All Posts

  • Finding Security Fixes Without CVE: A Changelog and Commit Pipeline

    Many real security fixes never get a CVE. Maintainers patch a vulnerability, mention it in release notes or commit messages, and move on. If you care about supply-chain risk or tracking silent fixes, those changelogs and commits are a useful but underused signal. In this post I’ll walk through a...

  • Game Hacking 101 Part 2: Memory Analysis with Minesweeper Reverse Engineering

    In the first part of the Game Hacking 101 series, we learned memory manipulation techniques in Mount and Blade Warband. In this second part, we’ll explore more advanced techniques by reverse engineering Minesweeper. We’ll use Cheat Engine for pointer scanning, x64dbg for hardware breakpoints, and memory analysis to decode the...

  • Identifying Coin Scammers: Coin Mixing Analysis with Wallet-Tracker

    Online scams are becoming increasingly common in today’s digital world. From phishing attempts to fake cryptocurrency exchanges, it can be hard to know who to trust. One tool that can help you protect yourself from cryptocurrency scammers is Wallet-Tracker. This tool uses the Wallet-Tracker CLI, Neo4j database, and a user-provided scammer...

  • If Nobody Reads Code, Why Not Write in Assembly? So Here's Redis in Assembly

    Everyone’s writing code these days. AI assistants generate functions, classes, entire applications. But here’s the thing: nobody’s reading it. We’re in this weird era where developers can produce thousands of lines without understanding what any of it does. I call it vibe-coding: you vibe with the AI, it writes code,...

  • Cross-Site WebSocket Hijacking in Bokeh: CVE-2026-21883

    During a security review of Bokeh, I found a vulnerability in the WebSocket origin validation logic that allows Cross-Site WebSocket Hijacking (CSWSH). The match_host function in Bokeh’s server code uses flawed hostname matching that can be bypassed by registering malicious subdomains.

  • CVE-2026-22787: Cross-Site Scripting (XSS) Vulnerability in html2pdf.js Library

    A Cross-Site Scripting (XSS) vulnerability has been identified in the html2pdf.js library. The vulnerability exists due to unsanitized user input being directly assigned to the innerHTML property. This allows attackers to execute arbitrary JavaScript code in the context of the application, potentially leading to session hijacking, data theft, and unauthorized...

  • Game Hacking 101: Memory Manipulation in Mount and Blade Warband

    Game hacking opens a window into how games store and manage data in memory. By understanding memory manipulation, you can modify in-game values, experiment with game mechanics, and gain deeper insights into how software works at a low level. In this guide, we’ll explore memory manipulation techniques using Mount and...

  • SQL Injection Vulnerability: Security Issue in GeoPandas to_postgis() Function

    While using the GeoPandas library one day, I noticed something was wrong with the to_postgis() function. User inputs were being directly concatenated into SQL queries. This was a classic SQL injection vulnerability. After finding the vulnerability, I also wrote the fix myself and opened a pull request. In this post,...

  • CVE-2025-66019: LZW Decompression DoS Vulnerability in pypdf Library

    PDF files use various algorithms to compress their content. This compression reduces file size but also carries some security risks. While conducting security research, I discovered a DoS (Denial of Service) vulnerability in the pypdf library’s LZW (Lempel-Ziv-Welch) decompression implementation. In this post, I’ll first explain how the LZW algorithm...

  • PassDetective: Detecting Passwords and Secrets in Your Shell History

    Your shell command history might contain accidentally written passwords, API keys, or secrets. This information is stored in your history files and poses a security risk. PassDetective is a command-line tool that scans your shell history to detect such sensitive information. Available on both Kali Linux and NixOS, this tool...

  • AI-Powered CAPTCHA Bypass: Automating CAPTCHA Solving with GPT-4o and Gemini

    While conducting security research, I wanted to test how effective CAPTCHAs really are. I was curious about how well modern AI models could solve visual and text-based CAPTCHAs. That’s why I developed a tool that uses large multimodal models (LMMs) like OpenAI’s GPT-4o and Google’s Gemini to automatically solve various...

  • exifLooter: Extracting Hidden Location Data from Images

    While using exiftool in OSINT research, I developed exifLooter as an enhanced version that makes it easier to extract GPS coordinates and visualize them on OpenStreetMap. exifLooter is built on top of exiftool and provides a more practical solution, especially for extracting GPS coordinates and visualizing them on maps. Moreover,...

  • Hacking Instagram Scammers

    Security research on Instagram phishing scams. Learn how scammers steal Instagram accounts through phishing websites and how to investigate them using OSINT techniques and XSS vulnerabilities.

  • Bypassing Door Passwords

    Instead of a key, this type of lock system requires a numerical code to grant entry to a facility or property. The code is punched in by users via a numerical pad, similar to those on a basic calculator. If the correct code is entered, the door lock or deadbolt...