The DOGE website appears to be developed and hosted by Outburst Data, run by current DOGE employee Kyle Schutt.
If you view the source of any page on the DOGE website, you'll see that the images are proxied through Cloudflare's ImageDelivery service.
Sam Curry
- More car hacking! Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car. Here's how we found it, and how it works:
- Replying to @samwcyo: This was super interesting to us, because the DOGE website was deployed a bit atypically compared to the other US government websites we'd seen in the past while participating in responsible disclosure. Thanks to @iangcarroll for the help looking into this.
- Replying to @samwcyo: After doing a quick Google search for the Cloudflare account ID, we found a forum post by a user named Kyle Schutt who is asking for help developing a NextJS website on Cloudflare, posting the same account ID as the DOGE website in their forum post.
- Replying to @samwcyo: This service is a product by Cloudflare that helps images load quicker, but whenever used, inadvertently leaks a unique ID that ties back to the host's Cloudflare account. The unique ID that DOGE is using is the following: DzHG7ZU0tz6F1ZKEddmHuw
- Replying to @samwcyo: We saw the same Cloudflare ID on the AMERICA PAC website, showing that the account was being used to host a number of different Elon Musk related websites.
- Replying to @samwcyo: After Googling Kyle Schutt's name, we found a (now deleted) GitHub account which referenced him as the CTO of a company called Outburst Data. There were still more Google results for the Cloudflare account ID, so we went back to Google and continued down the list.
- Replying to @samwcyo: After digging into Outburst Data, we found a number of different subdomains related to AMERICA PAC, DOGE, and WinRed hosted on the same Outburst Data API domain.
  - doge-25f.outburstapi[.]com = DOGE
  - ampac.outburstapi[.]com = AMERICA PAC

  And a few more in the screenshot.
- We recently found a vulnerability affecting Hyundai and Genesis vehicles where we could remotely control the locks, engine, horn, headlights, and trunk of vehicles made after 2012. To explain how it worked and how we found it, we have @_specters_ as our mock car thief:
- It's been a little over 3 weeks since Google randomly sent me $249,999 and I still haven't heard anything on the support ticket. Is there any way we could get in touch @Google? (it's OK if you don't want it back...)
- Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.
- New writeup from @_specters_ and I: we're finally allowed to disclose a vulnerability reported to Kia which would've allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate. Full disclosure: samcurry.net/hacking-kia
- New writeup: "We Hacked Apple for 3 Months: Here’s What We Found" Featuring... @bbuerhaus, @NahamSec, @erbbysam, and @_StaticFlow_
- Super excited to release our car hacking research discussing vulnerabilities affecting hundreds of millions of vehicles, dozens of different car companies: samcurry.net/web-hackers-vs… Contributors: @_specters_ @bbuerhaus @xEHLE_ @iangcarroll, @sshell_ @infosec_au @NahamSec @rez0__
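
The ImageDelivery account-ID leak described in the thread above, seen from the site owner's side, as an added example that is not part of the original posts: it scans page source from several of your own properties and reports any account hash that ties together sites you did not intend to be linkable. The two URL shapes are Cloudflare Images delivery URLs; the function names, site names and hashes are constructed placeholders.

```python
import re
from collections import defaultdict

# Delivery URL shapes for Cloudflare Images; the first path segment is the account hash:
#   https://imagedelivery.net/<account_hash>/<image_id>/<variant>
#   https://<your-domain>/cdn-cgi/imagedelivery/<account_hash>/<image_id>/<variant>
ACCOUNT_IN_URL = re.compile(
    r"(?:https?://imagedelivery\.net|/cdn-cgi/imagedelivery)/([A-Za-z0-9_-]+)/"
)

def account_hashes(markup):
    """Account hashes exposed anywhere in a page: src, srcset, CSS url(), inline JSON."""
    return set(ACCOUNT_IN_URL.findall(markup))

def linked_sites(pages, allowed_groups=()):
    """Return {hash: [sites]} for hashes that link sites not meant to be linked.

    pages: {site_name: page_source}
    allowed_groups: sets of sites that are allowed to share one account.
    """
    seen = defaultdict(set)
    for site, markup in pages.items():
        for h in account_hashes(markup):
            seen[h].add(site)
    findings = {}
    for h, sites in seen.items():
        if len(sites) < 2:
            continue  # a hash seen on one site links nothing
        if any(sites <= set(group) for group in allowed_groups):
            continue  # every exposing site belongs to one approved group
        findings[h] = sorted(sites)
    return findings

# Constructed sample pages; hashes and hostnames are placeholders.
PAGES = {
    "shop.example": '<img src="https://imagedelivery.net/HASH_A_placeholder/logo/public">',
    "blog.example": '<img srcset="https://imagedelivery.net/HASH_A_placeholder/hero/w=800 2x">',
    "campaign.example": '<div style="background:url(/cdn-cgi/imagedelivery/HASH_A_placeholder/bg/public)">',
    "other.example": '<img src="https://imagedelivery.net/HASH_B_placeholder/x/public">',
}

if __name__ == "__main__":
    for h, sites in linked_sites(PAGES, [{"shop.example", "blog.example"}]).items():
        print(h, "links", ", ".join(sites))
```

Separating properties that should stay unlinked means serving their images from separate accounts; the hash is part of every delivery URL, so it cannot be hidden in markup.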