Sign in with Twitter

Username:

security ninja wannabe

384 Following   8,456 Followers   5,263 Tweets

Joined Twitter 8/1/07


@ChrisJohnRiley So you're saying there's a chance?
2/27
2020
@arw @Aissn @_tsuro @_2can @sherl0ck__ @XI_Research Thanks! @_2can @_tsuro @sherl0ck__ Fork Chrome, or delay patches, have security issues. Such surprise. @Aissn @_tsuro @_2can @sherl0ck__ @XI_Research @_tsuro do you know if Chrome is willing to open a bug? Locking it d… https://t.co/MqZU2IjgwzWanna join a team of world-class security engineers? My Team is looking for a web security expert to lead the effor… https://t.co/xu1e4ZLwfi
Retweeted by koto @liran_tal This doesn't look like env vars.
2/26
2020
Criticism wasn't a "bug", it was: Nord sat on the breach for 9+ months without disclosing; attacker came through ho… https://t.co/nxFOO0CnVJ
Retweeted by koto
2/24
2020
@craigfrancis That was a bug: https://t.co/ElvgV9dTE1. We'll be porting the fix back to 81.
2/21
2020
https://t.co/302pktIyRz Want to make a difference and help improve the security for billions? The Web PKI needs yo… https://t.co/Nne7lv1tny
Retweeted by koto
2/20
2020
@svblxyz That was me, sorry. Typo in the payload. Carry on!
2/19
2020
Still a bit sad that script gadgets didn't make the cut last year (https://t.co/lFRGpWYGEI) but glad that #XSLeakshttps://t.co/0LIsrHg9mp
Retweeted by koto
2/18
2020
Project zero guest blog post: "Escaping the Chrome Sandbox with RIDL" by Stephen Röttger (@_tsuro)-- https://t.co/VGXWGTIzy6
Retweeted by koto
2/15
2020
I'm quitting infosec to become a member of the scene of the day and I will be there in the morning to see if you ha… https://t.co/PwvT4ltOB7
2/14
2020
@craigfrancis @mikewest @mvsamuel The correct link is https://t.co/7G3DWHrojv, we're championing that in TC39. But… https://t.co/GESzfAysRE @svblxyz The only thing safe to drop is 0days.This utter crap is being distributed through schools from the 'local authority' so presume @WalsallCouncil today. T… https://t.co/DatE9xFE2B
Retweeted by kotoYou thought <template>s are well-behaving inert containers? That scripts underneath it would not execute? Think aga… https://t.co/7R5wVeefEU
2/13
2020
@stommepoes Unless it was rigged by CIA :) @liran_tal https://t.co/eW1P7uggo3After the crypto ag revelation, I'm slowly preparing for the worst ;) https://t.co/ss0foXNisq https://t.co/rGCAZCk0Ak @_thomaskonrad @PhilippeDeRyck It's not. We had an integration, but had to trash it because of Angular moving to Iv… https://t.co/fW945zooBz @EmanuelTesar Dropbox has a sync folder (syncs to/from local folder) Drive File Stream exposes your drive in a file… https://t.co/UtKZEG6mrP @EmanuelTesar Why manually? There's ton of sw that syncs folders and files across devices automatically. + you solved backups at that point. @EmanuelTesar Keepass_X_. I just sync the pwd db file across devices, it's easy to do with drive sync, Dropbox etc.… https://t.co/B8gw0i3Q2o @EmanuelTesar Nics -> bugs @EmanuelTesar I use keepassx. I like to have my password db way out of all browser processes. Pw managers that are… https://t.co/cL3udYc8A0Jeśli razem z @j_kaluzny chcesz pracować w jednej z "najfajniejszych" dzielnic Europy to koniecznie sprawdź nasze o… https://t.co/U0g7suif3V
Retweeted by koto
2/12
2020
I was dismissive of these issues until one of the post-Snowden HSMs Yahoo bought was delivered in... let’s call it… https://t.co/Yc3b9VsyfT
Retweeted by koto @liran_tal @chipironcin @VoxxedZurich @odrotbohm @dandreadis @codepo8 @mraible @jMargaritaN @FredBlaise You're comi… https://t.co/wn245iXWWhWe've crunched data and worked hard to add browser features that matter for web security in 2020. This is what we t… https://t.co/780loNmZ9D
2/11
2020
Parasite. #Oscars https://t.co/X6jkCCzWqX
Retweeted by koto
2/10
2020
Years ago I found what I still consider to be the best vuln I've ever found and exploited. It started with ERROR an… https://t.co/ZRKQp7aPTF
Retweeted by koto
2/9
2020
Interesting mistake happened to me yesterday. I was checking out of an Airbnb(like) room and was going to hang arou… https://t.co/tCtjdJUZoy
Retweeted by kotoOh no the author of this book about the semiotics of emoji doesn’t know about the fresh prince of bel air. https://t.co/roY4pgwkl3
Retweeted by koto
2/8
2020
@garethheyes Are you running the experiment now? Please stop, my phone is lagging sooooo much... @svblxyz @carste1n Yes, we should all have Chinese keyboard layout :) @garethheyes Yup. https://t.co/8cvS9BLxLi
2/6
2020
@SecurityMB Gratulacje!!!
2/2
2020
@jurajsomorovsky @ruhrunibochum @unipb Congratulations!
1/31
2020
@skeptic_fx @mikispag @randomdross @arturjanc @we1x You may be able to tighten the unsafe-eval with trusted types. @mattaustin @kravietz_ I can understand the snarkiness, but still - AMP has tons of existing customers,and those wi… https://t.co/mphQm0Nz10
1/29
2020
@kravietz_ I'm guessing AMP websites might want to have a say.In other words, some AMP pages will have to opt out of the mechanism that addresses CSRF so cleanly. Sad. https://t.co/quxinXV2eC
1/28
2020
Remember, Marcus Aurelius has already absolved you of the duty of having a take https://t.co/hLSNy7a5OB
Retweeted by koto
1/27
2020
@arkadiyt @frgx Parts of CSP we could definitely do without. Some forms of it increase deployment complexity withou… https://t.co/ZSJkyJYHkw
1/25
2020
@epereiralopez Welcome to the team!There's some nuance to this, but, without splitting hairs, the best advice for the end users in response to the pap… https://t.co/jD4W316PWW
1/24
2020
When your decision to adopt microservices is missing the big picture. https://t.co/dvRHK4MCyQ
Retweeted by koto
1/23
2020
@arturjanc @empijei @we1x In terms of technical details, https://t.co/T1Zzich2A7 has a good summary.Earlier today we published the details of a set of vulnerabilities in Safari's Intelligent Tracking Prevention priv… https://t.co/XwJw5kc6sj
Retweeted by kotoThe time has come to fix that typo in Referer ;) https://t.co/HvoyUgOOEzOur title is boring, @johnwilander's "Preventing Tracking Prevention Tracking" is way better ;) https://t.co/Hd2RXo8bvU
1/22
2020
Have an idea that would totally change the Web's security but would break today's Web? We have the right workshop f… https://t.co/PJb5Bg3CBo
Retweeted by koto
1/16
2020
@KingstonTime Oh man, that's terrible :( Hope something new, and greater will come out of this! Sending lots of <3.… https://t.co/AnZudnEKag💕❤️💕 for all who have worked for a better web and a better world at Mozilla.
Retweeted by koto @KingstonTime Wait what? Is that for real?
1/15
2020
@arkenoi @ivanristic So was XHR ;)End of an era. https://t.co/bEOhUL03Vb
1/14
2020
@BenedekGagyi @liran_tal @jeremiahg @mvsamuel https://t.co/V75jJ5OD8l https://t.co/PoFf1m9Winhttps://t.co/n20QGxHzc0 @liran_tal @BenedekGagyi @jeremiahg @mvsamuel For which audience? Developers or penetration testers?
1/13
2020
Great effort @random_walker and reading through it now. One observation I was able to get during incident response… https://t.co/ulPB9e3ONb
Retweeted by koto
1/11
2020
@skeptic_fx @mikewest @mikispag IIUC the "effect" the message mentions is blocking the behavior. SPV event is just… https://t.co/6iPraaeeD0 @freddyb PHP regexps had code execution capabilities with e flag. Maybe that's that? I don't recall anything for J… https://t.co/OPZjOGgZIt @mikewest 1. Looks pretty good! 2. Why strict-dynamic for non-parser-inserted scripts? It feels like TT for such sc… https://t.co/7lvShBDohv
1/8
2020
Project Zero Policy and Disclosure: 2020 Edition -- https://t.co/UKXputzdAu
Retweeted by kotoAs promised a few months ago, with @cryptosaurus6 we computed a chosen-prefix collision for SHA-1 for much cheaper… https://t.co/vYRcItIw2n
Retweeted by koto @tqbf @bascule @XorNinja @kkotowicz thanks a lot for the insightful discussion on JS crypto . They were really va… https://t.co/4yCjgbLSi9
Retweeted by kotoThe top 10 web hacking techniques of 2019 has some new contenders, thanks to community nominations. Keep them comin… https://t.co/V9OyQKykJy
Retweeted by koto
1/7
2019
it's out https://t.co/beafW6QPUi will present it at @RealWorldCrypto the paper I'm the proudest of thanks to… https://t.co/4BfPtRk9i1
Retweeted by koto
12/31
2019
THREAD: Exactly two years ago today, an engineer working on an embargoed bug made a tiny opsec slip-up. The bug was… https://t.co/oayrAa3nHg
Retweeted by koto
12/29
2019
Writeup on how I made $40,000 breaking the new Chromium Edge using essentially two XSS flaws. https://t.co/VZ3QGbxDF5
Retweeted by kotoI launched speak|easy 🎉 https://t.co/kqZqsqkF82 ✅Vue.js ✅Netlify ✅Weekend side project ✴️You have a public speaki… https://t.co/v2g2DzfwCk
Retweeted by koto
12/24
2019
Presentation about the @GoogleVRP team and our Bug Hunters. https://t.co/c87d65KPyP
Retweeted by koto
12/20
2019
A pretty good take: "Given the appetite for mass activism and capabilities of engineers at Google who might chafe a… https://t.co/WDHcWCjT5b
Retweeted by kotoFascinating, the #1 predictor of bugs is ... organizational complexity: https://t.co/jU3SRSzjMD
Retweeted by koto
12/19
2019
Kathryn, @eiais, did not bypass code review. She didn't disrupt anyone's work. She didn't target an individual. She… https://t.co/ksjFdsQSsZ
Retweeted by kotoKathryn was on my team. There was zero reason why she should have asked anyone else on the team for authorisation t… https://t.co/ibXwMuIjmb
Retweeted by kotoPeople are looking at this union busting stuff as an internal matter at Google. I doubt they’re right. These fired… https://t.co/ylIiUWntKb
Retweeted by koto
12/17
2019
@ericlaw @porkbellyfuture Or is it?
12/16
2019
We are looking for a web vulnerability researcher to join the PortSwigger research team. https://t.co/WtUNtHzvZM
Retweeted by kotoUpdate npm NOW, new releases of @nodejs are coming out asap: https://t.co/j9Oc44CG4c
Retweeted by koto
12/12
2019
Script gadgets <3 https://t.co/bPjHDEl9Cx#trustedtypes come to #NodeJSInteractive 2019. Excited to talk today with @mvsamuel on how we'll get rid of the mos… https://t.co/XKWiq0oPPp
12/11
2019
In today’s Chrome release, two security issues reported by our team are fixed. Good job @piochu and @SecurityMB! Wr… https://t.co/83VerMRkkW
Retweeted by koto @johnwilander aaagh, you lost the opportunity for "Tracking Prevention Tracking Prevention" as a title :) Seriously though - 👍💪👏
12/10
2019
A while back I did a quick fuzzing exercise on Google Chrome <portal> element https://t.co/60SKIwU5e0 @redteampl
Retweeted by kotoHello Twitter people. My team is organizing a great CTF in two weeks. I prepared some WEB challenges for you, so I… https://t.co/RR6pIbr2T1
Retweeted by koto
12/6
2019
Oh, my! @ChrisJohnRiley https://t.co/4oX2nOyC3c
12/4
2019
@freddyb @SecurityMB @mikewest @kinugawamasato Nope, I blindly (and incorrectly) assumed that devtools is privileged. @freddyb @SecurityMB @mikewest So, @kinugawamasato's original vector (https://t.co/4xsheYnxFG) seems to work (CSP b… https://t.co/NQtY98eiG2 @freddyb @SecurityMB @mikewest You don't have any gadgets in your ui js code? The sanitizer, being almost non-confi… https://t.co/iLuwy49gPe
12/2
2019
Haxember Experiment! I will release daily videos about topics I always wanted to cover, but never got around. To in… https://t.co/29t0TuLDfV
Retweeted by koto
12/1
2019
@joernchen @lucacarettoni Stop disrupting the thought leadership!
11/29
2019
someone swapped the batman and catwoman character models and... oh my god https://t.co/BneQFmdIzf
Retweeted by koto
11/28
2019
Hey @sundarpichai, can we do a blameless postmortem on this? https://t.co/DBDjJUF1Fg
Retweeted by koto @garethheyes @Trojantech2 Once a renderer is compromised, you don't really do JS anymore. There is no angularjs san… https://t.co/NuIMCJCmfK @SecurityMB Ouch.
11/27
2019
@empijei you know the answer :) It's JS all the way down @empijei Also, why Rust? Js please :) @empijei It's not just about memory corruption, e.g. Spectre vectors would still wprk. Though memory safety is a large part of it.
11/26
2019

0