A guide on how to do fuzzing with AFL++ in an attempt to rediscover the libwebp vulnerability CVE-2023-4863 that was used to hack iPhones.
Watch webp Part 1:
2024-01-22 14:26:34 +0000 UTC
Citizen Lab discovered BLASTPASS, a 0day being actively exploited in the image format WebP. Known as CVE-2023-4863 and CVE-2023-41064, an issue in webp's build Huffman table function can lead to a h...
2023-12-21 15:58:33 +0000 UTC
2023-11-25 13:23:15 +0000 UTC
Follow me down the rabbit hole into the wonderful world of IT security.
Tweets:
htt...
2023-11-20 19:12:43 +0000 UTC
Not every security issue can be fixed. There exist (what I call) "unfixable" bugs, where you can always argue and shift the goal posts. The idea is to only report these kinds of issues to create an...
2023-10-17 12:34:56 +0000 UTC
Let me explain to you what you can learn from these tweets. Did you know the name trick?
Quote Tweet:
2023-09-19 12:31:31 +0000 UTC
Let's explore the "most exciting" CPU vulnerability affecting Zen2 CPUs from AMD.
In case you missed it, here is part 1 about fuzzing CPUs:
2023-08-29 15:36:54 +0000 UTC
How did Tavis Ormandy fuzz CPUs to discover Zenbleed? In this video we learn about the techniques to make this work!
2023-08-18 13:00:12 +0000 UTC
Watch me go out of my comfort zone and talk to strangers O.O...
I attended droidcon Berlin 2023 and interviewed some developers about what they know about Android security. Thanks again to ev...
2023-08-01 13:46:55 +0000 UTC
Let's talk about a "security flaw in hospital software that allows full access to medical devices". This issue was disclosed on LinkedIn and included a full exploit code. Let's use this app as an e...
2023-07-22 14:04:59 +0000 UTC
Sergey Toshin tells us the story of how he became a top Android bug hunter and how he finds critical vulnerabilities. He also shows us a really cool vulnerability found in the Google Android Snapse...
2023-07-13 14:53:08 +0000 UTC
I stumbled over a weird HTML behavior on Twitter and started to investigate it. Did I just stumble over a generic HTML Sanitizer bypass?
Every year Google celebrates the best security issues found in Google Cloud. This year we take a look at the 7 winners to see if we could have found these issues too. Will I regret not having hacke...
2023-06-22 16:16:43 +0000 UTC
I stumbled over some WordPress code involving caching. Immediately I had this idea about MD5 collision and how this could affect the implemented logic. I started going down a rabbit hole exploring ...
2023-06-11 15:05:56 +0000 UTC
Lots of #bugbountytips get posted on Twitter, but some of them are ... weird. Let's explore the technical details of one tweet to understand where this tip came from, why this tip was wrong, and ev...
2023-05-31 13:39:50 +0000 UTC
In this video I show you my YouTube financials and tell you about a new project I have been working on: hextree.io
FYI to all Patreon members, I have not charged you for this video becaus...
2023-05-22 14:15:52 +0000 UTC
After we explored attacking LLMs, in this video we finally talk about defending against prompt injections. Is it even possible?
Watch the complete series:
2023-05-11 21:08:24 +0000 UTC
In this video we explore various prompt tricks to manipulate the AI to respond in ways we want, even when the system instructions want something else. This can help us better understand the limitat...
2023-04-27 15:49:21 +0000 UTC
How will the easy access to powerful APIs like GPT-4 affect the future of IT security? Keep in mind LLMs are new to this world and things will change fast. But I don't want to fall behind, so let's...
2023-04-14 17:01:19 +0000 UTC
Copilot, ChatGPT and other AI models become a threat to hackers. We rely on insecure code, but when all developers move over to code generated by AI, we will lose our jobs. We need to act fast! ...
2023-04-01 08:32:40 +0000 UTC
In the news, cybercrime is often mentioned in connection to "hacking". Also when accounts get stolen, people say "my account got hacked". But is this really hacking? How does cybercrime actually lo...
2023-03-20 17:20:47 +0000 UTC
While auditing a VSCode Extension + Language Server I noticed something interesting. This turned into the research question "can we attack the extension from the browser?". After a bit of prelimina...
2023-03-11 17:07:14 +0000 UTC
There exists a pretty cool teleport hack that I couldn't discover myself. So I decided to steal it and share it with you all!
2023-03-03 18:56:38 +0000 UTC
What is a secure "tunnel"? When I started to learn about computers the name confused me. I couldn't imagine how it works on a technical level. In this video we build upon knowledge from the previou...
2023-02-17 15:13:09 +0000 UTC
In this video we investigate the comments' claims that there exists an arbitrary velocity exploit in Minecraft. We look into the code and see if that is true.
2023-01-31 15:24:12 +0000 UTC
In this video I try to explain computer networking with pieces of paper. This hopefully explains why in some universities the OSI layer model is taught. While I find the OSI model kinda useless, "t...
2023-01-01 17:30:10 +0000 UTC
Everybody told me the cat coordinate exploit/leak was already known. However, this does not seem to be true; I tested it by logging packets.
2022-12-23 14:47:39 +0000 UTC
The term "protocol" can be really confusing. In this video I try to explain to my former self what it means to have a protocol.
2022-12-13 16:33:01 +0000 UTC
Let's talk about how we can implement a reach hack in Minecraft. After knowing how it works, it seems so obvious. But it took me over 14h to figure out myself :D
2022-11-28 15:35:26 +0000 UTC
I tried to hide a new base far away, but players quickly found it. Let me tell you how they did it.
2022-11-20 16:23:56 +0000 UTC