Hey everyone!
My 30-day trial of the Claude Max 20x subscription, sponsored by DHF and with the kind support of , ended today, and I’d like to share here everything I was able to accomplish over the past 30 days. The past month has been really exciting, and I’ve been able to significantly expand my knowledge of application security through the use of AI and the results generated during my sessions.
Image made in Chat GPT Image 2.0 / released roughly 24 hrs ago - context - this entire article - lol
First things first—in this report, I’ll barely touch on any details—security is always my top priority in the HIVE ecosystem, so I’m trying as much as possible not to delve too deeply into the subject… because there’s still a lot of work ahead of us. A HIVE workgroup would be helpful!
Okay, let’s get started—for some of the findings, I had to draw on my years of experience in the HIVE ecosystem, because as a security tester, you sometimes have to think outside the box to uncover additional bugs. Here’s what comes to mind today regarding each project:
VSC - Magi
I reviewed the frontend and the contracts and found a few issues. I reported them to the team immediately, and they were addressed right away during the project’s development phase. The collaboration was excellent—but I don’t want to go into further detail here.
Actifit
A frontend I don’t use very often—in fact, hardly ever—but it’s still a frontend used by some users in the Hive community. Here, I was able to uncover several XSS vulnerabilities and report a CSS injection vulnerability. The team responded immediately and fixed the bugs. I also found credentials that exposed private API keys from external services—these keys were then swapped out and are now hidden behind a .env file—the issue here was a misconfiguration of the web app. Furthermore, I was able to gain elevated privileges and leave a message in every user’s wallet as the Actifit account. Demonstrated—reported—fixed! That’s how it’s done!
Thanks for fixing! <3
PeakD & PeakD-Related Projects
During this period, I was able to uncover quite a few issues and report them directly to the great . Since we’ve known and respected each other for a very long time, our collaboration has been incredibly smooth—one of the best experiences I’ve had across all my projects. On PeakD itself, I discovered a private information leak—due to an image proxy that wasn’t configured very well. I’m currently working on a specific type of prompt injection, which will likely keep me busy for a few more weeks. Furthermore, I found and reported an XSS vulnerability in one of PeakD’s projects. And to top it all off, I was able to launch a CSS injection attack—I only tested it on my own profile. It was fixed immediately! And kind words like “that people hate and love me at the same time” show me that I’m doing everything right. PeakD Love <3 <3 <3
Ecency.com
I’ve always felt very comfortable with Ecency—over the years (and I’ve checked it time and time again), I really couldn’t find any major flaws or bugs. But my inner voice kept telling me, “There’s gotta be something.” So I just gave the Claude AI a little more Hive-related context and told it to try a bit harder ;) No sooner said than done! I found a case where a Top 50 Witness wrote something specific about their Witness, which caused the Ecency subpage displaying the Witnesses to crash. Reported—fixed! That took care of the Server Error 500 on the Witness page for the time being... but shortly after, I was able to point out even more errors in the Ecency code to the good folks at . As a result, at least two additional XSS vulnerabilities were fixed, one of which was very deeply hidden and couldn’t really be exploited easily—but better safe than sorry, so it was fixed.
Hive.Blog
I’ve already written an article about my findings and research on Hive.Blog. Long story short -> Multiple XSS vulnerabilities – Using specially crafted prompts, I was able to trick the system into thinking I had an X (Twitter) or Reddit embed that didn’t actually exist but was still rendered in the frontend. I’d also like to extend my heartfelt thanks to /
, who took my report seriously in the middle of the night and deployed the fixes directly to the frontend.
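The fake-embed finding above does not say how the embed detection was fooled, so what follows is a defensive pattern as an added example, not Hive.Blog's own code: treat a post link as an X or Reddit embed only after parsing it as a URL, matching an exact host allowlist and the expected path shape, and rebuilding the embed target from the validated parts instead of echoing the author's string. The hostnames and path patterns below are assumptions.

```javascript
// Added example (not code from Hive.Blog or any Hive frontend): strict embed
// allowlisting. A renderer that decides "this is an X/Reddit embed" by loose
// text matching can be tricked into rendering an embed that does not exist;
// this only accepts a parsed https URL on an exact host with the expected path.
// Hostnames and path shapes are assumptions, not taken from the original post.
const EMBED_RULES = [
  {
    kind: "x",
    hosts: new Set(["twitter.com", "www.twitter.com", "x.com", "www.x.com"]),
    // /<user>/status/<numeric id>
    path: /^\/([A-Za-z0-9_]{1,15})\/status\/(\d{1,25})\/?$/,
    build: (m) => ({ user: m[1], id: m[2], canonical: `https://x.com/${m[1]}/status/${m[2]}` }),
  },
  {
    kind: "reddit",
    hosts: new Set(["reddit.com", "www.reddit.com", "old.reddit.com"]),
    // /r/<subreddit>/comments/<base36 id>/<anything>
    path: /^\/r\/([A-Za-z0-9_]{2,21})\/comments\/([a-z0-9]{1,10})(\/.*)?$/,
    build: (m) => ({ subreddit: m[1], id: m[2], canonical: `https://www.reddit.com/r/${m[1]}/comments/${m[2]}/` }),
  },
];

// Returns { kind, canonical, ...fields } for an allowlisted embed URL, else null.
// Anything that returns null should be rendered as plain text, never as an embed.
function classifyEmbed(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw.trim()); // throws for bare text or relative strings
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // drops javascript:, data:, http:
  if (url.username || url.password) return null; // https://x.com@evil.example/ lookalikes
  for (const rule of EMBED_RULES) {
    if (!rule.hosts.has(url.hostname.toLowerCase())) continue; // exact host, so x.com.evil.example fails
    const m = rule.path.exec(url.pathname); // query string and fragment are ignored on purpose
    if (!m) continue;
    return { kind: rule.kind, ...rule.build(m) };
  }
  return null;
}

module.exports = { classifyEmbed };
```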
Pevo.Science
A project by that is currently in development, and I’m offering my help here. No significant details to share—I simply conducted and delivered a comprehensive security audit.
Hive Engine / Tribaldex / Hive Outposts
For now, at least, I was able to report an information leak bug here, which is apparently currently being investigated. But I have a lot more to report—I have some concerns, particularly regarding the Hive Outposts (a paid feature that lets you have your own frontend for your token). I think the founder —developers
/
—might want to get in touch with me about this.
Inleo
(Not interested in working with me, but the owners are free to get in contact with me)
Snapie
Private Information Leak - Fixed! Thanks and your AI Buddy!
And many many more...
I was able to find all of this—and certainly a few things I’ve forgotten—in 30 days using Claude AI, and I was also able to delve deeper into it and report on it by investing a significant amount of my own time. It’s pretty obvious that the AI takes a lot of the work off my hands here—on the other hand, I spend several hours a day on it and have to incorporate the Hive Blockchain factor into the reports and, of course, test it myself—and yes, that takes time.
Many of the projects mentioned above have also shown their appreciation and recognized that my time and my work in general are valuable to the Hive community. Since I don’t want to create a Hive DHF proposal for this work, I’ve set up 5 different subscriptions (basically simple recurring payments in HIVE using HBD), where project operators can show their appreciation, but also smaller plans where any Hive user can subscribe if they like what I’m doing for the blockchain.
Current status of my subscriptions compared to a DHF proposal:
At this point, the amount you’re willing to donate would be approximately $2.50 per day.
You can view my store here and subscribe if you’d like:
@louis88/shop
Keep Going!
Of course, I don’t want to stop—I’ve gotten a taste for it—and I’d like to request additional funding for a Claude subscription. But I’d like to try out whether 3 months of Claude 5x might be better for me than 1 month of Claude 20x, since I usually work in bursts and don’t always have the AI running 24/7—after all, a human still has to check what comes out of it—and there’s real life to consider too ;)
So , I’d like to try out whether a 5x plan might be more cost-effective. If you have any questions—you know where to reach me.
Thanks Community!
I would like to thank those with whom I have worked closely over the past 30 days:
,
/
,
,
,
,
,
,
, the entire
team,
and the Magi Team,
/
and a bunch more!