Ian Carroll @iangcarroll Twitter profile

Last Seen Profiles

@CooperCollin21

@backoround

@Federico_Urban

@JulianDRuizR

@mareileek

@dojchella

@sitipngnpinter

@Manny_Khoshbin_

@juandertal

@zodo253

@TheMammalizer

@SaesnegGlantaf

@mu_jose

@SLREN_SL

@syayurann

@UtafitiAfrica

@soohshii

@Amelyusss

@looping_group

@expii

@sue_fran007

@premiosvdr

@realthoughtsfem

@ztisdale

@ghazzall_

@samuelescritor

@ileonaard

@K0byJ

@sangtanic

@Barothoth

@CBABulldogsUSA

@incr698

@musac5925

@spotdegen_

@CsikRuso

@DrOwlPhD

Ian Carroll

@iangcarroll

2 years

Well, ChatGPT knows AWS IAM policies... holy shit.

66

445

4K

Ian Carroll

@iangcarroll

2 years

we got a shell on the topgolf kiosk

58

170

2K

Ian Carroll

@iangcarroll

4 years

chrome://dino 0day, brought to you by security happy hour (bug bounty pls) checkForCollision = () => false; Runner.instance_.setSpeed(50);

21

334

1K

Ian Carroll

@iangcarroll

3 years

1Gbps of sustained outbound transfer on aws is about $21,000/month in us-east-1. that's it. that's the tweet.

32

195

1K

Ian Carroll

@iangcarroll

4 years

ARM-based macOS can run iOS apps + network traffic/cert store is tied to macOS = perfect for iOS app hacking

21

188

1K

Ian Carroll

@iangcarroll

3 years

Yay, I was awarded a $75,000 bounty on @Hacker0x01 ! #TogetherWeHitHarder Five $15,000 reports to one program using an issue that CookieMonster would catch! Not as straightforward though; CVE soon :)

HackerOne profile - ian

hacking things - https://ian.sh

hackerone.com

26

71

872

Ian Carroll

@iangcarroll

8 months

About 1.5 years ago, I started as a fun side project to help me book better award flights with my points. To my surprise, it grew much faster than I ever expected, and ended up becoming my full-time job. As the year ends, we just hit $1.5M in ARR and now

54

30

876

Ian Carroll

@iangcarroll

2 years

I got promoted today to Staff Security Engineer at Robinhood!

52

7

865

Ian Carroll

@iangcarroll

4 years

CVE-2020-7066 is a pretty neat SSRF vector in PHP; URL parsing differences strike yet again.

2

193

626

Ian Carroll

@iangcarroll

3 years

I wrote about how I exploited a bunch of outdated Apache Airflow instances in bug bounty programs and earned over $13,000 for it!

Exploiting outdated Apache Airflow instances in bug bounties

Apache Airflow is a popular system for executing workflows, such as copying and transforming data between data sources. I first ran into an Airflow instance exposed to the internet on a bug bounty...

ian.sh

5

172

556

Ian Carroll

@iangcarroll

3 years

Excited to share a small thing I've been working on: fast tooling for detecting misconfigured session implementations in web apps. CookieMonster rapidly finds misconfigured secret keys in applications using Laravel, Flask, JWTs, and more!

Introducing CookieMonster: a tool for breaking stateless authentication

Introducing CookieMonster: a tool to help you detect and abuse vulnerable implementations of stateless sessions.

ian.sh

9

175

483

Ian Carroll

@iangcarroll

5 years

Today I learned that voicemail uses IMAP? And you can text people a special message that makes their phone connect to your IMAP server?!

Project Zero Bugs

@ProjectZeroBugs

5 years

Visual Voicemail for iPhone: Use-after-free in IMAP NAMESPACE processing

0

51

146

13

145

424

Ian Carroll

@iangcarroll

3 years

You can learn so much non-public information from TikTok. Last night I was reading a bunch of complaints in comments from armored truck drivers around how their security system works… just amazing info to find.

8

34

378

Ian Carroll

@iangcarroll

1 year

I was a senior security engineer at Dropbox at 20, and now I am a staff security engineer at Robinhood at 22. 🤷‍♂️

24

18

375

Ian Carroll

@iangcarroll

3 years

HE offers a full rack with 12A of power and 1Gbps of symmetrical transit for $400/month. Where did we go wrong?

10

11

294

Ian Carroll

@iangcarroll

3 years

Excited to share more about my work with misconfigured Redash instances and stateless authentication. Together with @haxor31337 and @naglinagli , we earned nearly $100k from these CVEs in 2021.

Exploiting Redash instances with CVE-2021-41192

Exploiting CVE-2021-41192, a stateless authentication misconfiguration, on Redash instances.

ian.sh

10

81

291

Ian Carroll

@iangcarroll

6 months

Does anyone have a Cloudflare WAF bypass

9

12

274

Ian Carroll

@iangcarroll

3 years

I wrote a post about how MarkMonitor pointed over 60,000 domains towards Amazon S3 yesterday, allowing anyone to take over domains like or . Thanks to @naglinagli and @d00xing for helping to figure this out!

How MarkMonitor left >60,000 domains for the taking

Thanks to Nagli and d0xing for helping figure out what was happening with this issue.

ian.sh

4

74

266

Ian Carroll

@iangcarroll

5 years

If your organization uses LastPass, you should inspect the Chrome extension’s source code. I have never been more terrified by a product.

Project Zero Bugs

@ProjectZeroBugs

5 years

lastpass: bypassing do_popupregister() leaks credentials from previous site

7

308

636

13

115

239

Ian Carroll

@iangcarroll

1 month

Our talk was accepted at @defcon this summer! Come watch @LennertWo and I give a talk about the Unsaflok vulnerability in hotel locks and the technical details behind it.

5

65

264

Ian Carroll

@iangcarroll

2 years

This is an absurd vulnerability and should be retracted:

Security Issue in JWT Secret Poisoning (Updated)

We discovered a new high-severity vulnerability (CVE-2022-23529) in the popular JsonWebToken open source project.

unit42.paloaltonetworks.com

7

44

227

Ian Carroll

@iangcarroll

4 years

salesforce is telling customers to keep chrome out of date because of mixed content... this is terrible advice

9

60

226

Ian Carroll

@iangcarroll

4 months

Today we disclosed serious security issues our team discovered in over three million hotel locks that could allow anyone to create master keys. We’ve been working on this for almost two years to ensure it’s fixed responsibly. Thanks to Andy for the great coverage!

Andy Greenberg (@agreenberg at the other places)

@a_greenberg

4 months

Security researchers found flaws in Saflok hotel keycard locks, used on 3 million doors in 13,000 properties worldwide, that can be used to open them in seconds. The lockmaker Dormakaba has been working on a fix but told them only 36% of locks are updated.

4

121

289

6

68

215

Ian Carroll

@iangcarroll

3 years

I earned $12,000 for my submission on @bugcrowd #ItTakesACrowd Airflow keeps giving :)

iangcarroll on Bugcrowd

View iangcarroll’s researcher profile on Bugcrowd, a platform and team of experts connecting organizations to a global crowd of trusted security researchers.

bugcrowd.com

10

7

209

Ian Carroll

@iangcarroll

3 years

over the past couple weeks i've created >400,000 aws ec2 instances, with >300,000 unique public IPs, hunting for dangling DNS records -- found some fun results so far! total cost: ~$15 :)

8

24

205

Ian Carroll

@iangcarroll

4 years

There appears to be no DRM on iOS app binaries running on macOS.

8

23

193

Ian Carroll

@iangcarroll

3 years

Been working more on my bug bounty automation's web UI :) Trying to make manual research a bit nicer.

6

5

162

Ian Carroll

@iangcarroll

3 years

Surprised to be #3 in the US on HackerOne, hope I stay as lucky in 2022 :)

10

4

156

Ian Carroll

@iangcarroll

1 year

Excited to share that I’m leaving Robinhood to work on @SeatsAero full-time! What started as my simple side project has grown considerably recently and I’m excited to dedicate more time to it. Quite the change from security but I will still be around bug bounty and events 🙂

16

5

157

Ian Carroll

@iangcarroll

5 years

“you may pose an immediate security threat” - @TSA time to get this framed

16

23

146

Ian Carroll

@iangcarroll

2 years

These are some crazy security issues in Cloudflare that probably should have been caught before this launched 😬😬😬

Cloudflare Pages, part 1: The fellowship of the secret

www.assetnote.io

1

45

147

Ian Carroll

@iangcarroll

1 year

This was a fun bug I found in @stripe , sadly they took back the $600k in fee-free credits I earned from it!

publiclyDisclosed

@disclosedh1

1 year

Stripe disclosed a bug submitted by @iangcarroll : - Bounty: $5,000 #hackerone #bugbounty

1

14

67

6

5

145

Ian Carroll

@iangcarroll

3 years

Installed a new NVMe Gen4 SSD and 384GB of additional DDR4 for my bug bounty automation. Cable management not prioritized though…

14

2

137

Ian Carroll

@iangcarroll

3 years

Time for some belated Log4j with @naglinagli and @haxor31337 🙂

5

1

137

Ian Carroll

@iangcarroll

10 months

I’m disappointed that Air Canada decided to file a lawsuit against @SeatsAero today, attempting to shut down our support for Aeroplan awards with a frivolous lawsuit. We make it easier for all Aeroplan users to find the best awards, and will fully defend our position in court.

13

8

129

Ian Carroll

@iangcarroll

2 years

Today I'm disclosing several vulnerabilities I found in the certificate authority e-Tugra, which disclosed significant amounts of subscriber PII and may have impacted their certificate issuances. Hopefully other CAs are not like this!

Security concerns with the e-Tugra certificate authority

Certificate authorities (CAs) are a critical backbone of internet security; when they are compromised, users lose the ability to securely connect to websites without fear of interception. Websites...

ian.sh

12

63

116

Ian Carroll

@iangcarroll

3 years

I do not know what to do with 31 cases of Red Bull but they have started arriving! I think this is about 50% of it in sugar free, the other half should be regular Red Bull. 750 cans!

19

1

110

Ian Carroll

@iangcarroll

5 months

Big win for us 💪

JT Genter

@JTGenter

5 months

Congratulations to @SeatsAero on the initial legal win against Air Canada! A judge denied Air Canada's filing to block from continuing to publish Aeroplan award availability while the case moves forward:

2

6

72

10

1

108

Ian Carroll

@iangcarroll

3 years

Hot take: If your bug bounty fixes reports but doesn’t pay them because of “scope”, you’re misusing scope and hurting researchers. Use scope for third-party systems and known issues, not as a tool for free bugs. If you don’t have enough budget, use tiers or don’t run a program.

7

16

104

Ian Carroll

@iangcarroll

3 years

Excited to have joined Robinhood's security team last week to run their bug bounty program :)

13

0

101

Ian Carroll

@iangcarroll

3 months

Finally got my Canada passport 🇨🇦🇺🇸

4

0

102

Ian Carroll

@iangcarroll

5 years

Here is the indictment for this case: This seems pretty crazy -- the only reason the person was caught was because they put the data on their personal GitHub?

19718675504.pdf

Shared with Dropbox

www.dropbox.com

4

45

94

Ian Carroll

@iangcarroll

2 years

1

3

93

Ian Carroll

@iangcarroll

3 years

Just got a max bounty from an issue I found with CookieMonster a month after I released it! I also found my most impactful Airflow instance after publishing my post on it... maybe OSS is key :)

1

4

93

Ian Carroll

@iangcarroll

2 years

This report was what helped me find CVE-2021-41192!

publiclyDisclosed

@disclosedh1

3 years

Urban Company disclosed a bug submitted by @iangcarroll : - Bounty: $1,500 #hackerone #bugbounty

0

7

94

1

88

Ian Carroll

@iangcarroll

4 years

AS398328 is alive :)

11

4

83

Ian Carroll

@iangcarroll

3 years

my girlfriend has learned how to use safari devtools just to see her place in disneyland ticket line via the xhr response

4

2

84

Ian Carroll

@iangcarroll

3 years

imagine getting paid $25 for a bug bounty report 😭

11

1

81

Ian Carroll

@iangcarroll

1 year

Following my security research of E-Tugra last year, Google is now completely removing their root certificates from being publicly trusted.

0

19

78

Ian Carroll

@iangcarroll

5 years

One of two trackers we found in our rental car at the @CarHackVillage at @defcon China.

4

15

78

Ian Carroll

@iangcarroll

3 years

Really big fan of the new M1 Max. Feels even snappier than the M1, which is impressive! Got a lot farther without Rosetta this time, but Burp Suite made me install it. @PortSwigger pls 🙏

6

3

76

Ian Carroll

@iangcarroll

3 years

Advisory has been released for a critical bug/misconfig I found in Redash, which leads to an authentication bypass/ability to query any connected database. Thanks to @getredash / @databricks for quick fixes. :)

Insecure default configuration

### Impact If you configured Redash without explicitly specifying the `REDASH_COOKIE_SECRET` environment variable, Redash instead used a default value that is the same across all installations. ...

github.com

1

14

69

Ian Carroll

@iangcarroll

2 years

net/http/pprof is probably the biggest footgun in Go right now. Just importing a package silently exposes quite a few debugging routes, and this happens accidentally *so* often at scale. Good for bug bounty farming, bad for companies!

3

10

66

Ian Carroll

@iangcarroll

5 years

i have a handheld RFID cloner now.. becoming more powerful

8

5

67

Ian Carroll

@iangcarroll

4 years

AS398328 -> AS6939

3

61

Ian Carroll

@iangcarroll

3 years

Twitter disclosed my bug bounty report that they fixed very quickly but paid $0. Never a fan of bug bounties that can fix reports but don’t pay for them. 😕

X (Formerly Twitter) disclosed on HackerOne: Subdomain takeover of...

## Summary images.crossinstall.com points to an AWS S3 bucket that no longer exists. I was able to take control of this bucket and put my own content onto it. I can now serve content on this...

hackerone.com

9

3

65

Ian Carroll

@iangcarroll

2 years

A fun thing I've been working on lately is -- a tool to allow you to view hidden metadata in airline reservations. Airline apps retrieve a ton of info that they never show you, like internal notes on your reservation. Supports DL, AM, VS, and others!

5

8

63

Ian Carroll

@iangcarroll

3 years

I really hope @Hacker0x01 is working on improving the mediation process. The people are nice but the process has been clearly broken for so long. It’s insane to me that they still cannot view the very reports they are mediating.

4

2

61

Ian Carroll

@iangcarroll

4 years

Today was my last day @Dropbox . It’s been a great time and I’ve learned so much; onto new things soon!

4

0

59

Ian Carroll

@iangcarroll

3 years

Glad the FedEx package I just got from Sony’s bug bounty is a t-shirt and not a cease and desist like last time

3

6

55

Ian Carroll

@iangcarroll

4 years

There is no reason to believe Zoom has the security posture to be a critical infrastructure service, and it is extremely scary to think about what data now flows through it.

2

8

53

Ian Carroll

@iangcarroll

6 months

Apparently @discord added notifications with AI summaries of conversations, but it summarized a credit card discussion in our Discord server into "Palestinian Deaths" and sent it to our members, wtf? Palestine has never been mentioned in that channel at all.

5

3

55

Ian Carroll

@iangcarroll

5 years

I was detained for over six hours yesterday by CBP at SFO, purely out of spite. They threatened to detain me all night and that’s exactly what they did, until 10PM (I landed around 4PM).

10

13

49

Ian Carroll

@iangcarroll

2 years

Deployed a security.txt today 🎉

2

5

53

Ian Carroll

@iangcarroll

3 years

this year i especially hope my tax deductions work correctly

3

0

52

Ian Carroll

@iangcarroll

6 months

Amex refreshed the Biz Gold card to add 4x points on cloud systems. Then, after I spent a ton on AWS with the card, they claim AWS is not a cloud system provider, which is absurd. Shows how useless CFPB complaints can be; Amex responded saying basically nothing and not fixing it

4

5

48

Ian Carroll

@iangcarroll

4 years

your mistakes are permanently public with CT...

1

6

45

Ian Carroll

@iangcarroll

3 years

Really like the new Go net.IP functions but be careful if you rely on IsPrivate() to prevent SSRF! It will detect internal ranges like 10/8, but not 127/8, so loopback services are not safe.

3

6

47

Ian Carroll

@iangcarroll

5 years

kind of weird how everything in LA is modeled after grand theft auto

0

9

41

Ian Carroll

@iangcarroll

4 years

We’re (actively) hiring for product security! Let me know if you’re interested or have questions about the role.

5

14

43

Ian Carroll

@iangcarroll

3 years

In October, I submitted 24 vulnerabilities to 18 programs on @Hacker0x01 . #TogetherWeHitHarder

4

0

42

Ian Carroll

@iangcarroll

5 years

so it begins

8

1

40

Ian Carroll

@iangcarroll

4 years

date bailed on me so i went to a data center instead

5

0

40

Ian Carroll

@iangcarroll

11 months

Bug bounty programs need standardized methods for determining severity across the entire platform. @Hacker0x01 is basically the wild west of severity calculations right now and it doesn’t lead to a great experience for anyone.

publiclyDisclosed

@disclosedh1

11 months

Yelp disclosed a bug submitted by @lil_endian : #hackerone #bugbounty

8

23

120

1

0

40

Ian Carroll

@iangcarroll

5 years

VPN's can't protect you from putting your name on things!

1

10

36

Ian Carroll

@iangcarroll

11 months

@supersat @wbm312 @united I’ve had agents refuse to let me opt out as well. United called CBP on me and asked if I was allowed to opt out (they said it’s fine). Unfortunately seems like the airlines don’t train anyone on it and the gate agents get annoyed at you as a result.

0

3

41

Ian Carroll

@iangcarroll

2 years

I tried to write a whole blog post on this but I think it's just a tweet: Bug bounty platforms are too comfortable right now. It's crazy that HackerOne charges programs a >20% fee per report, and researchers are not even protected if a program decides to screw them.

2

39

Ian Carroll

@iangcarroll

3 years

Had a blast with bug bounty this year, glad I got to work with a lot of great researchers and programs. :) #TogetherWeHitHarder

3

0

40

Ian Carroll

@iangcarroll

4 years

new roommate :) @NaoJGar

0

38

Ian Carroll

@iangcarroll

4 years

uh oh

5

0

38

Ian Carroll

@iangcarroll

5 years

@__apf__ At Dropbox we have a Slack bot that can increase the temperature around your desk if you ask it to, and increase the airflow/etc.

4

37

Ian Carroll

@iangcarroll

3 years

My favorite ridiculous Delta 0day is that their trip IROP handling allows you to inspect-element a new destination airport -- even changing a domestic flight to a business-class European ticket. And yes, it both updates the PNR and re-issues the e-Ticket correctly.

1

8

36

Ian Carroll

@iangcarroll

3 years

A “technical issue” made PG&E send a remote disable command to my smart meter today and cut off my otherwise working power. Only eight hours later did I find someone who was able to send another command to it and restore my power. Just requested an analog meter…

6

4

37

Ian Carroll

@iangcarroll

1 year

Wide bug bounty scope is better for everyone involved. Imagine a malicious actor discovering this because the bug bounty program excluded it.

Inti De Ceukelaire

@securinti

1 year

just got offered a $25 bounty and a reminder to stick to the scope from a massive corporation for informing them that all their corporate credentials and API keys (for lastpass, zoom, ... etc) are exposed a PUBLIC repo. I never asked for a bounty but this is... insulting. 🙃

39

38

597

2

36

Ian Carroll

@iangcarroll

4 months

You can view our disclosure at . Many of us worked on this including @LennertWo , @rqu53 , @BusesCanFly , @samwcyo , @sshell_ , and @WillCaruana . We believe these locks have been vulnerable for over 36 years, way older than most of us!

Unsaflok

Unsaflok is a series of serious security vulnerabilities in the Saflok brand of hotel locks.

unsaflok.com

1

12

37

Ian Carroll

@iangcarroll

4 years

did i just spend several hours reverse engineering the tinder API and clients so i could get verified? maybe.. but the checkmark is cool

4

1

34

Ian Carroll

@iangcarroll

4 years

Delta has some extremely permissive APIs in terms of seeing reservation data, so I built a tool for myself to see all of it... Gonna have to make sure I'm not marked as a "selectee" while flying 😅

1

35

Ian Carroll

@iangcarroll

5 years

Don't mis-interpret this! Using a password manager like LP, for the vast majority of threat models, is much better than not -- anti-phishing, anti-reuse, etc. But if you are at a higher risk, it's important to understand that LP is kind of bottom-of-barrel in terms of security.

4

1

33

Ian Carroll

@iangcarroll

7 months

2023 flights! I love the Flighty passport. - 220,577 mi flown - 20 days on a plane - 42 airports, 15 airlines Requalified for Delta Diamond and United 1K for next year! Air Canada 25k too but they froze my account 😂

4

0

34

Ian Carroll

@iangcarroll

5 years

taking bets on whether i am banned from air travel now

5

2

31

Ian Carroll

@iangcarroll

3 years

. @markmonitor just pointed thousands (if not more) parked domains towards unclaimed S3 buckets, allowing all of these domains to be taken over. If you have a contact at MM, please DM me

1

4

32

Ian Carroll

@iangcarroll

2 years

A while ago I registered Stripe Inc in Kentucky to write my extended validation blog post. The LLC is gone now, but in Dun & Bradstreet it had my phone number tied to it... Recently I have been getting a *ton* of spam calls. I started answering and they are for the real Stripe!

1

3

32

Ian Carroll

@iangcarroll

5 years

They also seized my work laptop, my Proxmark, and my TWIC, because they could. A ridiculous series of events (and I still have no laptop.)

4

3

28

Ian Carroll

@iangcarroll

5 years

i’ve flown almost 200k miles this year but i still look out the window like a little kid every time

6

0

30

Ian Carroll

@iangcarroll

5 years

@defensivecomput Strongly disagree here for the record. The anti-phishing protection built into password managers is underrated and a formula will let you shoot yourself in the foot.

3

0

30

Ian Carroll

@iangcarroll

3 years

Really impressed by Datadog's Golang tracing and profiling -- implemented it in my bug bounty automation pretty easily!

1

30

Ian Carroll

@iangcarroll

3 years

@FiloSottile I don't think AWS is trying to extract the value of their other products from their data transfer charges. You pay a premium on all of your resources within AWS, but 70x on data transfer is a tax to keep a moat, not the cost of their value-add.

1

0

29

Ian Carroll

@iangcarroll

3 years

This is how bug bounty programs should treat 0days.

Sayaan Alam

@ehsayaan

3 years

Wohooo, Me and @theabrahack just got awarded a bounty of $15,000 on @Hacker0x01 for log4j RCE , I love how some companies treat zero days #bugbounty

16

35

528

0

1

29

Ian Carroll

@iangcarroll

4 years

My ASN is now serving -- pretty neat! Temporarily IPv6 only.

4

3

28

Ian Carroll

@iangcarroll

2 years

Wrote a tool for scraping LifeMiles flight award availability because their site is not great. if you want to use it! Can help find Lufthansa/United flights to Europe!

5

4

29