[HackerNotes Ep. 161] AI workflows, CSRF despite XFO, and DTMF exfil

YesWeHack yearly report, AI writeups and some interesting

Hacker TL;DR

  • AS Watson: new program on Intigriti with a massive scope.

  • YesWeHack Report 2026: AI usage is mainstream for learning/docs (69%), report drafting (51%), payload generation (40%), and code review/vuln analysis (38%).

  • CSRF: X-Frame-Options: DENY does not stop CSRF execution via iframe (it blocks rendering, not request processing). The real gating control here is SameSite.

  • Gemini App Exfil: “delivery → data access → exfil” chain using intent URI + tap-jacking, then exfiltrating a 2FA code via DTMF (phone number + ; to auto-play tones).

  • Cross-consumer attacks: when a victim domain/path points to a multi-tenant third party (docs/support/hosting), test if your tenant’s content can be served under the victim’s domain (ID/slug swaps, override params, tokens/JWT) → XSS/CSP abuse.

Hackernotes


YesWeHack Report 2026

AI usage breakdown:

How to use AI for client-side work:

  • Use JxScout to pull JavaScript files.

  • Feed them into an LLM workflow like Opus 4.6 to review:

    • client-side routes

    • query parameter parsing

    • hash parsing

    • postMessage listeners

  • Prioritize AI for:

    • payload generation

    • code review / vulnerability analysis

Other interesting stats:

CSRF, why X-Frame-Options is not a CSRF control

Observation:

  • Target endpoint was CSRF-able and had X-Frame-Options: DENY.

  • Multiple iframes were used to trigger the state-changing action.

  • The iframes “failed to load” visually due to X-Frame-Options, but the requests still executed server-side.

For CSRF, only the server-side effect matters, not the rendering, so the blocked iframes still carry out the CSRF. The focus should therefore be on SameSite cookie behavior first (will cookies be sent cross-site?). Whether to use an iframe or fetch then depends on the constraints, but “frameable” is not the decisive question for CSRF.
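The check described above, as an added example that is not from the episode or the original write-up: it reads a session cookie's SameSite attribute and reports in which cross-site contexts the cookie reaches the server, while X-Frame-Options is reported but never consulted. The function names, context labels and sample headers are constructed for illustration, and a cookie with no SameSite attribute is assumed to be treated as Lax.

```python
# Added example. Assumption: a cookie without a SameSite attribute is treated
# as Lax (Chromium behaviour); browser-specific exceptions and third-party
# cookie blocking are not modelled.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def parse_samesite(set_cookie: str) -> str:
    """Return 'strict', 'lax', 'none' or 'rejected' for one Set-Cookie value."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    for attr in attrs:
        if attr.startswith("samesite="):
            value = attr.split("=", 1)[1]
            if value == "none":
                # Chromium rejects SameSite=None cookies that lack Secure.
                return "none" if "secure" in attrs else "rejected"
            if value in ("strict", "lax"):
                return value
    return "lax"  # assumed default, see note at top

def cookie_sent(samesite: str, method: str, top_level: bool) -> bool:
    """Would the browser attach the cookie to a cross-site request?"""
    if samesite == "none":
        return True
    if samesite == "lax":
        # Lax cookies ride only on top-level navigations with a safe method.
        return top_level and method.upper() in SAFE_METHODS
    return False  # strict or rejected

def csrf_exposure(set_cookie: str, response_headers: dict, method: str) -> dict:
    """Summarise which cross-site contexts deliver the session cookie."""
    samesite = parse_samesite(set_cookie)
    contexts = {"cross-site iframe": False, "cross-site top-level navigation": True}
    headers = {k.lower(): v for k, v in response_headers.items()}
    return {
        "samesite": samesite,
        # X-Frame-Options is a response header: the server has already
        # processed the request when the browser reads it, so it is
        # reported here but plays no part in the decision.
        "x_frame_options": headers.get("x-frame-options"),
        "cookie_sent_in": [c for c, top in contexts.items()
                           if cookie_sent(samesite, method, top)],
    }

# Constructed sample: (Set-Cookie value, response headers, endpoint method).
SAMPLES = [
    ("session=abc; Secure; HttpOnly; SameSite=None", {"X-Frame-Options": "DENY"}, "GET"),
    ("session=abc; Secure; HttpOnly; SameSite=Lax", {"X-Frame-Options": "DENY"}, "POST"),
]

if __name__ == "__main__":
    for cookie, hdrs, method in SAMPLES:
        print(csrf_exposure(cookie, hdrs, method))
```

An empty `cookie_sent_in` list means the browser withholds the session cookie cross-site; a CSRF token or Origin check on the endpoint is a separate control that this sketch does not inspect.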

Write-up from Starstrike about Data Exfiltration in Gemini

Here is the full attack chain scenario:

  • Delivery: an intent URI in Gemini to preload a query/prompt.

  • User interaction: tap-jacking (have the user tap multiple times; trigger the intent swap mid-sequence; their finger ends up on “Send”).

  • Data access: prompt asks Gemini to retrieve a 2FA code from the user’s messages.

  • Exfil: encode the 2FA code as DTMF tones.

    • Use ; after a phone number to auto-play DTMF.

    • Tell Gemini to call the number (as this is an action not requiring extra user prompting in this scenario).

That was insane and a very creative way to exfiltrate data.

Bug Bounty payout cuts

  • Spotify and HackerOne programs reduced bounties

  • HackerOne payouts are now:

    • Medium: $1,500

    • High: $7K

    • Critical: $15K

Also, the community discussed a change in HackerOne's general terms and conditions (clause 3.1):

  • H1 may use confidential info to improve services, including “identify trends” and “train AI models,” provided it does not disclose to unauthorized third parties.

  • Community concern is mainly “are reports being used to train models?”

  • But it can also be intended as a broad statement tied to internal tooling (Hai) rather than a “super-hacker AI” project.

We will cover this in more detail in a later episode, pending HackerOne's statement about it.

Cross-consumer attacks

How it works:

  • Victim uses a third party to serve content (JS/docs/support/etc.) via a victim-controlled domain or path.

  • Attacker creates their own tenant on the third party, hosts content (SVG/HTML/JS), then attempts to access it under the victim’s domain by manipulating:

    • URL IDs (like an IDOR)

    • slugs

    • override/debug parameters

    • tokens / signed URLs / JWT-like access patterns

Some patterns to check if it's possible:

  • Look for paths like:

    • /docs/<id>/file.html

    • /docs/<slug>/...

  • Upload “impactful” content on your tenant:

    • SVG, HTML, JS (also useful for CSP interactions)

  • Check whether the third-party hosts are CSP holes (XSS/exfil support)

  • Hunt for parameters that override the tenant/host (read provider docs + Google dorking on the path pattern using gau for instance)

  • Test “signed URL / token / JWT” flows:

    • token not properly bound → cross-customer access

  • Don’t limit to HTML pages:

    • test file download flows (e.g., PDFs)

As always, impact is king: prove concrete impact (e.g., XSS) rather than arguing about “public content.”

That's it for today, keep hacking
