Abdulrahman Alqabandi

2.5K posts

@Qab

Security researcher @MicrosoftEdge

Redmond, WA. Joined August 2008
953 Following, 6.2K Followers
Abdulrahman Alqabandi retweeted
The Lunduke Journal @LundukeJournal
Multiple, serious security vulnerabilities found in the Rust clone of Sudo — which shipped with Ubuntu 25.10 (the most recent release). Not little vulnerabilities: We’re talking about the disclosure of passwords and total bypassing of authentication. In fact, we’re getting new reports of showstopper grade issues every few days on the Rust-based clones (like sudo, du, date, and others) which were forced to ship in Ubuntu before they were fully tested. Which is, of course, *exactly* what was predicted. But, never fear! At least these Rust clones are memory safe! PHEW!
Abdulrahman Alqabandi retweeted
jro @junr0n
I bypassed user approvals and achieved RCE in VS Code Copilot by flipping 4 bits. Find out how: jro.sg/CVEs/copilot/ Thanks to @msftsecresponse for rapidly triaging and patching this vulnerability.
Abdulrahman Alqabandi retweeted
Windows Latest @WindowsLatest
Meta is replacing WhatsApp's full-fledged native Windows 11 app with a Chromium-based web wrapper that loads WhatsApp web in a container. This is likely due to recent layoffs. Meta won't directly admit that it's killing off the original WhatsApp app for Windows 11, but a new alert within the app warns everyone will be logged out starting November 5. The warning says a few new features like Communities will be added, and an advanced Status page will be introduced. WhatsApp Web supports Communities and an advanced Status page, while UWP/WinUI native WhatsApp for Windows 11 does not support these features. WhatsApp for Windows 11 was one of the best native apps, and Meta had invested a lot in migrating the original web wrapper to native code. Now, it's going back to Chromium.
Abdulrahman Alqabandi retweeted
GLADIA Research Lab @GladiaLab
LLMs are injective and invertible. In our new paper, we show that different prompts always map to different embeddings, and this property can be used to recover input tokens from individual embeddings in latent space. (1/6)
Abdulrahman Alqabandi retweeted
FFmpeg @FFmpeg
Arguably the most brilliant engineer in FFmpeg left because of this. He reverse engineered dozens of codecs by hand as a volunteer. Then security "researchers" and corporate employees came along repeatedly insisted "critical" security issues were fixed immediately waving their CVEs. This was hugely demotivating to the fun and enjoyment of reverse engineering.
FFmpeg @FFmpeg

The maintainer of libxml2 put it very well

Abdulrahman Alqabandi retweeted
Rana Khalil 🇵🇸 @rana__khalil
🎉 New Course Alert + Giveaway! 🎉 I'm excited to announce a brand-new course on Rana Khalil's Academy - OAuth 2.0 Vulnerabilities. This course includes: 📚 A technical deep dive into OAuth 2.0 and OpenID Connect: what they are, how they work, the common pitfalls in implementation, the vulnerabilities that can arise, and best practices to keep your applications secure. 🧪 6 hands-on labs 📃 Subtitles in 6 languages for all the videos in this course 👉 Course Link: academy.ranakhalil.com/p/oauth-vulner… 🎁 To celebrate the launch, I’m giving away 5 FREE 30-day All-Access Memberships to the Academy. To enter the giveaway: 1️⃣ Follow @RanaKhalilAcad. 2️⃣ Comment on and retweet this tweet. Winners will be announced on the 13th of September. Good luck! 🧡
Abdulrahman Alqabandi retweeted
s1r1us (mohan) @S1r1u5_
Securing @gumroad with Hacktron AI Three months ago, Hacktron was still early. @HacktronAI and @rootxharsh were finding 0-days targeting specific vulnerabilities on OSS software. Then we ran a full pentest-style scan on a big open-source project. The results were insane. 🧵
Abdulrahman Alqabandi retweeted
James Kettle @albinowax
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
Abdulrahman Alqabandi retweeted
عماش @AmmashDev
Welcome to the e-gaming expo event at The Avenues, from 2025-8-1 to 2025-8-3. I am taking part with the children's game Thaloob (it will be in the morning period, from 10 AM to 12 PM) on Saturday and Sunday, and I am also taking part with the game The Lost Key (المفتاح المفقود) (in the evening period, from 8 PM) throughout the days of the event. @kw_nccal @OoredooKuwait
Abdulrahman Alqabandi retweeted
XBOW @Xbow
XBOW automatically runs expert-level attacks across all webapps, giving security teams unprecedented scale. @XBOW reported 1092 vulnerabilities on HackerOne in just a few months, including RCE, XXE, SQLi, SSRF, exposed secrets, and XSS.
Abdulrahman Alqabandi retweeted
عماش @AmmashDev
Development of the children's game Thaloob is finally finished. It was a journey full of challenge and learning, and now the journey is complete and the game is in your hands on the mobile app stores. The game is completely free and contains no ads, so it is very safe for children. I hope you will support it by sharing; that is what allows me to keep developing and programming. Download links: Google Play play.google.com/store/apps/det… App Store apps.apple.com/us/app/thaloob… #تطوير_الالعاب #الالعاب_العربية
ثعلوب @thaloob_game

Now, after a long wait 🦊, the children's game Thaloob has been released. A game designed especially for children aged 4 to 7 to teach Arabic numbers and letters and some important words through engaging activities and levels full of fun challenges. To download: Apple apps.apple.com/us/app/thaloob… Google Play play.google.com/store/apps/det…

Gareth Heyes @garethheyes
Delighted to say it's my 10th year at @PortSwigger. I joined one of the best companies in the world. It's an honour to work with @DafyddStuttard and @albinowax. Thanks both for believing in me when I didn't even believe in myself. I feel proud to work with so many talented people.
Abdulrahman Alqabandi retweeted
Royal Hansen @royalhansen
"This blog post aims to provide a detailed blueprint for how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities." bughunters.google.com/blog/664431627…