Microsoft is handing over Bitlocker keys to law enforcement. https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

🚩✊ Friday is Dependency Deletion Day! Today on the chopping block: whatever library you use to encode and decode Base64. Nowadays Uint8Array has built-in toBase64() and fromBase64() methods that support all the flavors you can think of: with or without padding, with or without URL safety… no more need for that crusty old dependency! Free your node_modules, use native Base64 APIs!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array/toBase64

[RSS] Firefox / WebRTC Encoded Transforms: UAF via undetached ArrayBuffer / CVE-2025-1432

https://aisle.com/blog/firefox-webrtc-encoded-transforms-uaf-via-undetached-arraybuffer-cve-2025-14321

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/

@singe Right? I'm also glad we have oss-sec where these discussions can actually happen! I always recover some of my hope for humanity when Solar Designer enters even the most ridiculous thread in the most polite and level-headed way.

[RSS] Dead Ends, Red Herrings, and Failures In Our Time

https://www.hoyahaxa.com/2026/01/dead-ends-red-herrings-and-failures-in.html

(ColdFusion research #fail)

[RSS] Pwn2Own Automotive 2026 - Day Three Results and the Master of Pwn

https://www.thezdi.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn

90% of the time you don’t need a DevOps guy.

You need a C++ guy, a SQL guy, and one fat server with a lot of ram.

StackOverflow used to run on *one* SQL Server with a hot spare.

Peaked Alexa Rank #36, 10+ Million visits a day.

@mousey @jpm @Viss

@adamshostack This is the same "smell" I mention: it's likely not just Telnet, meaning that sniffing (which can absolutely happen, just not as often as e.g. admin:admin) is probably pretty low on the priority list. I've also seen higher prio bugs like this finally pushing teams to get rid of the nasty stuff altogether, but that's not always possible (vendor lock-in on critical systems yaay).

@adamshostack I've been hunting for unencrypted services (among other things) on LANs for 15+ years and Telnet is still there. Yet the only real-world incident involving network interception I can recall post-2010 is "SSL added and removed here" of Snowden fame (happy to hear about more!), while auth bypasses/RCEs are common culprits in breaches.

Telnet has an awful smell for sure, but when you sit on a smelly network, it's reasonable to ask: "would attackers actually exploit this?" A bypass like this changes the answer.

[LWN] Responses to gpg.fail

https://lwn.net/SubscriberLink/1054220/c6f98b90a009fca2/

Rust 1.93.0 now provides much more helpful error messages when associated types miss lifetimes:

Thanks again to @ekuber for picking up my original report:

https://github.com/mainmatter/100-exercises-to-learn-rust/issues/245

[RSS] Ticket to Shell: Exploiting PHP Filters and CNEXT in osTicket (CVE-2026-22200)

https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/

@codewhitesec @mwulftange Thanks for the clarification, nice work!

@buherator Our @mwulftange found the two vulns (auth bypass and rce) weeks ago and we informed the vendor. Build 9511 on 2026-01-15 patched those vulns. We updated our vuln list today after all our clients had patched their systems. Anything else happened independently.

Rust 1.93.0 has been released! 🌈 🦀✨

This release includes a new musl version for the *-linux-musl targets, adds support for #​[cfg] inside asm!(), and adds [T]::as_array, VecDeque::{pop_front_if, pop_back_if}, Vec/String::into_raw_parts, fmt::form_fn, and more! ✨

Check out the blog post and release notes for all the details: https://blog.rust-lang.org/2026/01/22/Rust-1.93.0/

JWT {"alg": "let-me-innnnn"} vuln

https://pentesterlab.com/blog/cve-2026-23993-harbourjwt-unknown-alg-jwt-bypass

TEE security breaks down in predictable ways. In our December webinar, we showed exactly where.
Jules Drean from Tinfoil walked through their threat model, covering repositories, hardware configurations, and CVM images. Our security engineers, Paul Bottinelli and Tjaden Hess, dug into vulnerabilities they've found in production TEE deployments.

Watch the full recording: https://watch.getcontrast.io/register/trail-of-bits-top-tee-bugs-you-should-fix-before-your-audit?utm_source=socials

The latest entries on @codewhitesec 's vuln list seems to be a collision with @watchTowr 's SmarterMail publication:

https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail

I'm curious about the story here!