Dataflow Security blog
From White House staff to battlefield journalists, instant messaging (IM) applications are indispensable communication tools for countless individuals. Whether it’s WhatsApp, Telegram, WeChat, or QQ, they have become the “digital arteries” of modern society, carrying core activities such as social interaction, payments, and office work for billions of users. Their security directly affects personal privacy, financial assets, and even national security.
In fact, security research on IM platforms has been ongoing for years. In 2019, Project Zero disclosed CVE-2019-8641 in iMessage[1], a memory corruption issue. Since iMessage automatically parses rich media content in messages, an attacker could achieve remote code execution by sending a specially crafted file without user interaction, gaining complete control over the target iPhone.
As part of my internship at STAR Labs, I was tasked with conducting an N-day analysis of CVE-2023-6241. The original PoC can be found here, along with the accompanying write-up.
In this blog post, I will explain the root cause as well as an alternative exploitation technique used to exploit the page UAF, achieving arbitrary kernel code execution.
The following exploit was tested on a Pixel 8 running the latest version available prior to the patch.
Dataflow Security blog
TL;DR

Go has now standardised iterators. Iterators are powerful. Being functions under the hood, iterators can be closures. The classification of iterators suggested by the documentation is ambiguous. Dividing iterators into two categories, “pure” and “impure”, seems to me preferable. Whether iterators should be designed as “pure” whenever possible is unclear.

The advent of iterators in Go

The iterator pattern was popularised by the classic “Gang of Four” book as
[providing] a way to access the elements of an aggregate object sequentially without exposing its underlying representation.
Posted by Mateusz Jurczyk, Google Project Zero. In the previous blog post, we focused on the general security analysis of the registry a...
### Summary
Operator has [several safety checks](https://platform.openai.com/docs/guides/tools-computer-use#acknowledge-safety-checks) through user confirmation to mitigate Indirect Prompt Injecti...
Introduction We are back with Round 2 of the Off-By-One conference — where bits meet breadboards and bugs are celebrated! 🐛⚡
If you are into hardware and IoT security, you’ll know one thing’s for sure: the STAR Labs SG badge is not your average conference bling bling. This year’s badge isn’t just a collector’s item — it’s a playground for the curious, packed with new challenges inspired by months’ worth of research and hackery.
See how we addressed the challenges of securing our SAML implementation with this behind-the-scenes look at building trust in our systems.
A little bit ago I re-installed the racing game Trackmania, and I noticed I got product ads displayed at me in-game alongside the racetrack. Where were those coming from?
See how a vulnerability in the Arm Mali GPU can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
Posted by Mateusz Jurczyk, Google Project Zero In the first three blog posts of this series, I sought to outline what the Windows Regi...
As we envisioned in DARKNAVY INSIGHT | The Most Imaginative New Applications of 2024:
The next generation of AI agents will have excellent reasoning and generalization abilities and be skilled at using a variety of security research tools, inheriting a wealth of human expert knowledge. They will be able to discover more 0-day vulnerabilities in the real world, like top security experts.
Unsurprisingly, as Large Language Models (LLMs) demonstrate increasing proficiency in handling complex tasks, Agent technology is emerging as a new paradigm in the field of vulnerability discovery. Since Google Project Zero released Naptime[1] last year, an increasing number of Agent-based auditing tools are appearing. By providing LLMs with the necessary toolsets and source code for testing, these tools simulate the behaviour of security researchers to perform code audits and vulnerability confirmation.
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API…
Discover how an impersonated GenAI Tool led victims to download a fake media file concealing Windows executables
### Intro
This is the official solution post for my Intigriti May 2025 XSS challenge, Confetti. I will try to explain the intended path and some background theory. I must admit that I don’t know the inner workings of Chrome and Firefox well enough to guarantee that all my explanations are...

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
May 20 2025 @ 2:59 AM
William Charles Gibson
The built-in “MareBackup” scheduled task is susceptible to a trivial executable search order hijacking, which can be abused by a low-privileged user to gain SYSTEM privileges whenever a vulnerable folder is prepended to the system’s PATH environment variable (instead of being appended).
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend - Ivanti, and their Endpoint Manager Mobile (Ivanti EPMM) solution.
For those out of the loop, don’t worry - as always, we’re here to fill you in.
Ivanti Endpoint Manager Mobile (EPMM) is an MDM solution for s
### Summary
An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize [[source](https://github.com/mirror/vbox/blob/74117a1cb257c00e2a92cf522e8e930bd1c4d64b/src/V...
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode.
The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism.
An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer.
CVE-2025-32464 is a vulnerability in HAProxy 2.2 up to 3.1.6-d929ca2 that allows an attacker to perform a DoS attack by exploiting specific usages of the regsub converter. It causes a heap buffer overflow, crashing the whole HAProxy pool of workers. Given the nature of the vulnerability, abusing it to obtain RCE is not feasible; nevertheless, we recommend checking whether you are using the regsub converter in your HAProxy configuration and updating whenever possible.
# Open-source toolset of an Ivanti CSA attacker
In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these tools, their functionalities and discusses efficient...
Guest post by Dillon Franke, Senior Security Engineer, 20% time on Project Zero. Every second, highly-privileged MacOS system daemons...
# SCIM Hunting - Beyond SSO
08 May 2025 - Posted by Francesco Lacerenza
## Introduction
Single Sign-On (SSO) related bugs have gotten an incredible amount of hype and a lot of amazing public disclosures in recent years. Just to cite a few examples:
- Common OAuth Vulnerabilities
- Sign in as...
It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email.
In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote Command Execution against yet another enterprise-targeting product - specifically, SysAid On-Premise (version 23.3.40) here-on referred to as “SysAid”.
Clarifying SysAid’s Product Lineup
Although
Despite shutting down, Inferno Drainer has returned with a sophisticated phishing campaign abusing Discord and targeting crypto users
How to find XXE in CodeQL using CodeQL – unintended CTF challenge solution.
Deep-Dive on how ChatGPT profiles your account and how it can reference it during conversations
Model Context Protocol -- MCP Server for Hosting COM Servers
Hacking Lab: FirmState: Bringing Cellular Protocol States to Shannon Baseband Emulation (to appear). Suhwan Jeong, Beomseok Oh, Kwangmin Kim, Insu Yun, Yongdae Kim, CheolJun Park. June 2025. Proceedings of the...
Model Context Protocol -- Exploits, Risks and Mitigations
I've been using Asahi Linux for a couple of months now, and I'm pretty happy with it. There are of course some minor issues, mostly software not being available there, like Signal (thanks opensuse for providing builds). Today's papercut is Burp Suite being laggy and eating a worryingly high amount...
Another day, another edge device being targeted - it’s a typical Thursday!
In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while.
Specifically, today, we’re going to be analyzing and reproducing:
* CVE-2024-38475
In this post, I challenge you to refactor a small function in such a way as to make it inlinable and free of bounds checks, for better performance.
Disclaimer: this post assumes version 1.24.2 of the (official) Go compiler; you may get different results with other versions of the Go compiler or with other implementations of the Go language.
Function inlining &amp; bounds-check elimination

Some familiarity with function inlining and bounds-check elimination is a prerequisite for attempting my challenge. The following three sections serve as a crash course on those topics. Feel free to skip straight to the challenge itself.
Artificial intelligence is rapidly reshaping the cyber security landscape—but how exactly is it being used, and what risks does it introduce? At Check Point Research, we set out to evaluate the current AI security environment by examining real-world threats, analyzing how researchers and attackers are leveraging AI, and assessing how today’s security tools are evolving […]
Control characters like SOH, STX, EOT and EOT were never meant to run your code - but in the world of modern terminal emulators, they sometimes do. In this post, I'll dive into the forgotten mechanics
As logistics drones weave through buildings and surveying equipment delineates urban landscapes, the capillaries of the low-altitude economy are sketching the future with millimeter-level precision.
DARKNAVY consistently focuses on the construction and breaching of drone security defenses. In this research, we discovered a fatal exploit chain in DJI remote control devices, leading to the complete compromise of the security defenses within the DJI remote controller. How can we assist industry leader DJI in fortifying its security defenses? What potential risks do these vulnerabilities reveal? Welcome to read this article.
3D printing test probe harnesses on decade old printers, and you can too!
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will.
No heist story is ever complete without a 10-metre thick steel door vault, silent pressure sensors beneath marble floors and laser grids slicing the air like spiderwebs — befitting of a crew reckless enough to think they can beat it all.
Enterprises continue
The history of humanity’s domestication of wolves has spanned forty thousand years – we used firelight and patience to soften the wildness in their eyes, transforming their fangs into the loyalty that guards our homes.
When various robot dogs created by America’s Boston Dynamics and China’s Unitree Robotics leap and flip gracefully under the spotlight, this ancient symbiotic relationship seems to take on a new meaning in the cyber age: trust that once required thousands of years of genetic selection to build can now be achieved with just a line of code.
Tired of repeating yourself? Automate your web security audit trail. In this post I'll introduce a new Burp AI extension that takes the boring bits out of your pen test. Web security testing can be a