Will Harris

2.5K posts

@parityzero

Chrome Security gnome. I work on the sandbox and local data protection on Windows. @parityzero.99 on signal. Opinions here are my own!

Joined June 2011
803 Following 3.9K Followers
Pinned Tweet
Will Harris@parityzero·
With Chrome 127 on Windows, we're introducing enhanced encryption to protect sensitive data, starting with your cookies🍪! This helps protect your personal information and keeps your online accounts secure from hackers. Read more about this protection: security.googleblog.com/2024/07/improv…
Will Harris@parityzero·
@WindowsCentral Make it so right clicking on a file in explorer on a modern 64-core Threadripper 3995WX doesn't take 3 seconds to open the context menu.
Windows Central@WindowsCentral·
🔎Preview: 9 new features coming to Windows 11 (March 2026) Windows 11’s March 2026 update is expected to ship with nine new features and changes, and it’s shaping up to be one of the more meaningful updates in a while. Microsoft is rolling out a mix of UI polish, smarter system behavior, and quality‑of‑life improvements that should make day‑to‑day use feel smoother. It’s not a full redesign, but it’s enough to make Windows 11 feel refreshed heading into spring. Curious which of the nine upgrades people think will actually matter once they land? (1/2)
Will Harris retweeted
Chris Wysopal @ RSAC@WeldPond·
The window between vulnerability disclosure and real-world exploitation keeps shrinking. The Zero Day Clock visualizes how fast attackers are operationalizing new CVEs. What used to take months now often happens in days, or hours. The future needs to be Secure by Design. zerodayclock.com #AppSec #CyberSecurity
Will Harris@parityzero·
@afneil On international flights with no first class cabin they sometimes don't even bother calling group 1 (BA Gold) and go straight to 2 (business class).
Andrew Neil@afneil·
Not huge. Guest list gets you access to Concorde Lounge in T5 Heathrow and Chelsea Lounge T8 JFK. But Group 0 status is meant to give you priority boarding ahead even of Group 1. But at least 50% of the time they don’t bother to call Group 0. Boarding BA is usually shambles despite all the emphasis on groups. You’d think a British airline, of all airlines, would know how to organise an orderly queue! @British_Airways
Rupert@rupertbe

@afneil @British_Airways Is there a big difference between gold and guest list ?

Will Harris@parityzero·
@xaitax I find it amusing that Copilot is using App-Bound Encryption - how about adding this support directly into the OS instead? Does this mean I work in AI Security now? :)
Alex@xaitax·
Remember my post about Edge's Copilot interfaces (IElevatorCopilot etc)? Dug deeper. Edge's Local State has TWO ABE keys: • app_bound_encrypted_key (cookies/passwords) • aster_app_bound_encrypted_key (???) Both decrypt via same IElevatorEdge IID. Different 32-byte master keys. "Aster" = Microsoft's Copilot codename. What does Aster encrypt? 🤔
Will Harris retweeted
Alex@xaitax·
Interesting. Microsoft Edge now finally switched on App-bound encryption for their passwords. At least for me now on Version 144.0.3719.35. Last test on Version 142.0.3595.53 this wasn't the case.
Will Harris@parityzero·
@jrozner @dinodaizovi yes, DBSC means the attacker must maintain persistence on the device so increases the cost/risk of any attacks.
Joe Rozner@jrozner·
@parityzero @dinodaizovi My understanding is the cookie can still be used off device, you need to refresh it on device and be constantly pulling it. How frequently depends on the cookie lifetime. Is that incorrect? This breaks the infostealer selling creds. Like you said, it doesn’t solve persistence
Dino A. Dai Zovi@dinodaizovi·
Nearly every modern device has a TPM2, Secure Enclave, or hardware-backed keystore. Sites could be issuing device-bound, long-term keys that are used to issue short-term session tokens instead of requiring a new login. We just need the web standards to drive this.
Mitchell Hashimoto@mitchellh

I just want to log in without being redirected 42 times or logged out every single day. I want to remain logged in on my device for at least months. We have machines that can mimic sentience and yet we can’t do log in for more than 24 hours. We’ve been played for fools.

Will Harris@parityzero·
@jrozner @dinodaizovi ... you need something like application isolation or strong application secret binding (macOS has keychain, Windows has app-bound encryption). 2/2
Will Harris@parityzero·
@jrozner @dinodaizovi yes, exactly - so the cookie can be stolen but it can't be used off the device because of the need to present the short lived bearer token which is hardware bound. I don't think the goal of DBSC is to block an attacker with a persistent presence on the device. for that ... 1/2
Will Harris retweeted
Natalie Silvanovich@natashenka·
We launched a redesigned Project Zero website today at projectzero.google ! To mark the occasion, we released some older posts that never quite made it out of drafts. Enjoy!
Will Harris retweeted
POC_Crew@POC_Crew·
[POC2025] SPEAKER UPDATE 👤 Samuel Groß(@5aelo) - "JavaScript Engine Security in 2025: New Bugs, New Defenses" #POC2025
Will Harris@parityzero·
Can't believe Celebrity Traitors missed the golden chance to have a good game of Carrot in a Box there.
Ethan Mollick@emollick·
I don't use a Mac, so have no thoughts on the new browser.🤷‍♂️
Will Harris@parityzero·
@taviso “As Tavis disappears, Travis Normandy straightens his limp and walks slowly away.”
Tavis Ormandy@taviso·
A personal update... after nearly 20 years at Google, today is my last day! I'm going to be working on independent research for the foreseeable future, then who knows! I've worked with so many talented people, made so many friends and seen incredible research over the years 🫡
Will Harris@parityzero·
@HaifeiLi In Chrome, we do take the bare bugs that demonstrate a memory corruption but also give a bonus for full exploit. Because learning how folks turn a bug into a full exploit is useful for improving our mitigations. I'd like to think we get best of both worlds.
Haifei Li@HaifeiLi·
It's interesting, for me, to see vendors, let's see, Microsoft vs. Apple, going two different bug bounty approaches. Bug-focused vs. Exploit-focused For Microsoft, it's bug-focused. You don't have to submit a working exploit to win the bounty. So the single bounty will not be big, but the number of submissions can be high. (The irony is that (I also personally tried to ask MSRC to change their approach), if you submit a working exploit, your bug will be rewarded the same as a non-exploit bug. There's a HUGE difference as we researchers know it. This discourages working exploit submission, in my opinion.) For Apple, it seems to me it's exploit-focused, just like Pwn2Own. They reward exploits with huge bounties, so the number of submissions could be very limited. But it will maybe leave the other bugs (exploitable but no working exploit (yet)) behind? (I don't know if this is true as I never played in Apple's programs.). The thing is that as a vendor, you'd better fix all the bugs ASAP, because if you kill the bugs, you get a chance to kill the exploit chain which may already be in an attacker's hands. The exploit-only approach will also encourage researchers to sit on bugs (waiting someday he/she can exploit it) and this is no good for vendor security. Which is better for users' security? It's hard for me to say. "why not both" is of course better. :) Thoughts? x.com/ryanaraine/sta…
Will Harris@parityzero·
@SpecterOps Is there a copy of the slides or a recording available? :)
SpecterOps@SpecterOps·
App-Bound Encryption isn't stopping hungry attackers from getting into the cookie jar. 🍪 Join Andrew Gomez & Antero Guy at #BSidesDenver Sept 12 to learn how threat actors are still stealing browser secrets, plus a sweet EntraID cloud pivot bonus. ➡️ ghst.ly/45Bguqx
Will Harris retweeted
Ivan Krstić@radian·
🔺iPhone models announced today include Memory Integrity Enforcement, the culmination of an unprecedented design and engineering effort that we believe represents the most significant upgrade to memory safety in the history of consumer operating systems. security.apple.com/blog/memory-in…
Will Harris@parityzero·
@UK_Daniel_Card I think you can click on the NET::ERR and it will show you the cert.
mRr3b00t@UK_Daniel_Card·
Oh no the WiFi ……. Has been hacked….. and oh surprise….. my browser blocks the connection! Who could have imagined this would occur #Wifi #Mitm