1.2K posts

@[email protected]

@SecurityMB

Improving the world’s security at Google. Opinions are mine.

Zurich, Switzerland Tham gia Eylül 2014

284 Đang theo dõi11K Người theo dõi

Tweet ghim

@[email protected]@SecurityMB·15 Haz

Finally, my research is published. It has everything you might wish for in browser security: universal XSS, mutation XSS, CSS data exfiltration, and others. Check this out! In a few days, we'll also release a 30-minute presentation about this topic.

Securitum@securitum_com

We are publishing the research of Copy&Paste issues in browsers by @SecurityMB. Over $30k in bounties for bugs in Chromium, Firefox, Safari, Google Docs, Gmail, TinyMCE, CKEditor, and others. Includes also 0-day in Froala. research.securitum.com/the-curious-ca…

English

113

405

@[email protected]@SecurityMB·7 Mar

That must be the worst captcha I’ve ever seen.

@securitymb@infosec.exchange tweet media

English

801

@[email protected]@SecurityMB·24 Oca

That was a nice bug, thanks for the shoutout!

Intigriti@intigriti

2️⃣ XSS in GMail's AMP4Email via DOM Clobbering Michał Bentkowski (@SecurityMB) exploited DOM clobbering to achieve XSS in Gmail's AMP4Email feature. Found that AMP4Email allowed id attributes, which could be leveraged to overwrite JavaScript variables and bypass Google's strict security filters. research.securitum.com/xss-in-amp4ema…

English

1.9K

@[email protected] đã retweet

Jun Kokatsu@shhnjk·4 Oca

Why the "Agents Rule of Two" is flawed shhnjk.substack.com/p/why-agents-r…

English

2.1K

@[email protected]@SecurityMB·31 Ara

@gridogram I forgot to play gridogram yesterday. Is there an option to play yesterday's puzzle?

English

439

@[email protected] đã retweet

Ark@arkark_·26 Ara

Cross-Site ETag Length Leak blog.arkark.dev/2025/12/26/eta… I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)

English

359

40.6K

@[email protected]@SecurityMB·19 Ara

@canva Ah, it's probably from the old leak: haveibeenpwned.com/Breach/Canva

English

838

@[email protected]@SecurityMB·19 Ara

Has there been some email leak from @Canva? Just got a spam message for an email used only for Canva.

English

1.9K

@[email protected] đã retweet

Natalie Silvanovich@natashenka·17 Ara

We launched a redesigned Project Zero website today at projectzero.google ! To mark the occasion, we released some older posts that never quite made it out of drafts. Enjoy!

English

367

45.9K

@[email protected] đã retweet

Google VRP (Google Bug Hunters)@GoogleVRP·12 Ara

Interested in the security of AI Agents 💁🛡️? Then you've likely heard of "prompt injection", but do you know what "task injection" is? If you're curious, check out our latest post for a description and some real-world examples we discovered. bughunters.google.com/blog/482385717… bughunters.google.com/blog/482385717…

English

285

31.8K

@[email protected] đã retweet

Rebane@rebane2001·4 Ara

my new blogpost is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3 lyra.horse/blog/2025/12/s…

English

438

39.4K

@[email protected]@SecurityMB·12 Kas

@sephr Exploiting bentkowski.info/2022/11/google…

Français

🕊@sephr·12 Kas

what's a good use case for this outside of anti-fraud?

English

105

🕊@sephr·12 Kas

update: confirmed. you can detect with some certainty whether the current code running was as a result of devtools console input in Chrome. the final CallSite frame will usually look something like this

🕊@sephr

pretty sure you could use the CallSite.isToplevel API in Chrome to automatically detect and react to users entering code in the devtools console

English

254

@[email protected] đã retweet

Nowasky@nowaskyjr·28 Eki

JavaScript’s lexer ambiguity in action. Might fool you and some weak parsers. Demo: jsfiddle.net/yo0a24dj/

English

205

40.1K

@[email protected] đã retweet

terjanq@terjanq·18 Eyl

We published a blogpost about SafeContentFrame - a library for rendering untrusted content inside an iframe. The library is a big party of what I've been up to in the few last years! Check out the blog and take a slice of my birthday cake 🎂! bughunters.google.com/blog/671552987…

English

197

17.2K

@[email protected] đã retweet

Google VRP (Google Bug Hunters)@GoogleVRP·18 Eyl

Rendering untrusted web content is fraught with security risks 🕸️ 🛡️. Read how SafeContentFrame, a new TypeScript library, offers a robust solution for isolating web content and protecting against threats like XSS and side-channel attacks. goo.gle/3K5DRQJ

English

102

8.3K

@[email protected]@SecurityMB·7 Ağu

@RenwaX23 @kinugawamasato @Google In this case I fixed the bug myself, which anyone can do for Chromium 😀 there’s even a Patch bonus #patch-bonus" target="_blank" rel="nofollow noopener">bughunters.google.com/about/rules/ch…

English

314

Renwa@RenwaX23·7 Ağu

@SecurityMB @kinugawamasato I should get @google.com email and report my VRP bugs with it for fast triage and patch from now on.

English

334

Masato Kinugawa@kinugawamasato·3 Ağu

community.brave.com/t/bug-brave-un… yikes, Brave's HTML serialization seems really broken <div id=x><span x="aaa>&bbb"></div> <script> x.innerHTML=x.innerHTML; alert(x.innerHTML)// <span x="" aaa="">&bbb"></span> </script>

English

160

22.6K

@[email protected]@SecurityMB·7 Ağu

@kinugawamasato The bug is now fixed!

English

547

@[email protected]@SecurityMB·3 Ağu

@kinugawamasato So it's actually a bug in Chromium 😔 crbug.com/435995566

English

4.5K

@[email protected]@SecurityMB·5 Ağu

@matmul Not sure if it's widely used in the industry but Google's "Go style decisions" explicitly require such comments to start with the function name. #doc-comments" target="_blank" rel="nofollow noopener">google.github.io/styleguide/go/…

English

219

suraj@matmul·5 Ağu

ai is a true ocd helper

Français

2.6K

@[email protected]@SecurityMB·3 Ağu

@kinugawamasato My assumption is that they're doing some sort of match-and-replace on the HTML. The reason why I think so is that you get different results for `<div title="a>""></div>` and `<div title="a>"">` (missing end tag). This shouldn't affect start tag parsing.

English

441

Masato Kinugawa@kinugawamasato·3 Ağu

@SecurityMB true. This only seems to happen when parsing is triggered via JS APIs. doc=new DOMParser().parseFromString(`<span x="asdqwe>&">z</span>`,'text/html'); alert(doc.body.innerHTML)//<span x="" asdqwe="">&">z</span>

English

1.4K

Khám phá

@gridogram @canva @sephr @RenwaX23 @kinugawamasato @Google @google @elonmusk