Manfred Paul Profile
Manfred Paul

@_manfp

Followers
5K
Following
379
Media
2
Statuses
83

Security but not as in "national security". Playing CTFs with @redrocket_ctf (and @Sauercl0ud). Pwn2Own Vancouver 2020..=2024\{2023}. @[email protected]

Outside of computed bounds
Joined January 2020
@thezdi
Trend Zero Day Initiative
4 months
CVE-2025-4941 - Trend ZDI analyst @hosselot details the Firefox bug used at #Pwn2Own Berlin by Manfred Paul. Includes root cause analysis and video demo.
zerodayinitiative.com
In recent years, there has been an increased interest in the JavaScript engine vulnerabilities in order to compromise web browsers. Notably, vulnerabilities in JIT engines are among the most favorite...
@_manfp
Manfred Paul
8 months
If you're a security researcher and in Germany, consider signing https://t.co/6x5ajjZSxq . Decriminalizing research might not be the top political priority right now, but it's still important!
@davidmcgeoch9
David Mirren
10 months
More important than ever!!
@_manfp
Manfred Paul
1 year
@ecsc2024 @MITAmalta @MITAmalta, this is not how you build up a cybersecurity community in your country. It was great to see a lot of ECSC players show their support for people like @_mixy1 who faced both disqualification and legal action. As the vulnerability research community, we should do the same.
@_manfp
Manfred Paul
1 year
@ecsc2024 Only low point though was the lack of a Maltese team, apparently due to @MITAmalta blocking some of the (already qualified) team from coming after they were arrested for responsibly disclosing(!) a vulnerability in a student app in 2022.
timesofmalta.com
The students were arrested in 2022 for requesting a reward after reporting a security flaw in a FreeHour app
@_manfp
Manfred Paul
1 year
Had a great time playing for the German team at @ecsc2024, shout out to the organizers for putting on a really great competition!
@taviso
Tavis Ormandy
1 year
This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵 1/n
@bjrjk
Jack Ren
1 year
Exploit for Pwn2Own CVE-2024-29943, an Integer Range Inconsistency caused OOB access! Analysis will be updated later. Shoutout to @_manfp for finding this bug. And shoutout to @maxpl0it for his integer range inconsistent PoC. https://t.co/6r3JNXMvAP
@h0mbre_
h0mbre
1 year
think i found a bug. which means it’s time to take a break and enjoy the possibility before looking more closely and finding out there’s a check in an upstream code path I missed
@AlecMuffett
Alec Muffett
1 year
@chrisrohlf @mncoppola Keeping open a bug to support a government operation is isomorphic to opening a backdoor to support a government. I'm pretty sure you wouldn't want Google to keep a bug open for the benefit of China, Chris. https://t.co/XY8o10Fdmc
alecmuffett.com
Anyone who thinks the linked blog post is insightful or sensible should watch all of Marcus Ranum’s “Cyberwar: You’re Doing It Wrong” from 2012,  especially from 12:42 on th…
@GrapheneOS
GrapheneOS
1 year
https://t.co/cBUM1AoYuB Is this the "counterterrorism operation" by a U.S.-allied Western government that's being referenced? If saying the country and "terrorist" group involved paints a flattering picture of these exploit tools, why aren't they saying which ones are involved?
theguardian.com
Analysis by Amnesty International linked them to Pegasus Project leak of more than 50,000 phone numbers
@_manfp
Manfred Paul
1 year
If you feel fine with selling vulns to states with vague hopes that they'll be used "for good", and can sleep soundly knowing your friends and loved ones are using preventably vulnerable products, that’s your choice. But that's not a fair demand to make of others.
@_manfp
Manfred Paul
1 year
This really just feels like the discourse of backdooring encryption all over again. There is no "secure but with exceptions for when the good guys need access". That's called being insecure.
@_manfp
Manfred Paul
1 year
(Of course, how would you even judge morality when all the information comes from people who pretty much have "lying" in their job description? Also, even they won't necessarily know about other actors exploiting the same vuln...)
@_manfp
Manfred Paul
1 year
Their job is making software more secure, not being geopolitical judges of which exploit campaign is moral and good. If you're concerned with tech companies inserting themselves into such things, then wouldn't the latter actually give them much *more* power?
@_manfp
Manfred Paul
1 year
This argument feels deeply unsettling to me. No matter your stance on states exploiting vulnerabilities, shifting the moral obligation to vendors and researchers and demanding they be complicit in it is a dangerous precedent and short-sighted.
@mncoppola
Michael Coppola
1 year
New blog post "Google: Stop Burning Counterterrorism Operations" My reflection on an incident where Project Zero and TAG knowingly shut down an active Western counterterrorism cyber operation, and the real-world harm that could have resulted from it. https://t.co/AtWxFPpE8u
@GoogleVRP
Google VRP (Google Bug Hunters)
1 year
This year's Google CTF Qualification is over. Congratulations to @kalmarunionenDM, kijitora and Zer0RocketWrecks! The top 8 teams qualified for Hackceler8 2024 in Málaga. More details at https://t.co/9xUqG1nVDM. ¡Vamos!
@bpreneel1
Bart Preneel
1 year
Good news: vote on chatcontrol postponed. But this monster keeps raising its head: efforts to stop it need to be continued.
@chaosupdates
CCC Updates
1 year
Stage win: The EU member states fail to agree on a position on #Chatkontrolle today – the Council Presidency takes the vote off the agenda
@_manfp
Manfred Paul
2 years
Happy to have my write-up on @thezdi's blog again - after so many fights with some kind of range analysis, a bug that just directly gives every type confusion you want felt quite fun
@thezdi
Trend Zero Day Initiative
2 years
In a new guest blog, #Pwn2Own winner @_manfp details CVE-2024-2887 - a bug he used to exploit both #Chrome and #Edge during the contest on his way to winning Master of Pwn. He breaks down the root cause and shows how he exploited it. Read the details at