MonkeHacks #90
It seems that I never have quiet weeks. My cats got bored of their food so I had to rotate to a new brand to keep them fed. The weather warmed up by a few degrees again, although it’s still grey and dull.
On the 21st, I’ll be flying to Copenhagen to visit some friends - if you’re based near Copenhagen and want to hang out, send me a message! I’m flying back to Edinburgh on the 24th.

A street view of Edinburgh’s old town.
Weekly Ideas / Notes
I got a Polar H10 chest strap heart rate sensor. Chest strap sensors are the most accurate sensors you can get - Apple Watches are okay but chest straps are the superior option (and relatively inexpensive). I still wear the Apple Watch during exercise for the GPS functionality. There were a few numbers I wanted to measure - my maximum heart rate (MHR) and resting heart rate (RHR). My dad and my brother are both very athletic, and so I was following their guidance on this. These numbers, plus the changes in heart rate depending on my state of activity, allow me to quantify my aerobic fitness. If you’re doing any kind of running training I would strongly recommend getting a chest strap heart rate sensor - you can track your physical health much more accurately. That being said, all I learned from it this week was that I am quite unfit - I wore it to my soccer game, and my recovery between sprints wasn’t very good, but this is thankfully something I can improve by doing light runs in the gym every few days.
If you tuned into the Critical Thinking Charity Hackalong - thank you! We had a few findings across the 10 hours of cumulative hacking we did, and there were consistently 70-100 people online at any time. That’s an impressively large audience. I had a ton of fun doing my 2-hour session of hacking (server-side by overwhelmingly popular demand, as they had 4 hours of client-side before that) and we found some interesting leads. Again, thank you for tuning in!
I should be at the Manchester meetup on January 31st with the UK Ambassador club. I’m looking forward to seeing some familiar faces again.
The Hackalong kicked me back into gear for bug bounty. I’ve stopped doing much hacking outside of LHEs, but I miss constructing crazy chains. I want to cook this year, and I don’t want these to be empty words.
Reading List
| Title | Pages (read / total) | Author |
|---|---|---|
The Night Circus | 130/512 | Erin Morgenstern |
Solenoid | 130/600 | Mircea Cărtărescu |
A Random Walk Down Wall Street | 150/300 | Burton Malkiel |
How The World Made The West | 265/400 | Josephine Crawley Quinn |
Founders At Work | 190/472 | Jessica Livingston |
Resources
Achieving remote code execution in LangSmith Playground using unsafe template formatting: Awesome research from the CTBB lab.
Gift cards security research: This is a pretty great lesson on ROI; most hackers seem allergic to the concept of spending money to make money.
Pwning Claude Code in 8 Different Ways: Ryotak is unstoppable. No, seriously. He’s like some kind of high-power hacker laser-beam that you can target at attack surface to annihilate it.
Breaking Multi-Tenant Isolation in Heroku Postgres: A classic Postgres privilege escalation in Heroku using definer functions.
BodySnatcher (CVE-2025-12420): A Broken Authentication and Agentic Hijacking Vulnerability in ServiceNow: Aaron Costello at AppOmni (my old workplace) found a critical issue in ServiceNow within their AI products.
Copilot or Coconspirator - Tricking GitHub Copilot and Stealing all Your Secrets: My friend Adnan Khan with another fantastic piece of research on GitHub.
Youssef Sammouda dropped EIGHT writeups this week for bugs he found on Meta. This is must-read content; Youssef is a client-side master.
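Since the LangSmith entry above is filed under "unsafe template formatting", here is the generic shape of that bug class as an added example. This is my own illustration, not the CTBB lab's code or the LangSmith exploit: a user-controlled template goes straight into Python's str.format() with a rich object as the argument, so the template can walk attribute and index chains into things it was never meant to see. The Config class, the SECRET value and the "{cfg...}" field names are all constructed for the demo; the hardened version swaps in a Formatter subclass that only resolves flat, allow-listed field names.

```python
"""Unsafe vs. hardened template formatting (added illustration, not from the linked research)."""
from string import Formatter

# Constructed module-level value standing in for anything an attacker should not reach.
SECRET = "module-level-secret"


class Config:
    """Hypothetical object the playground hands to the template engine (assumed for the demo)."""

    def __init__(self) -> None:
        self.name = "playground"
        self._api_key = "sk-constructed-secret"  # constructed sample secret


def render_unsafe(template: str, cfg: Config) -> str:
    """Vulnerable pattern: str.format resolves any {cfg.attr[key]...} chain the template asks for."""
    return template.format(cfg=cfg)


class SafeFormatter(Formatter):
    """Only substitutes bare identifiers present in an explicit mapping.

    Attribute walks ({x.y}), index walks ({x[y]}) and positional fields ({}) are
    rejected, because those are exactly what turns a template into a read primitive.
    """

    def __init__(self, allowed: dict) -> None:
        super().__init__()
        self.allowed = allowed

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier() or field_name not in self.allowed:
            raise KeyError(field_name)
        return self.allowed[field_name], field_name


def render_safe(template: str, cfg: Config) -> str:
    """Hardened pattern: the template can only name values we deliberately exposed."""
    exposed = {"name": cfg.name}
    return SafeFormatter(exposed).format(template)


if __name__ == "__main__":
    cfg = Config()
    # Direct private-attribute read.
    print(render_unsafe("key={cfg._api_key}", cfg))
    # Walk from the instance, through its class, into the module globals.
    print(render_unsafe("{cfg.__class__.__init__.__globals__[SECRET]}", cfg))
    # The same templates against the hardened renderer.
    print(render_safe("hello {name}", cfg))
    for bad in ("{cfg._api_key}", "{cfg.__class__.__init__.__globals__[SECRET]}", "{}"):
        try:
            render_safe(bad, cfg)
        except KeyError as err:
            print(f"rejected field {err}")
```

The check that matters in review is not whether the template comes from a "trusted" UI but whether str.format (or Jinja2 without a sandbox, or any engine that resolves attribute access) ever sees user-controlled format strings alongside an object richer than a flat dict of strings.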
