
koto
@kkotowicz
Followers
9K
Following
4K
Media
81
Statuses
6K
security ninja wannabe Mastodon: @[email protected]
Joined August 2007
RT @GoogleVRP: We're sending a HUGE thank you to our incredible community of bughunters ! 🙏 Your passion for finding vulnerabilities keeps…
RT @GoogleVRP: Do you want to learn more about the various Vulnerability Reward Programs offered by Google? Or you're looking for inspirati…
Pretty cool exploit chain with the redirects. The writeup is also excellent, and the "screenshots" being actually interactive? 🤯 Thanks a lot for the research, @rebane2001!
Love a good client-side exploit chain! This crazy cross-product chain targeting Google by @rebane2001 is a great example of the type of exploit that gets easier the longer you spend targeting a single company.
RT @gynvael: If anyone is following the NEWAG vs Dragon Sector case, this article (in PL, but, well, 2024, google translate) is a really go…
XSS in Gmail is now $20k (or 50% more for exceptional quality report). Good thing we don't have XSSes anymore. Or do we? :)
🚨💰 Google VRP Reward Update 💰🚨 Good news, we are significantly increasing the reward amounts offered by the Google VRP! Look out for up to 5x higher payouts and a maximum reward of $151,515! Details here:
RT @dsredford: It's finally happened! NEWAG IP Management just sued us for copyright infringement and unfair competition. Here's a symboli…
RT @gynvael: So NEWAG (context: finally filed a lawsuit against members of @DragonSectorCTF / SPS. It took them a…
RT @we1x: @LinkedIn says no to DOM XSS by enforcing Trusted Types! Congratulations to @shafigullin for this achievement 🎉.
RT @GoogleVRP: Ever wondered how to increase your bug bounties 💸 ? Our latest blog post introduces our domain tiers security concept and ho…
bughunters.google.com
Do you want to know more about the concept of domain tiers, understand how they are applied at Google, and view a list of Google's highest sensitivity domains? Take a look at this blog post to find...
See how Google's security engineering team handles rollouts at scale, so we can safely enforce Strict CSP, Trusted Types and other security features on 100s of new services yearly.
bughunters.google.com
There are vastly more engineers at Google dedicated to creating and maintaining new products than there are security engineers working to secure products. For this reason, Google security has to...
RT @TheRegister: Mozilla decides Trusted Types is a worthy security feature
theregister.com
DOM-XSS attacks have become scarce on Google websites since TT debuted
RT @we1x: Mozilla has changed their standards position on Trusted Types to positive 🎉. 2024 will be a bad year for DOM-based XSS. https://t…
github.com
Specification Title: Trusted Types for DOM Manipulation Specification or proposal URL: https://github.com/WICG/trusted-types/blob/master/README.md It seems useful to figure out something here early...
RT @shhnjk: A few deprecations shipped in Chrome 120. Data URLs in SVG <use> is now blocked. CSP Embedded Enforce…
RT @SecurityMB: So I'm starting a Youtube Channel 😄 Join me today at 19:00 CEST (in other words: in three hours) when I'll talk about 10 hi…
RT @kinugawamasato: Mastodon has security fixes for RCE and XSS. Relatedly, a bypass of the HTML sanitizer in the Ruby gem "sanitize" has also been fixed.
github.com
### Impact Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize `>= 3.0.0, < 6.0.2` when Sanitize is configured to use the built-in "...
RT @we1x: 🥳 This will make using side-channel techniques such as Timing Attacks, XS-Leaks, and COSI harder!