Ivan Fratric 💙💛

The slides for my Black Hat talk "XMPP Stanza Smuggling or How I Hacked Zoom" are now available at #xmpp-stanza-smuggling-or-how-i-hacked-zoom-26618" target="_blank" rel="nofollow noopener">blackhat.com/us-22/briefing…

@julianor Details in 30 days :)

@ifsecure info leak?

CVE-2026-28920 (Apple, zlib, found by Brendon Tiszka of Google Project Zero) sure looks fun :)

Turns out adapting our 0click chain to work on Pixel 10 wasn't that hard... at least if you're into Android drivers as much as @__sethJenkins.

.@__sethJenkins updated our 0-click exploit chain to work on a Pixel 10 with an eye-popping driver bug! We’ll be presenting this work Saturday @offensive_con projectzero.google/2026/05/pixel-…

The fuzzer that found project-zero.issues.chromium.org/issues?q=compo… (and a number of issues prior to that as well) is now open-source: crrev.com/c/7580844 It uses pkeys, trap-handling and single-stepping to intercept and mutate in-sandbox reads (see trap-fuzzer.h). Definitely had fun writing it!

Just derestricted a now-fixed kernel bug in Pixel 10. I think this ranks as the most easily exploited kernel bug of all time😬 Thanks to @tehjh for collab'ing on this driver and full credits for noticing this bug in the first 5 minutes of auditing😂 project-zero.issues.chromium.org/issues/4634382…

@cl4sm Yes, exactly, coverage is poor aproximation for state. I don't think better state approximation and mutational fuzzing are mutually exclusive, mutational fuzzer benefits from better state.

@ifsecure Cool blog! The first problem feels like an issue with coverage being a poor approx. for program state. But approaches like IJON haven’t seen much success AFAIK in the real world. Do you think prob 1 gets fixed with better state approx or is the mutational fuzzer still needed?

I wrote a short blogpost on the quirks of grammar fuzzing (and, more generally, structure-aware fuzzing) and a simple trick I used to get more bugs out of it more quickly. projectzero.google/2026/03/mutati…

Jackalope and Tinyinst have been working on arm64 macs for a while, but now you should also be able to run against arm64e binaries (i.e. binaries that ship with the os) with some modification to the system. For details, see github.com/googleprojectz…

In the final part of his blog series, @tiraniddo tells the story of how a bug was introduced into a Windows API. Code re-writes can improve security, but it’s important not to forget the security properties the code needs to enforce in the process. projectzero.google/2026/02/gphfh-…

How a single feature was responsible for 5 Windows Administrator Protection bypasses, in a new Project Zero blog post by @tiraniddo

Part 2 of @tiraniddo’s Windows Administrator Protection journey is here! projectzero.google/2026/02/window…

New Project Zero blogpost by @dillon_franke on exploiting a coreaudiod bug on macOS. Quite a journey with a lot of unexpected roadblocks and how Dillon pulled it off in the end. projectzero.google/2026/01/sound-…

Windows Administrator Protection is set to replace UAC, but as a supported security boundary. James Forshaw breaks it down in a new Project Zero blogpost. The blogpost features a tricky bypass that leverages multiple subtle Windows kernel quirks.

New Project Zero blogpost series describing a 0-click exploit chain targeting Pixel 9, featuring a Dolby decoder bug spotted by yours truly.

Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices. projectzero.google/2026/01/pixel-…

Project Zero has a new blog at projectzero.google and boy, do we have some some great content in store. For now, you can read two never published drafts as well as a guest post from Benoît from Threat Intelligence Group with an indepth analysis of an Android 0click exploit.

We launched a redesigned Project Zero website today at projectzero.google ! To mark the occasion, we released some older posts that never quite made it out of drafts. Enjoy!

📢📢📢 Our Patch Rewards Program rules were updated to explicitly encourage batched submissions, and place every Google-filed OSS vulnerability explicitly into scope (thanks for your feedback). Interested in getting rewarded for your awesome OSS security work? g.co/prp

An analysis of a recent 0-click exploit targeting Samsung devices: googleprojectzero.blogspot.com/2025/12/a-look…