Let's talk about xPal, which purports to be an encrypted messaging app. https://xpal.com

Anyone that reads my blog probably already knows where this is going.

If this post accidentally reaches escape velocity and people that don't know me find it: Hi, I'm a furry cryptography nerd. Usually when I talk about so-called private apps, it's to disclose vulnerabilities in them.

(Today, I just don't have the damn energy to do a formal write-up.)

Let's start with how they market their app.

Interesting AI Act case in Europeaj Court of Justice may decide if just about any algorithms, including non-AI ones, are subject to the AI Act (regulation about Artificial Intelligence). It would be a fascinating expansion of the regulation applications. https://curia.europa.eu/juris/showPdf.jsf?text=&docid=298104&pageIndex=0&doclang=PL&mode=lst&dir=&occ=first&part=1&cid=12213338

Russia is quietly rewriting reality — but not through tanks or troops, but by feeding disinformation and propaganda into the tools people may increasingly trust to understand the world: AI chatbots. It's gaming of the system, feeding propaganda in ways that people might never know what’s happening. Efforts to influence chatbot results are growing, as former SEO marketers now use "generative engine optimization" (GEO) to boost visibility in AI-generated responses https://www.washingtonpost.com/technology/2025/04/17/llm-poisoning-grooming-chatbots-russia/

i'm very excited about this new work my team at @trailofbits is doing: we're building an ASN.1 API for PyCA Cryptography, giving users direct access to the same memory-safe, high-performance DER parser that Cryptography already uses for X.509:

https://blog.trailofbits.com/2025/04/18/sneak-peek-a-new-asn.1-api-for-python/

Project: mpengine-x64-pdb 1.1.24090.11
File: mpengine.dll
Address: 75a287bec

yy_destructor

SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a287bec.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fmpengine-x64-pdb%2F75a287bec.json&colors=light

A blog explaining V8 Parser Workflow with a case study by w1redch4d

https://w1redch4d.github.io/post/parser-workflow/

Exploiting the Nespresso smart cards for fun and profit coffee

https://pollevanhoof.be/nuggets/smart_cards/nespresso

"Here, take a Lua ruler! It starts with 1!" #mch2022

Very good thread from @inthehands, LLMs cement the patterns of today and actual engineering and long-term problem solving require slow careful iteration and improvement.

https://hachyderm.io/@inthehands/114373816449701933

A thought experiment: what would code look like today if we’d had the best AI of today, but only the programming languages of 1955? Would it even be •possible• to build an iPhone??

And what if the coming Vibe Coding Future is (as I believe) preposterously oversold? Then we have a generation of developers who’ve avoided doing the kind of wrestling with problems one has to do to find one’s way to engineering improvements.

9/

WHY2025 is calling for art. Neon. Space. Synthwave. Light. Interactive magic. Show us what you’ve got. 🌌
→ https://why2025.org/post/318
#WHY2025 #ArtCall #HackersMakeArt

Attackers can use MCP servers to hack your system before tools are invoked.

We call this attack vector "line jumping." This is a critical vulnerability in which tool descriptions become prompt injection vectors during the initial tools/list request. This technique bypasses invocation controls, breaking connection isolation and rendering security checkpoints ineffective.

Even "human approval" fails: AI-enabled IDEs permit automatic execution, and users rarely recognize disguised malicious commands.

Read the blog: https://blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/

There is quite a bit of buzz related to CVE-2025-24054 which covers attackers causing victims to leak NTLM hashes if they open certain files or view certain directories. In short, this forces victims running Windows to make a connection to an attacker controlled SMB share.

If you prevent SMB traffic from leaving your networks then you don't have to worry about this unless the attacker has already setup shop in your network. Like, patch anyway but, IMO, it would be a better use of your time to ensure that outbound SMB is blocked first. Don't forget to account for mobile devices that are off-network.

#Security #Windows