Sal ꙮ (@salchoman)'s Twitter Profile
Software Entomology & Archeology at Google. Previously BurpSuite Crawler & Scanner team. Personal friend of Carlos Montoya. 🧀

ID: 562549631

25-04-2012 03:15:22

952 Tweets

670 Followers

919 Following

maxpl0it (@maxpl0it):

Manfred Paul’s Firefox renderer bug is a beauty that takes advantage of an optimisation implemented just 3 months ago. Let’s break it down!

Sal ꙮ (@salchoman):

Go get yourself some nice prototype pollution bugs to submit to the Google VRP and tag me when you publish your 'thank you javascript' post :)

Sal ꙮ (@salchoman):

Check out the most thorough end to end explanation of Google's recipe to eradicate entire classes of web bugs at scale

huli (@aszx87410):

there is a challenge in idekCTF 2024 called srcdoc-memos made by icesfont, it's about iframe, sandbox, CSP, navigation, session history and policy container. I spent like a week to understand how it works lol, really complex but also interesting. blog.huli.tw/2024/09/07/en/…

MG (@_mg_):

The exploding Hezbollah pagers situation is an incredibly impressive supply chain attack by Israel (most likely). I am sure more details will come, but there are already some educated guesses to be made that narrow it down. 🧵1/n

Gareth Evans (@kryc_uk):

A new era for security in #MicrosoftEdge and its web integrations as #MicrosoftBing now supports nonce-based CSP on Edge Desktop (other browsers to follow shortly). Attacks on Edge via XSS just got a whole lot harder!

Sal ꙮ (@salchoman):

Love to see the constant stream of posts over the past couple months where malware developers are struggling to 1/ lift cookies and 2/ use them effectively thanks to security.googleblog.com/2024/07/improv… and other changes from our Chrome/Identity colleagues 👏

@securitymb@infosec.exchange (@securitymb):

Check out the video in which I’m talking with koto about Google VRPs. Learn how you can start hacking Google! Let me know if there’s something you’d like us to cover in future videos 😀 youtu.be/R2qMd4PZbko?si…

spq (@__spq__):

Here are the details about the AMD Signature verification vulnerability we worked on, Enjoy! bughunters.google.com/blog/542484235…

Sal ꙮ (@salchoman):

We're working on several types of AI agents at scale and looking for talented folks in both security research and mitigation engineering. Take a look at these job postings for the Agent Security team at Google and consider applying!

Sal ꙮ (@salchoman):

We just published a whitepaper describing Google's 3 principles for building secure agents, rogue actions and data exfiltration issues and our hybrid strategy: combining model-based defenses with high-assurance guardrails. Read our paper at research.google/pubs/an-introd…

Sal ꙮ (@salchoman):

Simon wrote an interesting review of the paper our team published on Agent Security - we're making solid progress towards making the hybrid architecture described in Simon's review the default for Google agents and finding new ways at constraining agentic workflows dynamically

Sal ꙮ (@salchoman):

One of the many cool pieces of research coming from Jun's work in Google's Agent Security team! Also see the next tweet in his thread :)