Chai Yichen

Today we're releasing hpke-ng: a clean-slate Rust implementation of HPKE (RFC 9180) and a drop-in replacement for Cryspen's hpke-rs, the subject of our critical nonce reuse vulnerability discovered in February. Faster, smaller and more hardened than hpke-rs across every metric.

Advanced LLMs have really made plenty of fools look smart. Emphasis on "look smart", it's not too hard to see through it

With @Hacker_Chai we just published our second blog post on Samsung security research! This one is about a local arbitrary APK install in Galaxy Store, combining a few vulns like a broken signature check, a file write, etc. Check it out here: bugscale.ch/blog/here-we-g…

To those interested, I mainly focus on the memory corruption side of vulnerability research / exploit dev, but after this Samsung stuff I also have a bit of experience with Android (i.e. Java, JNI, binder etc.)

From the looks of it, cloud gaming (i.e. games running on the cloud, streamed to your phone) may be coming in future for Samsung phones 👀. Idk what it's like now, but more stuff is being added

Our second blog post is out here: bugscale.ch/blog/here-we-g… ! We managed to install arbitrary APKs on the Samsung Galaxy S25 from an app without install permissions. For this, @SachaKozma did most of the work, but it was great looking into Samsung's cloud gaming component with him

Credit where credit is due. freebsd.org/security/advis… and freebsd.org/security/advis… look much more interesting

*free and pointer discarding. The dangling pointer exists for a fleeting moment during packet processing before it's gone. You'd think that's a memory leak then, but the ptr if not freed then is freed somewhere else, iirc. mbufs are kinda cool and my memory's hazy

Sadly, this one's probably unexploitable; couldn't find a way to extend the gap between free and realloc, and FreeBSD's UMA allocator is not a fan of zone crossing, which means we most likely can only replaced the dangling mbuf ptr with another mbuf

Revising this UAF I found a while back in FreeBSD's pf firewall: cgit.freebsd.org/src/commit/?id… . Unlike some who find bugs in components nobody has touched for years with Claude and parade them around like they've found the bug of the century, we find bugs in code people actually use

*Revisiting dammit iOS

Did I mention I still have a remote kernel panic against all FreeBSD Wi-Fi users (again probably quite little). You're connected to Wi-Fi, receive my wireless frame, bam, panic. Marked duplicate (the previous guy barely had a PoC), not fixed

I know these stuff are old news, but I just recalled some of the minor bugs I found in FreeBSD in the past. If I had a PR team, each of these could be an "impressive find in a highly secure OS"

Sure hope money in banks are safe with the FCA's wonderful talents

Check out my GOAT Sacha at @SachaKozma and go follow him! His blog is at blog.cdthoughts.ch !

@leonjza @bugscale @1ns0mn1h4ck @SachaKozma Thank you for coming, glad you liked it!

@bugscale @1ns0mn1h4ck @Hacker_Chai @SachaKozma Thank you for this talk. Your presentation style was fantastic, as was the content!

If you missed the talk at @1ns0mn1h4ck , our latest blog post is now available for you to explore. In this post, researchers @Hacker_Chai and @SachaKozma detail their journey to a 1-click RCE exploit on the Samsung S25 phone. Check it out here: bugscale.ch/blog/shoot-for…

Proud to have published the first ever report to qualify for Samsung's Important Scenario Vulnerability Programme (ISVP)! @SachaKozma @bugscale security.samsungmobile.com/securityPostDe…

Yay @bugscale @SachaKozma: security.samsungmobile.com/serviceWeb.smsb