🐱 New Blog Post: Petlibro Smart Pet Feeder Vulnerabilities (Partially Fixed, $500)
Found critical vulns in Petlibro - one of the biggest smart pet feeder companies:
• Auth bypass via broken OAuth - just need a Google ID (public info via Google APIs) to log in as anyone
• Access any pet's data, devices, serial numbers, MAC addresses
• Hijack any device - change feeding schedules, access cameras
• Access private audio recordings (mealtime messages to pets)
• Add yourself as shared owner to any device
The worst part? They "fixed" the auth bypass by making a new endpoint... but left the old vulnerable one active for "legacy compatibility." Two months later, still working.
Also tried to get me to sign an NDA AFTER paying the bounty. That's not how contracts work.
🍔 Just collabed with @BobTheShoplifter on a MASSIVE SECURITY BREACH: We exposed how Restaurant Brands International (Burger King, Tim Hortons, Popeyes) left their drive-thru systems etc. completely vulnerable.
🎯 What we found:
• Unauthenticated API access to ALL drive-thru locations globally
• Drive-thru voice recordings of customers accessible
• Employee PII exposed.
• Bathroom feedback systems with zero auth
• Hardcoded passwords in client-side code
The scope was insane - we could access any drive-thru system globally. Even listen to your actual drive-thru orders 👂
Credit to RBI for lightning-fast response once disclosed, but the privacy implications were staggering.
🤖 Hacked China's Biggest Robotics Company (Pudu Robotics)
Pudu makes those cat-faced BellaBot robot waiters you see in restaurants, plus cleaning robots, disinfection bots, and even FlashBots with mechanical arms for offices.
Found critical vulnerabilities in their app controlling their entire global fleet:
• Zero authentication on APIs
• Could control any robot worldwide
• Accepts 20k store IDs in a single request, no rate limiting
• Could steal food, documents, redirect hospital medicine delivery
• FlashBot with arms could grab files & use elevators
Reported Aug 12. Sent emails to sales, support, tech teams - all ignored.
Had to email Skylark Holdings (7000+ restaurants) and Zensho directly about their compromised robots.
Pudu responded in 48hrs with obvious ChatGPT template - forgot to replace "[Your Email Address]" placeholder. Fixed 2 days later.
Thousands of robots (BellaBots, KettyBots, FlashBots, etc.) in hospitals, restaurants, offices worldwide were vulnerable for a long time.
• Update any user's data by just changing the UID in requests
• Delete anyone's account
Reported November 2024, they responded in March 2025 with a $100 gift card offer. Still unfixed.
Every single endpoint trusts client-provided user IDs without verification. This is as bad as it gets for a dating app handling sensitive personal data.
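The flaw described above (the server authenticates the caller, then acts on whatever user ID the request body names) next to its fix, as an added illustration that is not code from the dating app or from this post; `USERS`, `SESSIONS` and `AUDIT_LOG` are constructed in-memory tables used only for the demo.

```python
# Constructed demo data: session token -> authenticated uid, and user records.
USERS = {
    "u1": {"email": "alice@example.invalid", "bio": "hi"},
    "u2": {"email": "bob@example.invalid", "bio": "hello"},
}
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}
AUDIT_LOG = []  # where a mismatch between session identity and requested uid is recorded


class Forbidden(Exception):
    pass


def audit(event, **details):
    # Detection hook: a uid mismatch on an authenticated request is the
    # signature of an IDOR attempt and should alert, not just be dropped.
    AUDIT_LOG.append({"event": event, **details})


def update_profile_vulnerable(session_token, uid, fields):
    """Vulnerable: checks that *some* session exists, then trusts the
    client-supplied uid, so any logged-in user can edit any account."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    USERS[uid].update(fields)  # uid comes from the request body, unverified
    return USERS[uid]


def update_profile(session_token, uid, fields):
    """Fixed: the acting identity is the one bound to the session; a
    client-supplied uid is only accepted when it matches that identity."""
    actor = SESSIONS.get(session_token)
    if actor is None:
        raise Forbidden("not logged in")
    if uid != actor:
        audit("uid_mismatch", actor=actor, requested=uid)
        raise Forbidden("cannot modify another user's profile")
    USERS[actor].update(fields)
    return USERS[actor]


def delete_account(session_token, uid):
    """Same rule for deletion: only the session's own account may be removed."""
    actor = SESSIONS.get(session_token)
    if actor is None or uid != actor:
        raise Forbidden("cannot delete another user's account")
    USERS.pop(actor)
    SESSIONS.pop(session_token)
    return actor
```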
🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦
Technical details:
• Design Hub: used to be a client-side password; the registration endpoint exists and works even though they don't want signups
• TRT portal: crew accounts could enumerate/impersonate all employees from general manager to CEO
• GRS panel: complete authentication bypass, arbitrary HTML injection
• Magicbell API keys/secrets exposed in client-side JS
• Algolia indexes listable with user PII
• CosMc's: server-side validation missing for coupon redemption
They fixed it but fired my friend who helped find the OAuth vulnerabilities.
Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦
• Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
• 2024: Another person reports XMPP email leak AND account takeover vuln, offered 2 free sex toys (accepted for the meme)
• March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
• Told me the fix for the email vuln needs 14 months because "legacy support" > user security (had a 1-month fix ready)
• July 28: I go public
• July 30: Both fixed in 48 hours
Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.