quarkslab (@quarkslab) 's Twitter Profile
Securing every bit of your data

bsky.app/profile/quarks…
infosec.exchange/@quarkslab

ID: 384403050

Link: http://www.quarkslab.com
Date: 03-10-2011 16:32:30

1,1K Tweet

11,11K Followers

9 Following

quarkslab (@quarkslab):

We completed our 2nd audit of Allbridge's Estrela, a decentralized exchange built on the Soroban platform. Our audit was focused on the 3-token pool implementation and no critical vulnerabilities were found. The summary and full report can be read here blog.quarkslab.com/audit-of-allbr…

quarkslab (@quarkslab):

From classic HTML pages to advanced MFA bypasses, dive in with Atsika in an exploration of phishing techniques 🎣. Learn some infrastructure tricks and delivery methods to bypass common detection. 👉blog.quarkslab.com/technical-dive… (promise this one is legit 👀)

quarkslab (@quarkslab):

The Open Platform Communications Unified Architecture (OPC UA) is an open standard for industrial systems. In 2024 we worked with ANSSI to develop fuzzysully, an OPC UA fuzzer. Today we are glad to announce that this tool is now open source: github.com/ANSSI-FR/fuzzy…

quarkslab (@quarkslab):

The Fifth Element: Using Quarkslab's cryptographic test suite to find bugs in the reference implementation of HQC, the latest algorithm added to the NIST PQC standard. Here Célian Glénaz, Dahmun Goudarzi and Julio Loayza Meneses tell you how they did it: blog.quarkslab.com/finding-bugs-i…

quarkslab (@quarkslab):

Next week at the Hack The Box meetup in Lille, France rayanlecat will talk about PwnShop, the challenge he prepared for the PwnMe CTF 2025 and how he accidentally discovered an RCE 0day while doing so. Join him next Monday at Campus Cyber Hauts-de-France: meetup.com/hack-the-box-m…

quarkslab (@quarkslab):

New GUI or root access? Choose wisely! Exploiting a Local Privilege Escalation vulnerability in CCleaner version 1 for MacOS, by Coiffeur blog.quarkslab.com/ccleaner_lpe_m…

quarkslab (@quarkslab):

There is a small bug in the signature verification of OTA packages in the Android Open Source Framework. Official builds doing normal double verification of packages are not vulnerable but OEMs and third party apps may be. Jérémy Jourdois explains it here: blog.quarkslab.com/aosp_ota_signa…

The PHP Foundation (@thephpf):

We are pleased to announce the completion of security audit of PHP core! Executed by quarkslab in partnership with OSTIF Official and commissioned by the Sovereign Tech Agency. Learn more: thephp.foundation/blog/2025/04/1…

quarkslab (@quarkslab):

Quarkslab audited PHP-SRC, the open source interpreter of PHP. The security audit, sponsored by OSTIF Official with funding from Sovereign Tech Agency, aimed at strengthening the project's security ahead of the upcoming PHP 8.4 release. Here is what we found: blog.quarkslab.com/security-audit…

OSTIF Official (@ostifofficial):

We are so excited to announce the publication of our audit of PHP core! This work was a collaboration between our organization, The PHP Foundation, and quarkslab, with funding provided by the Sovereign Tech Agency. For the report, high points, and further links ostif.org/php-audit-comp…

quarkslab (@quarkslab):

While casually reading Moodle's code @coiffeur0x90 found an SSRF bug exploitable by any authenticated user. Fun twist? This vuln matches exactly the example Orange Tsai 🍊 presented at Black Hat 2017. Real life imitates conference slides 😅 Details here: blog.quarkslab.com/auditing-moodl…

quarkslab (@quarkslab):

Look at those cute little blobs in your internal network. They look harmless, but how about the one carrying SOCKS? It's ProxyBlob, a reverse proxy over Azure. Check out Atsika's article on how it came to exist after an assumed breach mission ⤵️ 👉 blog.quarkslab.com/proxyblobing-i…

Off-By-One Conference (@offbyoneconf):

Tom Mansion (Tom Mansion) is a junior security researcher from quarkslab. He is zealous over CTFs, and enjoys heap exploitation. Tom discusses Scudo's mechanisms, its security principles, exploitation techniques... and what's next! More info: linkedin.com/posts/off-by-o…

quarkslab (@quarkslab):

Quarkslab was glad to sponsor the Real World Cryptography Paris Meetup 4 hosted by Ledger last night. Julio Loayza Meneses talked about crypto-condor, our open source tool to test cryptography implementations. You can learn more about it here: quarkslab.github.io/crypto-condor/…

quarkslab (@quarkslab):

Good morning Singapore! The amazing Off by One conference (Off-By-One Conference) starts today. If you are attending don't miss pappy's (our fearless CEO) keynote at 9:35am: "Spyware for rent & the world of offensive cyber" The full agenda is available here: offbyone.sg/agenda

Off-By-One Conference (@offbyoneconf):

pappy from quarkslab, our keynote speaker marks the start of 2nd edition of Off-By-One Conference with his highly anticipated presentation 𝐒𝐩𝐲𝐰𝐚𝐫𝐞 𝐟𝐨𝐫 𝐫𝐞𝐧𝐭 & 𝐭𝐡𝐞 𝐰𝐨𝐫𝐥𝐝 𝐨𝐟 𝐨𝐟𝐟𝐞𝐧𝐬𝐢𝐯𝐞 𝐜𝐲𝐛𝐞𝐫! Off-By-One Conference go! 🚀

Off-By-One Conference (@offbyoneconf):

Tom Mansion from quarkslab in action! After a game of hide and seek, we now 𝐒.𝐇.𝐈.𝐄.𝐋.𝐃: 𝐒𝐜𝐮𝐝𝐨 𝐇𝐞𝐚𝐩 𝐈𝐦𝐩𝐥𝐞𝐦𝐞𝐧𝐭𝐚𝐭𝐢𝐨𝐧 𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐬, 𝐋𝐞𝐚𝐤𝐬, 𝐚𝐧𝐝 𝐃𝐞𝐟𝐞𝐧𝐬𝐞𝐬 at Off-By-One Conference 2025!

quarkslab (@quarkslab):

Are you a cyber professional, or a future one, coming to #sstic2025 next week? Come to ✨WomenATsstic✨, an informal and unofficial friendly meetup on Wednesday, June 4th at 6 pm. We will reserve a bar/café near the Halle Martenot. Register here: framadate.org/hH2t9FcRtgEGmT…

quarkslab (@quarkslab):

Attention ✨WomenAtSSTIC✨ We meet at 18:00 today at L'Equinoxe: 3 Place des Lices, 35000 Rennes See you there! #sstic2025

leHACK (@_lehack_):

🇬🇧 Proud to welcome Platinum Sponsor ⚪ @Quarkslab! Cyber R&D experts turning advanced security research into real-world solutions for critical industries. Meet their team at #lehACK! 🔗 quarkslab.com #Sponsors
