Valtik Studios
Security Research

From the lab

Vulnerability deep-dives and attack chain breakdowns. Every post is original research from real engagements.

Payment Security
critical
2026-04-17 · 11 min

PCI DSS 4.0: The March 2025 Mandate That's Still Biting E-Commerce

PCI DSS 4.0 became mandatory March 31, 2025. A year later, e-commerce merchants are still flunking compliance assessments, QSAs are being stricter, and payment processors are issuing non-compliance notices. A practical walkthrough of what actually changed from 3.2.1, the requirements biting merchants hardest, and how to actually pass a 4.0 assessment.

pci dss, compliance, ecommerce security
Redis
critical
2026-04-16 · 9 min

Redis: CONFIG GET requirepass Returns Empty

Redis deployed without authentication is one of the most exploited misconfigurations on the internet. Attackers use CONFIG SET to write SSH keys, webshells, and cron jobs for persistent remote code execution. A penetration testing reference for Redis security hardening and incident response.

redis, rce, misconfiguration
MinIO
high
2026-04-16 · 10 min

MinIO: When Your S3-Compatible Storage Lists Everything

MinIO is S3-compatible object storage widely used in self-hosted cloud deployments. Misconfigured anonymous access policies expose entire buckets to listing and download. We walk through detecting and remediating this during S3 and object storage penetration testing.

minio, s3, object storage
Keycloak
medium
2026-04-16 · 11 min

Keycloak: Realm Configuration Tells You Everything

Keycloak is enterprise identity and access management — and a high-value target. Publicly exposed realms, enabled self-registration, and console access lead to full SSO compromise. A penetration testing guide to IAM security audits and incident response.

keycloak, iam, sso
Jenkins
critical
2026-04-16 · 16 min

Jenkins: From Anonymous Read to Full RCE

Jenkins with anonymous read enabled exposes Groovy Script Console for authenticated remote code execution. Compromise one CI/CD server and you own every credential, every pipeline, every repo, every production deployment. A supply-chain attack and penetration testing walkthrough.

jenkins, cicd, supply chain
Sentry
high
2026-04-16 · 11 min

Sentry: Your Error Tracker Is Leaking Secrets

Sentry captures stack traces and error context, which routinely includes API keys, database URLs, and session tokens. Public Sentry orgs leak these during error reporting. A recurring finding in application security penetration tests and vulnerability assessments.

sentry, secret leak, observability
ArgoCD
critical
2026-04-16 · 11 min

Argo CD: GitOps With Default Admin

ArgoCD dashboards exposed without auth leak Kubernetes cluster internals, deployment configurations, and sync tokens. A lateral movement vector that turns a single misconfiguration into full cluster compromise. A Kubernetes penetration testing and cloud security deep dive.

argocd, kubernetes, gitops
Grafana
high
2026-04-16 · 10 min

Grafana: admin/admin Still Works in 2026

Grafana dashboards with admin/admin default credentials are still everywhere. Once inside, attackers pivot to the datasources — Prometheus, PostgreSQL, Elasticsearch — and extract credentials. A common finding in vulnerability assessments and external penetration testing.

grafana, default creds, observability
MongoDB
critical
2026-04-16 · 12 min

MongoDB: The Database That Ships Without a Lock

MongoDB deployed with --bind_ip 0.0.0.0 and no authentication is still being indexed by Shodan in 2026. The ransomware groups know it. A reminder of why database penetration testing and vulnerability assessments matter for compliance.

mongodb, nosql, data breach
Smart TV
high
2026-04-16 · 13 min

Your Smart TV Takes a Screenshot Every Half Second

Smart TVs run Automatic Content Recognition (ACR) that fingerprints every frame on your screen, including content from HDMI inputs. Samsung, LG, Vizio, and Roku all face lawsuits over this surveillance. A consumer cybersecurity and data privacy explainer.

smart tv, acr, surveillance
Connected Cars
high
2026-04-16 · 14 min

Your Car Knows Where You Went Last Tuesday at 3:47 PM

Modern cars collect driving data, location history, voice recordings, and biometric data. Insurance companies buy it through telematics brokers. A consumer cybersecurity and data privacy deep dive into automotive surveillance.

automotive, telematics, surveillance
Flock Safety
critical
2026-04-16 · 15 min

20 Billion Scans a Month: The Camera Network Watching Every Car

Flock Safety ALPR networks cover 4,000+ US municipalities. Your car's movement is logged without a warrant and shared across jurisdictions. A data privacy and surveillance explainer with opsec guidance.

alpr, flock safety, surveillance
Meta
high
2026-04-16 · 13 min

Facebook Built a Profile on You Even If You Never Signed Up

Facebook maintains detailed shadow profiles of non-users through contact uploads, pixel tracking, and data broker feeds. You can't opt out of profiles you never agreed to create. A data privacy and consumer cybersecurity investigation.

facebook, shadow profiles, data privacy
Deepfakes
critical
2026-04-16 · 14 min

Every Person on the Video Call Was Fake: The $25.6 Million Deepfake Heist

In 2024, a Hong Kong finance worker wired $25.6 million after a deepfake video call with his CFO. Social engineering is entering a new era. Incident response and security awareness training for the deepfake threat era.

deepfake, social engineering, incident response
Supply Chain
critical
2026-04-16 · 16 min

A Hacker Spent Two Years Earning Trust to Backdoor the Internet

The XZ Utils backdoor (CVE-2024-3094) was a near-miss supply chain attack three years in the making. Nation-state patience turned systemd's liblzma dependency into an SSH RCE. A supply chain security and threat intelligence case study.

xz utils, supply chain, cve-2024-3094
Amazon Ring
high
2026-04-16 · 12 min

Your Ring Doorbell Gave Police Your Footage 11 Times Without Asking

Amazon Ring's integration with Axon and 2,500+ US police departments turned consumer doorbells into a warrantless surveillance grid. A data privacy and consumer cybersecurity investigation with opsec guidance.

ring, amazon, surveillance
Lazarus Group
critical
2026-04-16 · 15 min

How North Korea Stole $6.75 Billion in Cryptocurrency

The Lazarus Group stole 60% of all cryptocurrency losses in 2024 — $1.34 billion from a single Bybit breach. North Korea's cyber operations directly fund nuclear weapons. A threat intelligence and incident response deep dive.

north korea, lazarus group, cryptocurrency
Data Brokers
critical
2026-04-16 · 11 min

The $434 Billion Industry That Knows Where You Sleep

The US data broker industry is a $200+ billion economy selling everything from your home address to your health conditions. A data privacy investigation with opsec guidance for consumer cybersecurity.

data brokers, data privacy, surveillance
Government
critical
2026-04-16 · 10 min

Your Government Buys Your Data Instead of Getting a Warrant

When the Fourth Amendment doesn't apply, government agencies buy your data from brokers. A comprehensive investigation into government surveillance workarounds and data privacy.

government surveillance, data brokers, data privacy
ICE
critical
2026-04-16 · 12 min

ICE Built a $300 Million Surveillance Machine

ICE's $22 billion surveillance apparatus integrates DMV records, utility data, Palantir Gotham, and data broker feeds. A data privacy and surveillance investigation with consumer cybersecurity implications.

ice, palantir, government surveillance
AI
high
2026-04-16 · 9 min

Clearview AI's Privacy Settlement: Victims Are Now Shareholders

Clearview AI scraped 30+ billion photos from the public internet to build a facial recognition system sold to law enforcement. A landmark $52 million ACLU settlement followed. A data privacy and facial recognition investigation.

clearview ai, facial recognition, data privacy
Credentials
critical
2026-04-16 · 11 min

16 Billion Credentials Leaked in 2025: The Infostealer Epidemic

Infostealer malware like RedLine, Raccoon, and Lumma exfiltrated 3.2 billion credential records in 2025. The silent pipeline between personal device compromise and corporate ransomware attacks. A threat intelligence and incident response analysis.

infostealer, malware, ransomware
Apple
info
2026-04-16 · 10 min

Apple's Secret Feature That's Breaking Police Forensic Tools

Apple's iOS 18.1 Inactivity Reboot feature automatically returns iPhones to BFU state after 72 hours, blocking Cellebrite extractions. The biggest blow to mobile forensics since Secure Enclave. A mobile security and digital forensics analysis.

ios, apple, mobile security
Signal
high
2026-04-16 · 11 min

Your iPhone Remembers Your Signal Messages Even After You Delete Them

Signal notifications on iOS expose message previews that survive device extraction even with disappearing messages enabled. A mobile security and digital forensics hardening guide.

signal, mobile security, digital forensics
LastPass
critical
2026-04-16 · 12 min

$438 Million Stolen: The LastPass Breach Three Years Later

The LastPass breaches cost users $438 million in cryptocurrency theft and destroyed enterprise trust in cloud password managers. A deep dive into the breach timeline, architectural failures, and password manager security comparisons.

lastpass, data breach, password manager
Authentication
high
2026-04-16 · 11 min

SMS Two-Factor Is a $26 Million Lie

SIM swap attacks have stolen $200+ million in cryptocurrency from SMS-based 2FA users. Passkeys and hardware security keys are the only reliable defense. An authentication security and threat intelligence guide.

sim swap, 2fa, mfa
Mobile
critical
2026-04-16 · 14 min

Your Phone Got Hacked and You Did Nothing Wrong

Pegasus, Predator, and other nation-state spyware deploy zero-click exploits that require no user interaction. A threat intelligence and mobile security explainer on NSO Group-class surveillance.

zero-click, spyware, nso group
Ransomware
critical
2026-04-16 · 13 min

Inside a Ransomware Gang: HR Departments, Salaries, and Bonuses

Ransomware-as-a-Service operations like LockBit, BlackCat, and Cl0p run on affiliate economics. The business model evolution from ransomware attacks to double-extortion, and what it means for incident response and cyber insurance.

ransomware, raas, lockbit
AI
info
2026-04-16 · 18 min

Your AI Chatbot Is a Fancy Calculator. Here Is Why.

LLMs are next-token prediction engines, not reasoning machines. A technical takedown of AI sentience claims with implications for cybersecurity, social engineering, and threat intelligence.

ai security, llm, threat intelligence
Anthropic
info
2026-04-16 · 15 min

Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.

Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.

ai security, anthropic, mythos
Ad Tech
high
2026-04-16 · 16 min

How 200 Companies Learn Everything About You in 100 Milliseconds

Real-Time Bidding broadcasts your browsing data to hundreds of companies in under 100ms per page load. A deep dive into browser fingerprinting, cross-device tracking, and online profiling with data privacy implications.

rtb, online profiling, data privacy
Forensics
critical
2026-04-16 · 17 min

Digital Forensics: Exactly What They Can Pull From Your Devices

Cellebrite and GrayKey extract every message, location, authentication token, and deleted file from your phone — when the device is in AFU state. A digital forensics deep dive into mobile security, BFU/AFU extraction, and GrapheneOS hardening.

cellebrite, digital forensics, mobile security
Government
critical
2026-04-16 · 19 min

Seven Government Surveillance Powers You Have Never Heard Of

Geofence warrants, keyword warrants, tower dumps, Stingrays, NSLs, and Section 702 are the surveillance mechanisms that don't require a classical warrant. A comprehensive data privacy and opsec investigation into modern government surveillance.

government surveillance, geofence warrant, data privacy
Encryption
high
2026-04-16 · 16 min

Your Encryption Has an Expiration Date

Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacements in 2024. A post-quantum cryptography migration guide for application security and compliance teams.

post-quantum, cryptography, nist
Social Media
critical
2026-04-16 · 20 min

Fake Americans, Real Influence: Inside State-Sponsored Propaganda

Russia's IRA reached 126 million Americans. China's GoLaxy leak revealed 3,692 AI personas targeting US officials. A threat intelligence investigation into foreign state propaganda operations and defensive opsec.

propaganda, disinformation, threat intelligence
Hasura
critical
2026-04-16 · 14 min

Hasura GraphQL: Introspection, Auth Bypass, and Admin Secret Cracking

Hasura's permissive defaults, introspection-by-default, and shared-secret admin model make it a recurring finding on B2B SaaS penetration tests. A deep dive into GraphQL security audit patterns, row-level permission failures, and the hardening checklist for production Hasura deployments.

hasura, graphql, penetration testing
Authentication
high
2026-04-16 · 13 min

Passkeys vs Hardware Keys vs SMS 2FA: The Real Comparison

SIM swap attacks have stolen over $200 million from SMS 2FA users. Passkeys and hardware security keys are unphishable. A ranked comparison of every 2FA option: SMS, email, TOTP, push, passkeys, and FIDO2 hardware keys — for consumer and enterprise authentication security.

2fa, mfa, passkeys
Messaging
high
2026-04-16 · 15 min

Encrypted Messengers Ranked: Signal vs WhatsApp vs iMessage vs Telegram vs Matrix

Not every 'encrypted messenger' is actually encrypted. A practical comparison of Signal, WhatsApp, iMessage with ADP, Telegram, Matrix, Session, and SimpleX — including metadata exposure, jurisdiction, open-source status, and E2EE default behavior for data privacy decisions.

encryption, messaging, signal
VPN
medium
2026-04-16 · 14 min

VPN Reality Check: Who Actually Logs, Who Actually Protects

VPN marketing claims "military-grade encryption" and "complete anonymity." The reality is much narrower. A ranked breakdown of audited providers (Mullvad, Proton, IVPN, OVPN), providers caught lying in court, sketchy parent companies, and what a VPN can and cannot protect against in your actual threat model.

vpn, mullvad, proton
AWS
critical
2026-04-16 · 15 min

AWS IMDS Attacks: SSRF to Role Credentials to Full Account Compromise

The Capital One breach ($190M settlement) exploited a textbook IMDSv1 SSRF attack to exfiltrate 106 million customer records. A deep dive into AWS Instance Metadata Service security, IMDSv1 vs v2, SSRF exploitation, enforcement SCPs, and the cloud penetration testing runbook we use on Valtik engagements.

aws, cloud security, ssrf
AI
high
2026-04-16 · 14 min

What ChatGPT, Claude, and Gemini Actually Keep About You

Every AI chatbot retains your conversations. Retention periods, training use, law enforcement access, and breach history vary dramatically. A practical data privacy map of ChatGPT, Claude, Gemini, Copilot, Grok, and Meta AI — including the NYT v. OpenAI court order requiring indefinite retention.

ai security, chatgpt, claude
Supabase
critical
2026-04-15 · 14 min

Supabase: When Row-Level Security Isn't Enough

Row-Level Security is Supabase's primary access control mechanism. But RLS only protects PostgREST queries. It doesn't cover service_role keys hardcoded in client bundles, anon key abuse through realtime channels, or storage bucket ACL misconfigurations that lead to data breaches. A penetration testing walkthrough for Supabase security audits.

supabase, rls, baas security
Clerk
high
2026-04-15 · 10 min

Clerk Auth: The unsafe_metadata Footgun

Clerk's unsafe_metadata field is client-writable by design. If your application security model reads role assignments from metadata without server-side validation, any authenticated user can escalate to admin. A practical penetration testing guide to finding and fixing this privilege escalation vulnerability.

clerk, auth, metadata
Firebase
critical
2026-04-15 · 12 min

Firebase: Anonymous Auth With Open Firestore Rules

Firebase allows anonymous authentication by default. Combined with permissive Firestore security rules, the infamous allow read, write: if true gives any visitor full read/write access to every collection. This is a top source of cloud data breaches we uncover during Firebase penetration testing and security audits.

firebase, firestore, auth
Elasticsearch
critical
2026-04-15 · 13 min

Elasticsearch: The Open Cluster Epidemic

Elasticsearch ships with no authentication by default. The _search endpoint returns every indexed document, _cat/indices lists every index, and _cluster/settings exposes internal configuration. Thousands of clusters are publicly exposed with customer PII, logs, and credentials — a recurring pattern in data breach forensics and vulnerability assessments.

elasticsearch, data exposure, observability
Telecom
critical
2026-04-15 · 13 min

China Hacked America's Wiretap System. And They're Probably Still Inside

Chinese state-sponsored Salt Typhoon compromised US telecom carriers including AT&T, Verizon, and T-Mobile — the lawful intercept systems used for surveillance got owned. CISA called it the largest telecom hack in US history. A threat intelligence and nation-state cyber attack investigation.

salt typhoon, china, apt
Mobile
high
2026-04-15 · 14 min

What Police Can Actually Extract From Your Phone in 2026

Cellebrite and GrayKey extractions pull every message, photo, location, and authentication token from your phone. A digital forensics and consumer cybersecurity guide with opsec hardening tips.

cellebrite, digital forensics, mobile security
New research published weekly