Positive Security

We looked at the internals of JavaScript/TypeScript's most popular utility libraries and found interesting issues. The post contains hacking challenges/live demos. We recommend checking it out if you work with the affected libraries. positive.security/blog/lodash-ra…

The company operating this system has threatened us with lawsuits and (now publicly) denies the risk

The system is also used for street lamp control, allowing for a scaled-up “Project #Blinkenlights” art installation that transforms an entire city into a screen (for astronauts)

At #38c3, we presented our #BlinkenCity research, which started as a fun art project idea, and ended up as a plausible European #blackout scenario. youtube.com/watch?v=DAf-T3… Details: positive.security/blog/blinkenci…

The Auto-GPT team has now also published GitHub security advisories and reserved CVE numbers: - github.com/Significant-Gr… - CVE-2023-37273, CVE-2023-37274, CVE-2023-37275

We leverage indirect prompt injection to trick Auto-GPT (GPT-4) into executing arbitrary code and discovered vulnerabilities that allow escaping its sandboxed execution environment. positive.security/blog/auto-gpt-…

Our article on DIY AirTags is now also available in German! Zu finden im @MakeMagazinDE (1/2023) und @mac_and_i (2/2023)

Fabian was interviewed (in German) by Deutschlandfunk about the new tracking protection standard by Google and Apple (featuring a "backdoor" near-owner bit) deutschlandfunk.de/zwielichtig-di…

@rchase Yes, we ended that experiment after 5 days (as a tracking alert should have been triggered within that time frame) and then published the blog post

@positive_sec Great research thanks for sharing! I don't think you mentioned why it stopped working after 5 days - did you just end the experiment, did it run out of power, did it run out of public keys etc?

We built a stealth AirTag clone that is not detected by Apple’s tracking protection. It works by only sending one beacon per generated public key. positive.security/blog/find-you

The popular Ruby library "Ransack" can be abused to exfiltrate sensitive data via character by character brute-force. We compromised multiple applications this way and found hundreds more that could be vulnerable. positive.security/blog/ransack-d…

@aroly Did you try Xubuntu 20.04? That's where we had successfully tested the auto-mount (in default config). Also make sure to have anonymous access enabled for the NFS share/server to be able to use the nfs:// URL as shown in the thumbnail without username/password.

The latest @make magazine features an article of ours on "DIY #AirTags". It contains: - Brief explanation of the Find My protocol - Introduction of @seemoolab's OpenHaystack - Summary of our research (Send My & Find You) - Example use cases for such (enhanced) DIY trackers

urlscan.io leaks API keys, shared documents, password reset links, team invites, and other sensitive data. We identified one culprit to be other security tools that accidentally make their scans public and put their users at risk. positive.security/blog/urlscan-d…

The exploit files and demo application are available here: github.com/positive-secur…

An unpatched vulnerability in the popular dompdf PHP library allows for remote code execution via a malicious font+PHP polyglot file. positive.security/blog/dompdf-rce

We present a simple yet effective technique to get a high-resolution image from a pixelated video in order to recover redacted information (with no guessing involved) positive.security/blog/video-dep…