
ominous voids per byte


Michał Bentkowski (@SecurityMB) 🦻

Today we published two blog posts about an HTML specification change that makes mutation XSS harder to exploit! Long story short: `<` and `>` are now escaped in attributes.

* Blog post about security rationale behind this change: https://bughunters.google.com/blog/5038742869770240/escaping-and-in-attributes-how-it-helps-protect-against-mutation-xss
* Blog post about how it affects web developers: https://developer.chrome.com/blog/escape-attributes?hl=en


Big update: The Internet Archive has launched a new version of GifCities, the search engine for vintage GeoCities GIFs. It's now easier to explore the glitter, chaos, and charm of early web animation.

Search better. Share better. Blink more.

Learn more: https://blog.archive.org/2025/06/09/keep-on-gifin-a-new-version-of-gifcities-internet-archives-geocities-animated-gif-search-engine/


Lorenzo Franceschi-Bicchierai

NEW: Four months after releasing iOS 18.3.1, Apple has published details about a zero-day that it fixed at the time, but did not publicize.

This is the iPhone zero-day used against the two European journalists targeted with Paragon spyware, according to Citizen Lab.

It's unclear why Apple did not publish information about this zero-day until today.

https://techcrunch.com/2025/06/12/apple-fixes-new-iphone-zero-day-bug-used-in-paragon-spyware-hacks/


Meta launched a stand-alone AI app and now it is full of sensitive content from Facebook users who appear to be unaware that they have made their conversations public: https://www.businessinsider.com/mark-zuckerberg-meta-ai-chatbot-discover-feed-depressing-why-2025-6


Forget about whether 100 men would win against 1 gorilla... the real question is how would 100 CISSPs fare against a gorilla?

@TarkabarkaHolgy @SimonRoyHughes I bet this was a prank that got out of control and made it into literature

🆕 New blog post!

"Checking for Symantec Account Connectivity Credentials (ACCs) with PrivescCheck"

This blog post is not so much about PrivescCheck in the end, but rather brings additional insight to the original article published by MDSec on the subject.

👉 https://itm4n.github.io/checking-symantec-account-credentials-privesccheck/

@giocomai @LukaszOlejnik Also, the linked graphic speaks conditionally, and its source is unclear...
I wonder if there are tried and tested guides about _documenting_ deceptive technologies deployed in a system?

Trivially this would be something like "srv01:443 is a canary, don't decommission", but of course if the attacker sees this first, that's a problem.

/cc @haroonmeer

When we throw up our hands and say none of it matters, we're doing the fascists’ work for them. They don't need to hide their corruption if they can convince us it's pointless to look. They don't need to silence truth-tellers if we've already decided truth is meaningless.

https://www.citationneeded.news/it-matters-i-care/

@bradlarsen My rule of thumb is that LLMs are useful if results are cheap to verify. When it comes to development this mainly means one-off utils/prototypes/PoCs.
[RSS] Checking for Symantec Account Connectivity Credentials (ACCs) with PrivescCheck

https://itm4n.github.io/checking-symantec-account-credentials-privesccheck/
[RSS] Streaming Zero-Fi Shells to Your Smart Speaker

https://blog.ret2.io/2025/06/11/pwn2own-soho-2024-sonos-exploit/
[RSS] Why Was Nvidia Hosting Blogs About 'Brazilian Facesitting Fart Games'?

https://www.404media.co/spam-blogs-ai-slop-domains-wowlazy/

Instant reshare!

“Localhost tracking” explained. It could cost Meta 32 billion. https://www.zeropartydata.es/p/localhost-tracking-explained-it-could
