Tal Skverer

@TalSkverer

Followers
103
Following
4K
Media
41
Statuses
535

Tech projects blog writer, DEFCON speaker, silly stuff lover. Researcher & Team Lead @ Astrix Security

Joined March 2015
@TalSkverer
Tal Skverer
1 year
Almost 8 years since #PokémonGo launched and took the world by storm, it's time to tell the story of how I broke its anti-cheating mechanism together with a group of fellow hackers, all just to catch some new Pokémon. Part 1 is live on #TalTechTreks.
0
0
2
@TalSkverer
Tal Skverer
10 days
The DEFCON 33 schedule is live and I'm excited to announce I'll be giving a talk this year on unique research I was a part of a few years back! "Breakin 'Em All – Overcoming Pokemon Go's Anti-Cheat Mechanism". Join me on stage - Sat, 11:30 AM, Track 3.
0
0
3
@TalSkverer
Tal Skverer
2 months
Looks like I'll be at Hacker Summer Camp this year! Exciting #DEFCON33
0
1
7
@TalSkverer
Tal Skverer
7 months
I'm proud to announce the release of the OWASP top 10 Non-Human Identity project! Been working tirelessly with other experts on this important topic for the past couple of months, and I can't be prouder of the result. Check it out below!
@owasp
OWASP® Foundation
7 months
Got secrets? An API? Tokens? Or a fancy new AI bot? @OWASP's Project team just dropped the Non-Human Identities Top 10 Project, breaking down the biggest risks + how to secure them. 🔐
0
0
3
@TalSkverer
Tal Skverer
8 months
#Hacking #Google episode 5 challenge 2 threw a curve-ball at me - crypto challenge! I avoided these in the past, assuming it's unlikely I'll be able to break them. But since this #CTF was friendly thus far, I gave it a go, and managed to solve it!
taltechtreks.com
Episode 005 - Challenge 02 - Cryptography is Easy, I swear!
0
0
1
@TalSkverer
Tal Skverer
8 months
After a short hiatus, #HackingGoogle #CTF posts are back with the 1st challenge of the last episode! In this one - did you forget to feed your Tamagotchi? Because it came back for revenge, on this image manipulation challenge. Full write-up on the blog:
taltechtreks.com
Episode 005 - Challenge 01 - A Blast From the 90s
0
0
0
@TalSkverer
Tal Skverer
9 months
Thanks go yet again to the amazing presenters and to everyone who has been diligently reading these posts and approaching me about them :). All the posts can be found, in order, on my blog. (6/6)
taltechtreks.com
Grab your popcorn, it's going to be good!
0
0
0
@TalSkverer
Tal Skverer
9 months
So all in all, I think I can crown this experiment a success. I’m happy I did it and can’t wait for next year’s talks, because even if I don’t attend, I’ll have my summaries to look forward to! (5/6)
1
0
0
@TalSkverer
Tal Skverer
9 months
At the end, almost all posts are basically the first iteration with a simple grammar and spell-checker applied. At some point, I even built up enough courage to tag the amazing researchers! (4/6)
1
0
0
@TalSkverer
Tal Skverer
9 months
So, I decided this time I’ll tackle this by posting the summaries over LinkedIn and other networks. Easier said than done. Limiting the amount of time between posts was the key here — the pressure made it so I wasn’t able to endlessly pass my text through various LLM models.(3/6).
1
0
0
@TalSkverer
Tal Skverer
9 months
I believed (and still strongly do) that it’s a sure way to embed the unique ideas and techniques presented into my head. Well, writing things is something I’ve always done—the hard part for me is posting them online. (2/6).
1
0
0
@TalSkverer
Tal Skverer
9 months
In the past two weeks, right after #DEFCON uploaded the videos for this year’s talks, I decided to not procrastinate as I usually do. Instead, I sat down, watched the talks, and made a short summary of each. (1/6).
taltechtreks.com
Grab your popcorn, it's going to be good!
1
0
0
@TalSkverer
Tal Skverer
9 months
The methodology is great in general for all research; I recommend watching the talk and taking away from it. (13/13) #DEFCON #vulnerability #email
0
0
0
@TalSkverer
Tal Skverer
9 months
To tie it up, Gareth focuses on methodology. It's not simple bypassing parsers you can't see, using so many different combinations of potentially vulnerable features. (12/13).
1
0
0
@TalSkverer
Tal Skverer
9 months
Using these techniques with some other niche features, Gareth accessed GitLab Enterprise servers, Zendesk organizations, bypassed GitHub email verification, protected Cloudflare instances, and stole CSRF tokens from Joomla by using an XSS in registered users' addresses! (11/13)
1
0
0
@TalSkverer
Tal Skverer
9 months
3️⃣ Punycode: An algorithm for DNS to support domain names with special characters (even emojis). It switches and inserts characters at specific positions — a sure way to confuse parsers. (10/13)
1
0
0
@TalSkverer
Tal Skverer
9 months
2️⃣ Encoded-word: An interesting feature of email addresses, allowing inclusion of parts that are encoded with some charset. This feature even allows Base64 and UTF-7! (9/13)
1
0
0
@TalSkverer
Tal Skverer
9 months
1️⃣ Unicode overflows: Adding a Unicode character to the email address whose least significant byte is a valid ASCII character you'd like to smuggle. Some implementations truncate the original Unicode byte, leading to validation bypasses. (8/13)
1
0
0
@TalSkverer
Tal Skverer
9 months
Discrepancies between the two could easily lead to cases where a new email address is associated with a victim organization while being routed to an attacker-controlled domain — and this is what Gareth exploited. In the talk, he covered three discrepancies: (7/13).
1
0
0
@TalSkverer
Tal Skverer
9 months
However, now we might have a problem: there are two separate systems parsing the email address — the SMTP protocol (routing the address according to specifications), and a developer parsing the domain out of the email (probably with a copy-pasted regex and code). (6/13).
1
0
0
@TalSkverer
Tal Skverer
9 months
The solution to this? Extract the domain part of the email address! This makes sense as it's a strong indicator for the user's organization. (5/13).
1
0
0
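As an added illustration of the parser-discrepancy theme in the thread above (not code from the thread, from Gareth's talk, or from any project it names): a small Python audit that compares the "copy-pasted" last-'@' domain extraction with a strict check refusing to associate an organization with an address that falls into the thread's three classes (non-ASCII code points, encoded-word syntax, punycode labels) or that contains more than one '@'. The sample addresses are constructed and use reserved .example names; the strict character class is an assumption chosen for the demo, not an RFC-complete validator.

```python
import re
from typing import List, Optional

# Unquoted ASCII local part, then a plain dot-separated ASCII domain.
# Anything outside this is not necessarily invalid email, but it is
# ambiguous enough that two parsers (SMTP routing vs. a regex) may disagree.
STRICT_ADDRESS = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]+)$"
)
# RFC 2047 encoded-word syntax: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")


def naive_domain(address: str) -> str:
    """The copy-pasted approach: whatever follows the last '@'."""
    return address.rsplit("@", 1)[-1]


def audit_address(address: str) -> List[str]:
    """Reasons an address is too ambiguous to use for organization lookup."""
    issues = []
    if any(ord(ch) > 0x7F for ch in address):
        issues.append("non-ascii")       # Unicode overflow / truncation class
    if ENCODED_WORD.search(address):
        issues.append("encoded-word")    # charset-encoded fragment
    if address.count("@") != 1:
        issues.append("ambiguous-at")    # parsers may split at different '@'s
    labels = naive_domain(address).split(".")
    if any(label.lower().startswith("xn--") for label in labels):
        issues.append("punycode")        # IDNA label; rendered form may differ
    if not STRICT_ADDRESS.match(address):
        issues.append("not-strict")
    return issues


def trusted_domain(address: str) -> Optional[str]:
    """Domain safe to tie to an organization, or None if the address is ambiguous."""
    return None if audit_address(address) else naive_domain(address).lower()


if __name__ == "__main__":
    # Constructed samples: one clean address, then one per discrepancy class.
    samples = [
        "alice@example.com",
        "dav\u00e9@example.com",
        "=?utf-8?q?carol?=@example.com",
        "bob@xn--not-a-real-label.example",
        "eve@first.example@second.example",
    ]
    for s in samples:
        print(f"{s!r}: naive={naive_domain(s)!r} trusted={trusted_domain(s)!r} "
              f"issues={audit_address(s)}")
```

The last sample is the case the thread warns about: the naive extraction happily returns a domain, while the strict path returns None and reports which check tripped.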