![Day[0] cover](https://d3t3ozftmdmh3i.cloudfront.net/production/podcast_uploaded_nologo/1589585/1589585-1553556841291-2e3a293ad9c2e.jpg)
Podcast
Day[0]
Hosted by dayzerosec · EN
A weekly podcast for bounty hunters, exploit developers or anyone interesting in the details of the latest disclosed vulnerabilities and exploits.
12episodes
Episodes
Newest firstAll episodes
The Future
Apr 1001:20:07Tap to summarizeAfter 283 episodes, this will be the final episode of the DAY[0] podcast.We started the podcast on a hopeful note in the days following Ghidra's release. Now, to end it off we've got another discussion about how we see the future of vulnerability research and exploit development going. We recorded this episode before all the hype around "Mythos" and Project Glasswing so it doesn't play into our commentary here.Thank you all for the support over the last seven years.Good luck and happy hacking!Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/283.html[00:00:00] Introduction[00:09:57] Summer/Year Break Recap[00:10:18] Opening pAMDora's Box and Unleashing a Thousand Paths on the Journey to Play Beatsaber Custom[00:27:20] Vulnerability Research Is Cooked[01:15:42] OutroPodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
Exploiting VS Code with Control Characters
May 12, 202500:30:08Tap to summarizeA quick episode this week, which includes attacking VS Code with ASCII control characters, as well as a referrer leak and SCIM hunting.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/282.html[00:00:00] Introduction[00:00:57] Attacking Hypervisors - Training Update[00:06:20] Drag and Pwnd: Leverage ASCII characters to exploit VS Code[00:12:12] Full Referer URL leak through img tag[00:17:52] SCIM Hunting - Beyond SSO[00:25:17] Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach MessagesPodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
Mitigating Browser Hacking - Interview with John Carse (SquareX Field CISO)
Apr 22, 202501:46:57Tap to summarizeA special episode this week, featuring an interview with John Carse, Chief Information Security Officer (CISO) of SquareX. John speaks about his background in the security industry, grants insight into attacks on browsers, and talks about the work his team at SquareX is doing to detect and mitigate browser-based attacks.
Transcribe →
Pulling Gemini Secrets and Windows HVPT
Apr 16, 202501:33:22Tap to summarizeA long episode this week, featuring an attack that can leak secrets from Gemini's Python sandbox, banks abusing private iOS APIs, and Windows new Hypervisor-enforced Paging Translation (HVPT).Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/280.html[00:00:00] Introduction[00:00:18] Doing the Due Diligence - Analyzing the Next.js Middleware Bypass [CVE-2025-29927][00:29:20] We hacked Google’s A.I Gemini and leaked its source code (at least some part)[00:44:40] Improper Use of Private iOS APIs in some Vietnamese Banking Apps[00:55:03] Protecting linear address translations with Hypervisor-enforced Paging Translation (HVPT)[01:06:57] Code reuse in the age of kCET and HVCI[01:13:02] GhidraMCP: LLM Assisted RE[01:31:45] Emulating iOS 14 with qemuPodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
Session-ception and User Namespaces Strike Again
Apr 1, 202500:49:36Tap to summarizeAPI hacking and bypassing Ubuntu's user namespace restrictions feature in this week's episode, as well as a bug in CimFS for Windows and revisiting the infamous NSO group WebP bug.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/279.html[00:00:00] Introduction[00:00:28] Next.js and the corrupt middleware: the authorizing artifact[00:06:15] Pwning Millions of Smart Weighing Machines with API and Hardware Hacking[00:20:37] oss-sec: Three bypasses of Ubuntu's unprivileged user namespace restrictions[00:32:10] CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)[00:43:18] Blasting Past Webp[00:47:50] We hacked Google’s A.I Gemini and leaked its source code (at least some part)Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
Extracting YouTube Creator Emails and Spilling Azure Secrets
Mar 24, 202500:44:04Tap to summarizeThis episode features some game exploitation in Neverwinter Nights, weaknesses in mobile implementation for PassKeys, and a bug that allows disclosure of the email addresses of YouTube creators. We also cover some research on weaknesses in Azure.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/278.html[00:00:00] Introduction[00:00:35] Exploiting Neverwinter Nights[00:08:48] PassKey Account Takeover in All Mobile Browsers [CVE-2024-9956][00:22:51] Disclosing YouTube Creator Emails for a $20k Bounty[00:31:58] Azure’s Weakest Link? How API Connections Spill Secrets[00:39:02] SAML roulette: the hacker always wins[00:40:56] Compromise of Fuse Encryption Key for Intel Security FusesPodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
ESP32 Backdoor Drama and SAML Auth Bypasses
Mar 17, 202501:14:08Tap to summarizeDiscussion this week starts with the ESP32 "backdoor" drama that circled the media, with some XML-based vulnerabilities in the mix. Finally, we cap off with a post on reviving modprobe_path for Linux exploitation, and some discussion around an attack chain against China that was attributed to the NSA.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/277.html[00:00:00] Introduction[00:00:25] The ESP32 "backdoor" that wasn't[00:14:26] Speedrunners are vulnerability researchers[00:27:58] Sign in as anyone: Bypassing SAML SSO authentication with parser differentials[00:38:47] Impossible XXE in PHP[00:52:41] Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch[01:04:15] Trigon: developing a deterministic kernel exploit for iOS[01:06:43] An inside look at NSA (Equation Group) TTPs from China’s lensePodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
Exploiting Xbox 360 Hypervisor and Microcode Hacking
Mar 12, 202501:19:05Tap to summarizeA very technical episode this week, featuring some posts on hacking the xbox 360 hypervisor as well as AMD microcode hacking.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/276.html[00:00:00] Introduction[00:00:15] Reversing Samsung's H-Arx Hypervisor Framework - Part 1[00:10:34] Hacking the Xbox 360 Hypervisor Part 1: System Overview[00:21:18] Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit[00:30:48] Zen and the Art of Microcode Hacking[00:41:51] A very fancy way to obtain RCE on a Solr server[01:03:49] Cellebrite zero-day exploit used to target phone of Serbian student activist[01:16:03] When NULL isn't null: mapping memory at 0x0 on LinuxPodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
Path Confusion and Mixing Public/Private Keys
Mar 3, 202500:59:34Tap to summarizeThis week's episode features a variety of vulnerabilities, including a warning on mixing up public and private keys in OpenID Connect deployments, as well as path confusion with an nginx+apache setup.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/275.html[00:00:00] Introduction[00:19:00] The OOB Read zi Introduced[00:16:55] Mixing up Public and Private Keys in OpenID Connect deployments[00:22:51] Nginx/Apache Path Confusion to Auth Bypass in PAN-OS [CVE-2025-0108][00:31:50] Hacking High-Profile Bug Bounty Targets: Deep Dive into a Client-Side Chain[00:44:14] Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3[00:48:48] GigaVulnerability: readout protection bypass on GigaDevice GD32 MCUs[00:56:57] Attempted Research in PHP Class PollutionPodcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →
ZDI's Triaging Troubles and LibreOffice Exploits
Feb 25, 202500:57:02Tap to summarizeWe discuss an 0day that was dropped on Parallels after 7 months of no fix from the vendor, as well as ZDI's troubles with responses to researchers and reproducing bugs. Also included are a bunch of filesystem issues, and an insanely technical linux kernel exploit chain.Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/274.html[00:00:00] Introduction[00:00:12] Training: Attacking Hypervisors[00:01:03] Dropping a 0 day: Parallels Desktop Repack Root Privilege Escalation[00:24:48] From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11[00:30:19] Exploiting LibreOffice [CVE-2024-12425, CVE-2024-12426][00:46:47] Patch-Gapping the Google Container-Optimized OS for $0Podcast episodes are available on the usual podcast platforms: -- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063 -- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt -- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz -- Other audio platforms can be found at https://anchor.fm/dayzerosecYou can also join our discord: https://discord.gg/daTxTK9
Transcribe →