MonkeHacks #91
A friend of mine from Osaka was staying with me in Edinburgh this week, and I travelled with him down to London. My friend is a freelancer - more specifically, he works in the sustainability industry, and his main ongoing project is Igusabi - a startup aiming to use the leftover rush grass from the tatami production process to create other products such as furniture and clothes. I visited the Mills Fabrica, a coworking space near King’s Cross station specialising in sustainability, and later on we met my friend’s friend as well, who is building a startup for renting houses and apartments in western Ukraine. I really enjoy learning about what other people are working on.
The day after that, I flew to Copenhagen to visit some friends. I almost lost contact with one of my good friends living there, but I went on a fun side-quest to track him down. He had changed his phone number from a Japanese number to a Danish number, so my WhatsApp messages no longer reached him. I knew he used to go to a particular darts bar often, so I went to that bar and asked about him, and they had his Instagram account! So I was able to contact my friend again. I’m quite proud of that, as I could’ve lost contact forever if I hadn’t made that effort to reconnect. I flew back home to Edinburgh on Saturday.

Flying to Copenhagen from Heathrow Airport in London.
Weekly Ideas / Notes
I read the (relatively short 200-page) entirety of Rework by DHH and Jason Fried this week. Absolutely excellent book about business and running a company and things like that. The core message boils down to doing your own thing and not getting swept along with the startup fever, and focusing on what’s actually valuable, not just what people tell you is valuable. Anyhow, I highly recommend this book. It’s the type of content you want to shove into an LLM to keep yourself on track. I might do that.
I read The Internet Just Watched Tony Robbins Try to Save Alex Hormozi's Soul and it’s quite insightful and profound. Highly recommended. I think we, as bug bounty hunters / hackers, tend to fall into this scoreboard trap too easily.
It’s been a very slow month of hacking for me. Hopefully things pick up a bit in February. I still have 4 days to find some cool stuff, though, so I might lock in a bit and grind out some bugs.
I hate taxes. That is all. I’ve been knuckling down on the admin work I’ve been procrastinating on, and I’m caught up on nearly everything now, but it was such a hellish process that I’ll almost certainly vibe-code something to remove the friction involved.
I’ll be dropping something very fun this week. Stay tuned.
Reading List
| Title | Pages | Author |
|---|---|---|
| The Night Circus | 130/512 | Erin Morgenstern |
| Solenoid | 130/600 | Mircea Cărtărescu |
| A Random Walk Down Wall Street | 150/300 | Burton Malkiel |
| How The World Made The West | 265/400 | Josephine Crawley Quinn |
| Founders At Work | 190/472 | Jessica Livingston |
Resources
Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass): Nice technical writeup on RCE in SmarterTools SmarterMail.
Stealing Salesforce OAuth Tokens using the WAF: Castilho weaponised Cloudflare’s WAF to prevent the OAuth flow from consuming the code. Very clever trick.
hacking clawdbot and eating lobster souls: Some misconfigurations in clawdbot, namely publicly exposed dashboards and such. Pretty serious.
Cloudflare Zero-day: Accessing Any Host Globally: This is a type of vulnerability I really like - a routing misconfiguration. It’s a good read.
Summary of CVE-2026-23864: More React vulnerabilities, some of which were found by the legendary Ryotak.
