Discussions about information security and privacy

Main

infosec

"And you know they don't give a shit because none of those leaks were caused by some nation-state-sponsored l33t h4x0r deploying the latest and greatest exploits. This was some rando with a Python script."

"And you know they don't give a shit because none of those leaks were caused by some nation-state-sponsored l33t h4x0r deploying the latest and greatest exploits. This was some rando with a Python script."

https://crankysec.com/blog/savvy/

Feels so good to interact with the infosec community as a whole, I cant imagine why we have bad reputation as not being welcoming!

https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/ pretty interesting using cross device sign in ( https://www.passkeycentral.org/design-guidelines/optional-patterns/cross-device-sign-in ) to bypass fido2 hurdle, effectively turning the hardware token into QR code and asking the user to scan it

CoverDrop: a secure, anonymous, and usable method of establishing initial contact between journalists and sources embedded in a set of extensions to a typical news app.

CoverDrop: a secure, anonymous, and usable method of establishing initial contact between journalists and sources embedded in a set of extensions to a typical news app. https://www.coverdrop.org

Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story:

makes one wonder about every derailment
https://x.com/midwestneil/status/1943708133421101446?t=zQIxZ3HSqJ0bre7WcqSDOQ&s=19

Just spent a tortuous hour sorting out Microsoft Authenticator / OneDrive security. An absolute nightmare! This is not how security is supposed to work. 😠

"BitChat illustrates a common pattern: it's fun to break ground and rewrite a path as if it's new, but cryptography and trust is treacherously easy to get confused about and notoriously difficult to write cleanly and securely due to fundamental security oversights and implementation issues."

"BitChat illustrates a common pattern: it's fun to break ground and rewrite a path as if it's new, but cryptography and trust is treacherously easy to get confused about and notoriously difficult to write cleanly and securely due to fundamental security oversights and implementation issues."
https://www.supernetworks.org/pages/blog/agentic-insecurity-vibes-on-bitchat

A critical in git released yesterday that can be triggered by git clone of untrusted repo. That's the dream vector to pwn auditors and steal their bounties / audit money. Patch your systems before quoting any new clients! And expect visitors in your inbox in coming weeks... https://t.co/Kp8DaJQXCm

Time to update your git installs https://x.com/trust__90/status/1942987496335224881

any discussion of "singularity" or runaway self-improvement is not theoretical.

we have exploit response time, and it is self-evidently lagging.

.@circle USDC freeze response time is an absolute joke

GMX exploiter address at some point held $30M in USDC and keeps swapping tokens for USDC with no blacklisting in sight

address holds $4.3m USDC right now

its been more than 1h since the exploit took place https://t.co/3iGmCyI2Kf

any discussion of "singularity" or runaway self-improvement is not theoretical.

we have exploit response time, and it is self-evidently lagging.

https://x.com/0x_ultra/status/1942949449572983222

aw, big brother facetime is gonna be looking for my ass 🍑😑

aw, big brother facetime is gonna be looking for my ass 🍑😑
https://9to5mac.com/2025/07/02/facetime-in-ios-26-will-freeze-your-call-if-someone-starts-undressing/

. @zachxbt : A suspicious address received 193 small withdrawals in a 1.5 hour period from @coinbase for 1.67M USDC total on June 23, 2025 and swapped all funds for ETH and deposited it to Tornado Cash.

0xf43622c9b9cdbb515eced56ac6a5ad60eaa6be6f https://t.co/67CRH5Oi5Y

https://x.com/officer_cia/status/1938975393865990428

uh oh
https://x.com/officer_cia/status/1936192250385723537
stay safe
h/t @officercia

Initially spotted by @Auri_0x !

https://t.co/XYAPVvsY8B requesting this json file from ''https://t.co/OjYbR0nvdD'' regged recently on namesilo, ''https://t.co/mhlEjX5M4e''

loads 'https://t.co/AzNa3gYIJe' which has the drainer popup

https://t.co/9IwK70ov5R https://t.co/spVPjasY0p

For those worried about the "16 billion password leak"

No.

Someone took a bunch of existing leaks, threw it all together, and slapped a NEW stick on it.

For those worried about the "16 billion password leak"

https://x.com/vxunderground/status/1935759256244174928?t=F3VyXqrDSArRP-dDSXkUpw&s=19

ETHSecurity Community

16 billion passwords from your Apple, Google, Instagram, Facebook, GitHub, and Telegram accounts have hit the web, Forbes writes…

The giant data sets contain billions of logins and passwords from social networks, VPN services, developer portals, and accounts of large companies. It is noteworthy that almost all of this data has not previously appeared in known leaks - except for the database with 184 million passwords.

Time to change your password!

https://www.forbes.com/sites/daveywinder/2025/06/19/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/

personally, I'm picturing a mushroom cloud and waiting for the ash to settle.

nobody knows the extent to which this can be deduced into nth-order compromise.

RISC Zero Security Disclosure

A missing constraint was recently discovered in the rv32im circuit. This issue affects any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2.

This vulnerability was reported by Christoph Hochrainer via

will RISC-V ever be secure as a zkVM?
https://x.com/RiscZero/status/1935404812146725042?t=qRlZWaTmgWF8KxyCfj2fcA&s=19