Skip to main content

About Sociosploit

In the wake of all the recent controversy surrounding social media exploitation (Cambridge Analytica scandal, "fake news" dissemination, election meddling, etc.), we have concluded that a more thorough investigation is warranted to understand the risks associated with everyday use of social media. And so, Sociosploit was born. Sociosploit is an academic research foundation focused specifically on understanding security risks and exploitation potential of the social web. Particular topics that we will be addressing include:

  • Information Security
  • Privacy
  • Misuse of Social Network Platforms
  • Social Engineering

We are staunch supporters of a free and open internet. We believe that people's data is their own, and that a well-informed populace, which understands the risks and means to safeguard themselves, is the best way to ensure that the data held by social networks is not misused, mishandled, or exploited in ways that were not formerly intended by the data owners (i.e. the users). It is our mission that, through this platform, we can increase that awareness for our readers.

Our Team

Hutch -- Founder / Security Researcher
Hutch has a Master's degree in Information Systems and multiple information security certifications to include OSCP, GPEN and GWAPT. Hutch started his information security career in the United States Air Force, and now oversees the execution of red team assessments, penetration tests, and attack simulations in a security consulting role.

JB -- Security Researcher
After graduating from Adams State University in 2017, JB worked as a recruiter supporting Houston's oil and gas industry. However, he knew that it was only temporary, and that he wanted to have a career that touched his knack for problem solving. In October of 2019 he quit his job as a recruiter so that he could pursue a career in software engineering. In JB's free time he writes music, volunteers as an ice skating coach for children with disabilities, and enjoys a good hike outdoors. If you’re looking for JB, it’s a safe bet he’s at the ice rink, at the gym, or at his desk hammering out walls of code.


  1. Hi there, how can we talk about your blog? Could you write me by e-mail?


Post a Comment

Popular posts from this blog

Another "Fappening" on the Horizon?

So in case you aren't fully up-to-speed on useless hacker trivia, "The Fappening" (also sometimes referred to as "Celebgate") was a series of targeted end-user cyber attacks which occurred back in 2014 (which strangely feels like forever in tech years), that resulted in unauthorized access to the iCloud accounts of several prominent celebrity figures.  Following these breaches, photographs (for many including personal sexually explicit or nude photos) of the celebrities were then publicly released online.  Most evidence points to the attack vector being spear phishing email attacks which directed the victims to a fake icloud login site, and then collected the victim's credentials to subsequently access their real icloud accounts.

Migration to MFA In response to these events, Apple has made iCloud one of the very few social web services that implements compulsory MFA ("Multi-Factor Authentication").  But while they might be ahead of the industry in…

Bypassing CAPTCHA with Visually-Impaired Robots

As many of you have probably noticed, we rely heavily on bot automation for a lot of the testing that we do at Sociosploit.  And occasionally, we run into sites that leverage CAPTCHA ("Completely Automated Public Turing Test To Tell Computers and Humans Apart") controls to prevent bot automation.   Even if you aren't familiar with the name, you've likely encountered these before.
While there are some other vendors who develop CAPTCHAs, Google is currently the leader in CAPTCHA technology.  They currently support 2 products (reCAPTCHA v2 and v3).  As v3 natively only functions as a detective control, I focused my efforts more on identifying ways to possibly bypass reCAPTCHA v2 (which functions more as a preventative control).
How reCAPTCHA v2 WorksreCAPTCHA v2 starts with a simple checkbox, and evaluates the behavior of the user when clicking it.  While I haven't dissected the underlying operations, I assume this part of the test likely makes determinations about t…

Twitter Remote Access Trojan (Twittersploit)

Developed a malware sample that leverages Twitter direct messaging as a channel for command and control.
Web Service Command and Control Have recently been structuring a lot of my penetration testing efforts around the MITRE ATT&CK framework. One technique that specifically caught my attention while doing an assessment based on the Command & Control (C&C) section was the T1102 - Web Service C&C technique. It references multiple malware samples that leveraged Twitter as a C&C channel. These samples included: CozyCarHAMMERTOSSMiniDukeOnionDuke This technique proved to be uniquely effective for a few reasons: Traditional C&C Channels Blocked - Many organizations are now taking a (quasi) white-listing approach to URL filtering (i.e. blocking unclassified site categories), thereby blocking hastily established C&C channels over HTTP(S)Web Service Availability - More and more organizations are opening up corporate infrastructure to social media web services (such as…