Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server.
https://blog.orange.tw/posts/2024-08-confusion-attacks-en/
Orange Tsai
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
Hey there! This is my research on Apache HTTP Server presented at Black Hat USA 2024. Additionally, this research will also be presented at HITCON and OrangeCon. If you're int
2024-1275_240823_230000.pdf
777.4 KB
https://www.securityweek.com/major-backdoor-in-millions-of-rfid-cards-allows-instant-cloning/
Phrack
Stealth Shell
Click to read the article on phrack
https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html
hyprblog
4 exploits, 1 bug: exploiting CVE-2024-20017 4 different ways
a post going over 4 exploits for CVE-2024-20017, a remotely exploitable buffer overflow in a component of the MediaTek MT7622 SDK.
https://github.com/lvkv/whenfs
GitHub
GitHub - lvkv/whenfs: A FUSE filesystem for your Google calendar
A FUSE filesystem for your Google calendar. Contribute to lvkv/whenfs development by creating an account on GitHub.
https://labs.taszk.io/articles/post/there_will_be_bugs/
labs.taszk.io
Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos
Samsung Baseband RCE with Layer 2 Vulnerabilities
https://sites.google.com/view/Gazeploit/
PDF: https://arxiv.org/pdf/2409.08122
Google
GAZEploit
GAZEploit:
The attack was executed in civilian areas of a sovereign nation.
Around 1K cases have been reported.
https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-files/
lyra's epic blog
Using YouTube to steal your files
A writeup of my $4133.70 Google Drive vulnerability chain.
¹ Unlike cold state where the phone is unlocked or recently locked where keys are in memory.
Characteristics:
https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2024-26808_cos/docs/exploit.md
GitHub
security-research/pocs/linux/kernelctf/CVE-2024-26808_cos/docs/exploit.md at master · google/security-research
This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code. - google/security-research
https://www.404media.co/someone-put-facial-recognition-tech-onto-metas-smart-glasses-to-instantly-dox-strangers/
404 Media
Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers
The technology, which marries Meta's smart Ray Ban glasses with the facial recognition service Pimeyes and some other tools, lets someone automatically go from face, to name, to phone number, and home address.
🧵
https://x.com/J0R1AN/status/1842139861295169836
https://gist.github.com/JorianWoltjer/b9163fe616319db8fe570b4ef9c02291
X (formerly Twitter)
Jorian (@J0R1AN) on X
During a recent CTF, one participant found a particularly interesting solution to my challenge. The goal was to send multiple CSRF requests with SameSite=Lax from 1 visit.
Normally, a form sends you to the page you are posting to and you cannot send any…
https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-same-group-infect-air-gapped-devices/
https://securelist.com/goldenjackal-apt-group/109677/
https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/
Ars Technica
Two never-before-seen tools, from same group, infect air-gapped devices
It's hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years.
ByteDance recently terminated an intern for sabotaging an AI model training project within its commercial technology team. The intern was accused of malicious interference, leading to their dismissal in August 2024. Despite reports suggesting significant financial damage, ByteDance clarified that the sabotage did not impact formal commercial projects or their broader AI operations. The company has informed the intern's university and relevant industry bodies. This incident highlights growing concerns around AI security and insider threats in the tech industry.
https://ading.dev/blog/posts/chrome_sandbox_escape.html
https://github.com/ading2210/CVE-2024-6778-POC
ading.dev
Escaping the Chrome Sandbox Through DevTools
This blog post details how I found CVE-2024-6778 and CVE-2024-5836, which are vulnerabilities within the Chromium web browser which allowed for a sandbox escape from a browser extension.