I've seen a TON of ways to fuck up Docker/OCI image builds and leak build context, secrets, etc. but I just reported one to a vendor that I've never seen before: they leaked a GitHub PAT through the build _provenance attestation_ and they'd been leaking multiple tokens for a few years (!). Wild.

Aaaaand Firebase claims another one. The misconfig rate for Firebase/appspot buckets and Firestore DBs has gotta be one the worst for a "turnkey" system.

Today I'm publishing my writeup about a number of security issues I reported last September to Zigazoo, the self-described "World's Largest Social Network for Kids!". Impact included access to all user records, uploaded media (inc deleted items), account escalation, and user impersonation.

jazz is the brown notes you _don't_ play