I edited my Cross-Site Request Forgery countermeasures research into a stand-alone article, including recommendations reusable by other projects.

tl;dr: no need for tokens or keys, modern browsers tell you if a request is cross-origin!

https://words.filippo.io/csrf?source=Mastodon

"Orion Browser for Linux Gets Exciting Progress Update" 👇

https://www.omgubuntu.co.uk/2025/08/orion-browser-linux-milestone-2-webkit-alternative-chromium

#Kagi #Orion #Browser #Linux

sev:HIGH LPE in linux-pam.

https://access.redhat.com/security/cve/CVE-2025-8941

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

[RSS] From Support Ticket to Zero Day (CVE-2025-8356, CVE-2025-8355 - Xerox FreeFlow Core)

https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/

WTAF????? https://www.bleepingcomputer.com/news/microsoft/microsoft-asks-users-to-ignore-certificate-enrollment-errors/

Here's the full writeup of CVE-2025-53773 - Visual Studio & Copilot – Wormable Command Execution via Prompt Injection: https://www.persistent-security.net/post/part-iii-vscode-copilot-wormable-command-execution-via-prompt-injection

Patch now!

I had a great time at the most excellent #why2025 camp! Here a write-up of my own #DNA talks (with links to video & annotated slides), some observations on the tremendously terrible state of security & regulation, and what we could do about it, plus some nice photos!
https://berthub.eu/articles/posts/dna-talks-and-why2025/

Frame 146,183 of 207,800

To prevent further frustration from forgotten tricks I brain dumped the less-than-obvious stuff that I can remember from #Ghidra development in my brand new Ghidra Dev Cheat Sheet:

https://scrapco.de/ghidra-cheat-sheet/

PR's and suggestions are most welcome!

TIL about Operation Midnight Climax

https://en.wikipedia.org/wiki/Operation_Midnight_Climax

This is a totally valid unit for any CI pipeline!

RE: https://chaos.social/@weirdunits/115020402704312177

[FD] PlayReady Activation protocol issues (weak auth / fake client identities)

https://seclists.org/fulldisclosure/2025/Aug/3

"PlayReady Activation service does not implement real authentication, but
some form of obfuscated identification scheme [...] Arbitrary PlayReady identity can be requested by the client through public API" and more...

this is uh.
something.

perplexity is offering twice its valuation to buy chrome off google?

strong "run the fuck away" vibes
https://arstechnica.com/gadgets/2025/08/perplexity-offers-more-than-twice-its-total-valuation-to-buy-chrome-from-google/

Proud moment. The 40th anniversary @phrack release was a full success. We gave away 12,000 full color 150pg printed zines for free across three different conferences and did the final main stage talk before closing. l covered the history of phrack and did some panel questions.

FortMajeure: Authentication Bypass in FortiWeb (CVE-2025-52970) https://pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970

has anyone ever made a man page viewer which shows you a table of contents for the man page so you can easily navigate through the sections?

(please do not tell me about `info`)

CVE ID: CVE-2025-8088
Vendor: RARLAB
Product: WinRAR
Date Added: 2025-08-12
Notes: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5 ; https://nvd.nist.gov/vuln/detail/CVE-2025-8088
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-8088

We've managed to make it through hacker summer camp, and #Microsoft and #Adobe survived enough to deliver their latest security patches. Join @TheDustinChilds as he breaks down another large Patch Tuesday release. https://www.zerodayinitiative.com/blog/2025/8/12/the-august-2025-security-update-review