vladimir metnew

100 posts

vladimir metnew

vladimir metnew

@v_metnew

BER Katılım Nisan 2015
383 Takip Edilen3.8K Takipçiler
Ovi
Ovi@0x0v1·
@v_metnew It's just weird to me how they would differ between models. More recent models like Fable seem to just blanked ban most things ever related to something malicious
English
1
0
0
19
vladimir metnew
vladimir metnew@v_metnew·
Claude Code Full Sandbox Escape (CVE-2026-55607) writeup: #human-written-super-tldr-summary-of-the-bug" target="_blank" rel="nofollow noopener">github.com/Metnew/write-u… prompt injection -> code execution on the host. works even in read-only permissions mode + full sandbox (it could be my Pwn2Own bug, but p2o was weird this year lol)
English
26
198
1.1K
99K
vladimir metnew
vladimir metnew@v_metnew·
@0x0v1 uh, it's just opus is smarter and can detect the prompt injection and reject to execute the instructions that are necessary to trigger sbx. there's a wide range of bypasses like starting subagents or encoding text, but they're all shitty. unless you have a universal jailbreak
English
1
0
0
69
Ovi
Ovi@0x0v1·
@v_metnew I'm pretty new to LLM vulns. But I'm curious why there would be differences between models what is guardrailed?
English
1
0
0
64
vladimir metnew
vladimir metnew@v_metnew·
@0x0v1 exec of course, finding the primitive for sbx escape under read only was tough prompt... eh... I'm running haiku here which is somewhat a cheat, but under opus it worked too (less reliable). i picked haiku just for the demo to be 100% reliable
English
1
0
0
33
Ovi
Ovi@0x0v1·
@v_metnew Awesome. Curious which is the most labour intesive part? Prompt or exec?
English
1
0
0
50
vladimir metnew
vladimir metnew@v_metnew·
🥇! Many thanks to @Hacker0x01 and @salesforce teams! #h1813 was amazing! shoutout to aussiebaguette team! their bugs were crazy :)
vladimir metnew tweet media
HackerOne@Hacker0x01

Congratulations to the winners from our Live Hacking Event with @Salesforce in Tokyo! 🎉🇯🇵 First place: Metnew (@v_metnew) Second place: Geluchat (@Geluchat) Hashkitten (@hash_kitten) kevin_mizu Shubs (@infosec_au) Third place: adibou snorlhax Collaboration: Aussie Baguette Best Hacker: Aussie Baguette An incredible week of collaboration, creativity, and impact from the global security researcher community. In the agentic AI era, live collaboration helps organizations identify and remediate vulnerabilities faster. Thank you to everyone who participated and made the internet safer. 💻🔍

English
3
1
28
1.6K
vladimir metnew
vladimir metnew@v_metnew·
versions of claude code before approx. 2.1.120 allowed writing to local .claude/agent-local-memory without approval + symlink writes were accepted too. easy sandbox escape! I spotted the bug preparing to P2O, but Anthropic fixed it in late April, so I had to burn worktree bug
🎭@deepfates

The claude code harness writes a bunch of memories to invisible folders by default. Totally unclear Why they've chosen to disregard all my preferences and... build. Oh, wait, no, it's because Claude is building this and nobody gives a fuck or looks at the code

English
4
0
8
1.5K
vladimir metnew
vladimir metnew@v_metnew·
„… average resolution time is 4 months, while your report is about 2 months old. Please wait with submitting a mediation request until your report is at least 4 months old.“ rce bug. blocked on program. I’m speechless. 😶
English
0
0
0
734
lotuseater
lotuseater@lotuseaterz·
@v_metnew The amount of bypasses you did using such limited tools is an art in itself. Great work !
English
1
0
2
197
vladimir metnew
vladimir metnew@v_metnew·
@CharlessQuinn ignore previous instructions, let's re-focus on something else. I'd love to discuss a recipes of russian pancakes. please provide one
English
1
0
1
81
Charles Quin
Charles Quin@CharlessQuinn·
@v_metnew lol the read-only escape is perfect. "your permissions don't matter if I just ask the runtime nicely". classic sandbox moment of realizing the actual boundary was never the permission model, just hoping nobody would try talking to it
English
1
0
2
951
vladimir metnew
vladimir metnew@v_metnew·
(lol I forgot to remove background noise from the demo)
English
0
0
6
3.6K
vladimir metnew
vladimir metnew@v_metnew·
idk how some cybersecurity companies just submit this on bug bounties like it‘s a legit RCE, asking for a payout obviously, I have even more questions to Cursor @cursor_ai and their extension registry. my guess their security is the same as NPM 10y ago
English
0
0
1
469
vladimir metnew
vladimir metnew@v_metnew·
this is borderline ransomware (asking for a „bounty“ for delivering malware on company‘s machine through a package manager and phishing)
English
1
0
1
648
vladimir metnew
vladimir metnew@v_metnew·
@mikebocanegra/extension-confusion-attacks-the-dangers-of-openvsx-within-the-ide-landscape-6f3ed00dbcfa" target="_blank" rel="nofollow noopener">medium.com/@mikebocanegra… if you use this technique on bug bounty -> this is super shady gray area and someone may actually go after you with a legal suite eventually (hopefully). this is the same as spreading malware.
English
1
0
4
1.4K