSS vulnerabilities typically occur in search boxes, error pages, and query paraters where user input is imdiately reflected in the page without proper encoding or sanitization.
Focus your testing on endpoints that dynamically insert query data into the DOM or template without storage.
...
So after choosing this he then began to work, after compiling a custom tool called mirrorcheck, Jeff launched a targeted scan across vulnerable form fields and query paraters.
His script tested payload reflections without rendering JavaScript, allowing RAZi to confirm XSS behavior based on raw responses.
Within 45 minutes, he had confird multiple reflected XSS flaws across outdated mobile and support endpoints.
GhostCheck’s output was converted to HTML-safe proof-of-concept links, and RAZi automatically generated clean reports for submission.
Each one included payload, vulnerable parater, and server response headers.
For the results? Over 12 dium-severity XSS vulnerabilities, were submitted in a single encrypted batch.
...
Work: Improper Auth Redirect Discovery
Note: Several authentication and login flows use redirect URLs to return users to their destination post-login. These redirect paraters must be validated against a whitelist.
If you discover any redirection endpoints that accept unvalidated third-party URLs, they may qualify for a dium severity reward.
...
Seeing this, he developed a redirect abuse detector called AuthHop, which simulated a login session and intercepted redirect chains.
If any login endpoint allowed redirection to an untrusted external site after login without validating the destination, it was flagged.
RAZi integrated the scanner into an active testing loop with rotating dummy accounts, and within half an hour, Jeff had mapped five authentication flows that could be tricked into rerouting users to phishing traps.
Finding so of it, he continued much further and the results?
The results were 26 dium vulnerabilities, each docunted with step-by-step token capture and redirect bypass thods.
...
Work: Stored XSS Injection Scan
Note: Dynamic content is supported in various user-facing modules. If user-submitted input (e.g. comnts, bios, group nas) is stored in the database and rendered to other users without proper sanitization, it may result in stored XSS.
Please limit tests to designated test fields or isolated environnts.
...
Reading the description about this specific work, he understood that stored XSS was too risky to test manually because it involved injecting malicious scripts into web applications, which could persist in databases and execute whenever a user accessed the affected page.
Unlike Reflected XSS, which required imdiate interaction, Stored XSS could spread silently, targeting multiple users over ti.
Testing it manually could inadvertently expose sensitive data, compromise accounts, or even escalate privileges within an application.
Automated tools were necessary to safely detect and analyze these vulnerabilities without triggering real-world consequences.
Because of that, Jeff developed a Rust-based payload injector that safely delivered test scripts into comnt fields, ssage boxes, and user bios.
Each script was enclosed in harmless tags designed to ping a fake endpoint if executed, allowing him to detect vulnerabilities without causing real security risks.
RAZi will then tracked modifications across multiple test accounts. If a stored payload reappeared in rendered HTML, it was logged as a successful exploitation.
The results you may ask? Over 20 high-severity stored XSS bugs, was compiled in a docunt with before-and-after screenshots and JavaScript behavior traces.
...
Work: IDOR Resource Access Test
Note: All endpoints involving user-specific data should validate authorization based on the authenticated session. If you discover any endpoint where changing a nuric ID or parater grants unauthorized access to another user’s data, it will be treated as a high-severity issue.
Use test accounts only and avoid tampering with live or third-party data.
...
So with that Jeff activated the scanner, feeding it a list of login and authentication flows extracted from previous mapping results.
Each endpoint was systematically tested with redirection payloads designed to check if they would accept external URLs without validation.
His AI cycled through variations, injecting disguised links and analyzing server responses, pinpointing the ones that failed to enforce strict redirection rules.
Within minutes, the scanner flagged multiple endpoints that allowed unvalidated third-party redirects.
Jeff manually verified a few cases, logging into test accounts and watching as the system sent him to unauthorized destinations.
A simple oversight by developers had left these flows vulnerable to phishing exploits, proving just how widespread the issue was across different services.
After compiling detailed reports, Jeff highlighted five dium-severity vulnerabilities, each complete with proof-of-concept steps and token interception thods.
With that he also made it in a docunts to organize it for the mont.
...
Work: Remote Code Execution Vector Discovery
Note: Our platform occasionally deploys developer tools and internal utilities across sandbox environnts. If a parater, file upload, or debug tool can be exploited to execute arbitrary code on the server, it constitutes a critical vulnerability.
Only test within approved sandbox environnts. Never attempt RCE on production systems.
...
Following the notes he then initiated a probe by targeting developer tools deployed within the sandbox environnt.
His scanner thodically analyzed file upload chanisms, debug consoles, and exposed paraters, injecting controlled payloads to detect execution pathways.
Within minutes, he identified a misconfigured debug tool that failed to sanitize input, allowing arbitrary command execution.
He replicated the exploit safely, proving how an attacker could escalate access from a harmless test function to full server control.
After mapping the vulnerability, Jeff crafted a detailed exploit report outlining the attack chain.
He demonstrated how improper sanitization could lead to remote code execution, emphasizing the necessity of strict validation on all user-controlled inputs.
His automated script logged every successful injection attempt, ensuring accurate reproduction of results.
With a thorough breakdown of risk factors, he then wrote it in a docunt about his findings, marking the issue as a high-priority security flaw.
...
Work: Multi-Factor Authentication Bypass Analysis
Note: We use ti-based tokens, backup codes, and push-based verification for MFA. If any endpoint or flow allows login completion without verifying the second factor, especially through session re-use or token manipulation, it is considered critical.
So go ahead and detect flaws in MFA flow that allow full access without completing second-step verification
Successful bypass must demonstrate full account access without completing MFA.
...
1st: Special thanks to ’Essos👑’ – the GOAT of the month, for both the rewarding gifts and golden tickets! Much love, brotha!
2nd: Big thanks to ’Pat_funding👑’ for the unwavering support since the very start of my journey and for the golden tickets and gifts!
3rd: Special shoutout to ’Devon1234👑’ – The sa GOAT of this month, for all the amazing gifts! You’re absolutely RAD!
Reviews
All reviews (0)