Had a great time presenting at @reconmtl this weekend - always amazing meeting everyone and sharing research 🙌. For those that missed the conference, or just want to review my WhatsApp work, feel free to read the slides here & hmu if you have questions!.

Fired up to see everyone in beautiful Montreal for @reconmtl 2025 - attend my talk to hear about my research on WhatsApp. Might have a surprise 4th bug make an appearance 👀

RT @thatjiaozi: Oh hey! That’s my bug 👀 .

RT @phwd_: Respect and blessings 🙇.And big ❤️ to my good friend, a true homie Luke (@datalocaltmp) he is a real OG for the amount of conten….

Thrilled to be speaking at @reconmtl 2025 for the 20th anniversary!. My talk is "Call, Crash, Repeat: Hacking WhatsApp" and covers my reverse engineering efforts and the bugs I've found in deeplink handling, PJSIP usage, and XMPP signalling. Hope you find it interesting 🥳

Enjoying the Tokyo skyline with my mate courtesy of my friends at @BugBountyArg and @ekoparty - beautiful day to be a hacker!

On vacay in Taipei and I heard TSMC engineers place these chips (乖乖) next to their computers for good luck. Hoping they boost my odds of getting this talk on WhatsApp bugs past the CFP stage!

Focused on iOS research rn - pleasently surprised to see that user data persists when downgrading apps with TrollStore. i.e. Find bug in v7 - app auto updates to v8 - force downgrade to v7.0 with TrollStore - user data persists. For when you forget to turn off updates . 🤦‍♂️.

Since AFL++ is making random permutations, can I claim these bug bounties as tax free lottery winnings?.

Tested GhidraMCP for RE on stripped binaries - specifically the URL validation functions in Messenger (see my EkoParty talk). It reached the same conclusions in under a minute - may have took me a moment longer 👀. S/O @lauriewired for the awesome tool -

RT @lauriewired: Just built an MCP for Ghidra. Now basically any LLM (Claude, Gemini, local. ) can Reverse Engineer malware for you. Wit….

RT @clearbluejar: Wrapped up an incredible time teaching #PatchDiffingInTheDark in Austin, TX with @_ringzer0 ! The city didn’t disappoint—….

RT @signalapp: Right now there are a lot of new eyes on Signal, and not all of them are familiar with secure messaging and its nuances. Whi….

RT @0xcc: 0xCC 2025 tickets are now available! 🎉✨. We're a free technical training conference by women, for women in or interested in cyber….

RT @vxunderground: Yesterday I became acquainted with a young and passionate person who, for the past 2 years, has been documenting RATs (i….

RT @0xcc: Have you heard about our travel grant program? . It aims to support students, those starting out, returning to work and other int….

RT @patrickwardle: Happy 10th Birthday to @objective_see! 😍

Shoutout to @internetarchive for saving these NSO Group technical write-ups on Android libc allocator internals (dlmalloc and jemalloc) - they're out dated now with Scudo as the default Android libc allocator but still useful references!.

I really love coverage guided RE for fuzzing. Using Cartographer in Ghidra I can instantly figure out that my test cases aren't hitting the core parsing logic - find a conditional statement to patch with a branch - and start finding bugs. All without ever attaching a debugger.

Currently fuzzing a native JSON parser - GPT did a decent job generating unique edge cases. If you’re fuzzing text-based formats, asking an LLM for unique inputs might be worth a shot 🤷 Now onto asking for binary formats!. (I should look into as well)