Selling CORS exploit chains, basically full account takeover with just 1 click from the victim, @half for info
@half lounge
Selling CORS exploit chains, basically full account takeover with just 1 click from the victim, @half for info
How the attack/exploit chain works :
Victim is logged into target site in one tab.
Victim opens eviltarget.com in another tab (clicks a link in email, Telegram, an ad).
JavaScript on eviltarget.com says: "Hey browser, please ask target.com for the victim's data, and send the victim's cookies with the request."
Browser sends the request, with cookies.
Server answers "yes, eviltarget.com can read this."
Browser gives the answer to the JavaScript.
JavaScript sends the stolen data to the attacker's server.
I have various vulns ready for sale @half
Victim is logged into target site in one tab.
Victim opens eviltarget.com in another tab (clicks a link in email, Telegram, an ad).
JavaScript on eviltarget.com says: "Hey browser, please ask target.com for the victim's data, and send the victim's cookies with the request."
Browser sends the request, with cookies.
Server answers "yes, eviltarget.com can read this."
Browser gives the answer to the JavaScript.
JavaScript sends the stolen data to the attacker's server.
I have various vulns ready for sale @half
Anyone has fresh zenledger database ? Have exploit that can drain entire user balance with the use of XUMM , requests originate from ZenLedger and drains user out ( USDC tested, also wrapped btc ) @half
Please open Telegram to view this post
VIEW IN TELEGRAM
Basically you SE the ZenLedger victim into declaring their XRP
You go on the program , insert the victim address and you'll get a custom payload to send him
You send them the link -) cahsed :)
You go on the program , insert the victim address and you'll get a custom payload to send him
You send them the link -) cahsed :)
Selling exploit on a big financial site (800M revenue ) , various exploits :
- Mass denial-of-banking — victims can't deposit, withdraw, or auto-invest. Deposits in flight may bounce. Purely
destructive.
- Attacker can reroute a victim's recurring transfers (e.g., redirect a scheduled payment's source/destination) to
accounts they control.
- Straight loan-proceeds theft. A victim's approved personal loan pays out to an attacker's linked account.
- Hijack automated cash movement — redirect sweeps, drain idle cash into attacker accounts, or disable protective
sweeps before other attacks.
- full KYC bypass
and more
price : 2M$
@half MM accepted as always :)
- Mass denial-of-banking — victims can't deposit, withdraw, or auto-invest. Deposits in flight may bounce. Purely
destructive.
- Attacker can reroute a victim's recurring transfers (e.g., redirect a scheduled payment's source/destination) to
accounts they control.
- Straight loan-proceeds theft. A victim's approved personal loan pays out to an attacker's linked account.
- Hijack automated cash movement — redirect sweeps, drain idle cash into attacker accounts, or disable protective
sweeps before other attacks.
- full KYC bypass
and more
price : 2M$
@half MM accepted as always :)
On vacation till sunday , will be less online 😴
Please open Telegram to view this post
VIEW IN TELEGRAM
anyone has expirence with ransoms ? @half ( not ransomware, company ransoms )
@half lounge
Project nearly ready 😎
Should I continue autodoxxer development? would you be intrested?
Anonymous Poll
71%
Yes
33%
not intrested
selling big betting platform ( non crypto , european ) admin access , 80M yearly revenue, good offers in PM @half
@half lounge
Should I continue autodoxxer development? would you be intrested?
Perfect will work on it soon, will also work on a good audit program that will be sold with limited copies , more info soon :)