Securing Bits

In February, I discovered a critical authentication bypass in the Google Cloud API Gateway and reported it to @GoogleVRP. 🧵[1/10] References: Write-Up: securingbits.com/bypassing-goog… CVE: nvd.nist.gov/vuln/detail/CV… GitHub Advisory: github.com/GoogleCloudPla… #bugbounty #googlecloud

@ctbbpodcast Love you guys ! 🙏

We did a 10h long live Hackalong session on Discord and found a few bugs! Here are some of the cool stuff we learned from it

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

Learn more about indirect prompt injections from the paper 'Not what you’ve signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection' Link: arxiv.org/pdf/2302.12173

Building your next LLM integration? Beware of Indirect Prompt Injection vulnerability. Previous models like GPT4 and Bing have been affected. #llm #applicationsecurity #chatgpt

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

HTTP Response Headers: Usage 🛠 and Security Abuse ☠. Those complement the HTTP Request Headers we saw last week :) #websecurity #bugbounty #bugbountytips

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

HTTP Request Headers: Usage🛠️ and Security Abuse💀 #websecurity #bugbounty #bugbountytips

@sephr @ABouhoula @AmitZac1 I haven’t checked their methodology either, just trusting the reputation of the conference which involves peer review already .

@securing_bits @ABouhoula @AmitZac1 I'm unsure about the reliability of their methodology. I can't determine if the crawler was also in the EU and set up to accurately represent an EU citizen. I requested the code on April 17, 2024, to peer review this study. I never received a response. @ABouhoula @AmitZac1

Recent research conducted by ETH reveals that 65.4% of the most visited websites in the EU offer a cookie rejection option, yet they could still potentially gather user data even after users explicitly reject their cookies. 🕵️‍♂️ Is privacy compliance so difficult? #privacy #gdpr

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

Guard your LLM against prompt injection with these powerful tools: - github.com/protectai/llm-… - github.com/protectai/rebu… - github.com/NVIDIA/NeMo-Gu… - github.com/amoffat/Heimda… - github.com/guardrails-ai/… - github.com/whylabs/langkit #AI #MachineLearning #LLM #Security 🛡️🔒

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

If you missed Part 1 👇 twitter.com/securing_bits/…

What could go wrong during the ML model development lifecycle (Part 2) ? Example threat model based on the talk "Kubernetes MLSec: Securing AI in Space" by @d1gital_f and James Callaghan of @controlplaneio at @CloudNativeFdn. #ai #machinelearning #security

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

Authentication (AuthN) architecture patterns for microservices👇 #microservices #applicationsecurity #systemdesign

@expankita I was a mathematician teaching math to students 😎 Worked myself to a masters in cybersecurity, CTFs and finally my first role.

Who else is rocking a career in #cybersecurity without the traditional tech background? I started without any formal certs—just a lot of creativity! How did YOU break into the field? I'd love to know your story 🙂 #hacker

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

What could go wrong during the ML model development lifecycle? Example threat model based on the talk "Kubernetes MLSec: Securing AI in Space" by @d1gital_f and James Callaghan of @controlplaneio at @CloudNativeFdn. Talk: youtube.com/watch?v=gjl-lT… #ai #machinelearning #security

I hope you've found this thread helpful. Follow me here @securing_bits or on Linkedin linkedin.com/in/vasilikos-p… for more, and if you enjoy my content make sure to subscribe to my weekly free newsletter at securingbits.com/newsletter. Like/Repost the quote below if you can:

Take a look at these Google Cloud Threat Detection Queries👇 They are inspired by a talk given by @daycyberwox during a past @fwdcloudsec event. Link: [youtube.com/watch?v=orNBBH…]