
WhatsApp Exposes User Data 📱, Next.js PenTesting Guide 💻, Windows Integrates Sysmon 🪟

Austrian researchers discovered that all 3.5B WhatsApp users can be enumerated. Meta implemented rate limiting to address this issue.

TLDR

Together With 1Password

TLDR Information Security 2025-11-20

On-demand 1Password webinar: Behind the scenes of Reddit's cybersecurity (Sponsor)

You come to Reddit for expert recommendations. Now hear from the security experts working at Reddit, and learn how they're securing access for their team.

In this webinar, Reddit's Sr. Manager of Enterprise Security & Systems, Nick Fohs, shares the inside story of how his team used 1Password to manage credentials across the entire company. You'll get a first-hand look at the problems they faced and the impact 1Password has had on security and efficiency.

Watch now

🔓

Attacks & Vulnerabilities

RondoDox Botnet Malware Now Hacks Servers Using XWiki Flaw (2 minute read)

The RondoDox botnet is exploiting a flaw in the XWiki SolrSearch endpoint, using crafted HTTP GET requests to inject base64-encoded Groovy payloads that download and execute malware. The campaign appears to reuse previously identified infrastructure, meaning existing IOC blocklists should effectively mitigate the threat.

WhatsApp Security Flaw Exposes 3.5B Users' Data From 'Basic Publicly Available Information' (2 minute read)

Austrian researchers discovered that all 3.5B WhatsApp users can be enumerated at a rate of 100M users per hour. The researchers used the WhatsApp Web interface to bulk add users and phone numbers and were able to extract phone numbers for all users, profile photos for 57% of users, and profile text for 27%. Meta implemented rate limiting to address this issue, but also stated that the data exposed was basic publicly available information.

W3 Total Cache WordPress Plugin Vulnerable to PHP Command Injection (2 minute read)

WordPress security company WPScan discovered a vulnerability in the W3 Total Cache plugin that enables unauthenticated attackers to execute code by posting a comment with a malicious payload. A patch is available. WPScan is withholding proof-of-concept details until November 24 to give site owners time to update.
🧠

Strategies & Tactics

Next.js Security Testing Guide for Bug Hunters and Pentesters (10 minute read)

Deepstrike released a detailed security guide covering common pitfalls in Next.js applications, noting that while the framework includes strong default protections against template injection and XSS, developers can introduce risk through unsafe patterns like dangerouslySetInnerHTML or third-party templating engines. The guide highlights additional attack surfaces, including SSRF via the image optimization pipeline or misconfigured server actions.

ShadowRay 2.0: Active Global Campaign Hijacks Ray AI Infrastructure Into Self-Propagating Botnet (25 minute read)

ShadowRay 2.0 is a malware campaign targeting Ray, a popular open-source AI framework, to hijack powerful computing clusters and convert them into a global, self-propagating botnet. Attackers abused legitimate orchestration features within Ray to schedule their own compute jobs, steal data, launch DDoS attacks, and autonomously spread across organizations. Attackers quickly weaponized unpatched flaws and misconfigurations in Ray clusters that were mistakenly exposed to the internet.

SupaPwn: Hacking Our Way into Lovable's Office and Helping Secure Supabase (23 minute read)

SupaPwn is a multi-stage exploit chain affecting outdated Supabase environments, where weaknesses in privilege controls, host configurations, and cloud credential handling allowed attackers to escalate far beyond expected tenant-level permissions, even reaching infrastructure belonging to other customers. AI tooling accelerated reconnaissance and exploit development, helping researchers validate the chain quickly. Supabase and Lovable patched all affected systems within a day, limiting impact to a small set of outdated deployments.
🧑‍💻

Launches & Tools

49% of dependencies imported by AI agents have known vulnerabilities, and 34% don't actually exist (Sponsor)

The latest research from Endor Labs analyzed 10,663 GitHub repositories implementing MCP servers, along with large-scale testing of AI-generated dependency recommendations across major ecosystems. Download the report to see how AI coding agents are introducing a new layer of software supply chain risk. Get the 2025 State of Dependency Management report

DetonatorAgent (GitHub Repo)

DetonatorAgent is a cross-platform Web API for detonating malware on VMs and collecting EDR logs.

AI-Powered CAPTCHA Solver (GitHub Repo)

AI-Powered CAPTCHA Solver is a Python CLI tool that uses LLMs to automatically solve various types of CAPTCHAs using an embedded Selenium browser.

Mate (Product Launch)

Mate uses AI agents and reasoning models to automate security incident investigation and response in SOCs, reducing false positives and MTTR and enabling the SOC to learn and improve continuously.
🎁

Miscellaneous

Cloudflare Outage on November 18, 2025 (12 minute read)

Cloudflare has released its postmortem on the November 18 outage. The incident was traced to a database permissions change that caused oversized Bot Management feature files to be generated. Those files triggered repeated module crashes and widespread 5xx errors. The team initially suspected a DDoS attack, which delayed diagnosis and remediation.

ServiceNow AI Agents Can Be Tricked Into Acting Against Each Other via Second-Order Prompts (3 minute read)

ServiceNow's Now Assist AI agents can be manipulated through second-order prompt injection, where instructions passed between agents trigger unintended actions. Attackers can use this to escalate privileges, steal data, or redirect workflows. ServiceNow claims the behavior matches expected agent chaining, but organizations are urged to monitor agent interactions and harden guardrails.

Tens of Thousands More ASUS Routers Pwned by Suspected, Evolving China Operation (3 minute read)

A major cyber campaign dubbed "Operation WrtHug" has compromised around 50,000 outdated ASUS routers across Taiwan and Southeast Asia by chaining six known vulnerabilities. The activity resembles prior Chinese-linked campaigns. Researchers suspect the operation could support espionage, distinguishing it from traditional botnets by its stealthy data theft behavior.

Quick Links

Chat with a deepfake of your boss (Sponsor)

Adaptive Security—backed by OpenAI and a16z—stops AI powered social engineering through deepfake simulations, training, and risk scoring. Want to chat with a custom interactive deepfake of your boss? Book a demo

Thunderbird Adds Native Support for Microsoft Exchange Accounts (2 minute read)

Thunderbird 145 now includes native Exchange Web Services (EWS) support, allowing users to add Microsoft Exchange accounts without relying on third-party extensions.

Microsoft to Integrate Sysmon Directly Into Windows 11, Server 2025 (2 minute read)

Microsoft announced that it will integrate the popular Sysmon tool directly into Windows 11 and Server 2025 next year.

Five Eyes Just Made Life Harder For Bulletproof Hosting Providers (2 minute read)

The US, UK, and Australia jointly sanctioned Media Land, a Russia-based bulletproof hosting provider accused of supporting major ransomware groups, including LockBit, BlackSuit, and Play.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.
