@SecurityMB
Followers
11K
Following
921
Media
85
Statuses
1K
Improving the world’s security at Google. Opinions are mine.
Zurich, Switzerland
Joined September 2014
Finally, my research is published. It has everything you might wish for in browser security: universal XSS, mutation XSS, CSS data exfiltration, and others. Check this out! In a few days, we'll also release a 30-minute presentation about this topic.
We are publishing the research of Copy&Paste issues in browsers by @SecurityMB. Over $30k in bounties for bugs in Chromium, Firefox, Safari, Google Docs, Gmail, TinyMCE, CKEditor, and others. Includes also 0-day in Froala.
8
113
412
RT @kevin_mizu: I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Ha….
0
167
0
Google CTF is on! Here's a challenge that I created: . Good luck 😀.
0
27
150
Here's my blog post about escaping `<>` in attributes and why it makes mXSS harder to exploit!.
🚨 Heads up for web devs! 🚨 . The HTML spec just got an important update to protect against mutation XSS (mXSS). Find out how escaping < and > in attributes is making the web a safer place.
1
19
90
🔥 A new (more difficult) era for mXSS will come soon! If nothing breaks, Chromium will start escaping "<" and ">" in attributes starting with M138. See for details.
2
17
88
RT @GoogleVRP: Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲 . Disco….
bughunters.google.com
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog...
0
31
0
RT @OMHconf: Pewien inżynier bezpieczeństwa musi zadbać o bezpieczeństwo dosłownie tysięcy aplikacji. 💥 Jak to osiągnąć? . Michał Bentkowsk….
0
2
0
Reading about new mXSS techniques always warms my heart. Amazing writeup @kevin_mizu and great bugs!.
I'm thrilled to finally share my research on HTML parsing and DOMPurify at @GreHack 2024 📜. The research article is available here: The slides are available here: 1/3
1
1
34
RT @GoogleVRP: Do you want to learn more about the various Vulnerability Reward Programs offered by Google? Or you're looking for inspirati….
0
11
0
Check out the video in which I’m talking with @kkotowicz about Google VRPs. Learn how you can start hacking Google!. Let me know if there’s something you’d like us to cover in future videos 😀.
3
8
44
RT @lukOlejnik: Very nice presentation about web security at a scale by @SecurityMB. Finally, web security is solved for good. https://t.co….
0
1
0
[PL] Zapraszam na MSHP do Krakowa! Sam też będę miał tam prezentację 😀.
Dołączysz do konferencji Mega Sekurak Hacking Party?. ✅ Trzy ścieżki prezentacji: Główna (topowe / świeże tematy związane z ITsec), Hacking Depot (hackowanie na żywo), Intro (dla początkujących). ✅ Same premierowe prezentacje! . ✅ Topowi prowadzący-praktycy, znani ze sceny
1
0
5
Google VRP significantly increases reward amounts! Just go and hack 😀.
🚨💰 Google VRP Reward Update 💰🚨 Good news, we are significantly increasing the reward amounts offered by the Google VRP! Look out for up to 5x higher payouts and a maximum reward of $151,515! Details here:.
1
0
14
RT @GoogleVRP: 🚫 DOM XSS, begone! 👋 Discover how we used Trusted Types to protect AppSheet, and how that can inform your own web applicatio….
bughunters.google.com
Want to know more about adopting Trusted Types to improve the security posture of an application? Take a look at our case study describing how we rolled out Trusted Types in AppSheet, a Google...
0
37
0
RT @aszx87410: I didn't manage to solve postviewer v1 in 2022, really close to solve v2 in 2023, but this year finally solve v3 💯. It's my….
blog.huli.tw
For the past half year, I have been busy with other things and haven’t had a chance to participate in a CTF. This time, I made time for GoogleCTF 2024 and solved all the web challenges with my teammat
0
22
0
Congratulations for the five teams that solved in-the-shadows!. The challenge is open-sourced now including a short writeup and a solver:
Google CTF is on! . I'm especially curious how many teams will be able to solve the challenge "in the shadows" 😉.
0
11
58
Google CTF is on! . I'm especially curious how many teams will be able to solve the challenge "in the shadows" 😉.
Google CTF is just around the corner, starting June 21 at 6:00 PM UTC! Give your best and earn all the flags to qualify for Hackceler8 2024 in Málaga. Register at ¡Vamos! . For details, see our blog post:
3
2
36
Czy można zgłaszać propozycje odcinków @RadioNaukowe? Jeśli tak, to świetnie byłoby posłuchać o ostatnich zmianach w języku polskim, 😀.
2
0
4
RT @realhashbreaker: Here is a 72-byte alphanum MD5 collision with 1-byte difference for fun:. md5("TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDh….
0
2K
0