just had an interesting realization: one of the reasons people struggle to understand template injection in GHA is probably because lines like this:

```
echo "hello: ${{ expr }}"
```

...get lexed mentally as "variable expansion, followed by Jinja template."

in other words, people think the `$` comes from the shell and the `{{ }}` is the template syntax, and therefore the entire thing is quoted correctly.

in reality of course the entire `${{ .. }}` is template syntax, and has nothing to do with shell quoting/expansion rules. but `$` is mentally overloaded!

i wonder how much easier this would be to teach people if GitHub had chosen `@{{ ... }}` or even just `{{ }}` as their template syntax instead.

#security #opensource

🎉Announcing the latest research from our intern Michael Pastor! In it, you'll learn all about Decompression Attacks, get to practice in custom-built labs and get some free Semgrep rules for detecting flaws. Check it out today!

https://blog.doyensec.com/2024/12/16/unsafe-unpacking.html

#appsec #doyensec #semgrep

I have posted the slides for the talk @chompie1337 and I gave this past weekend at @h2hconference -> The Kernel Hacker’s Guide to the Galaxy: Automating Exploit Engineering Workflows #H2HC

https://github.com/FuzzySecurity/H2HC-2024/blob/main/H2HC2024_The_Kernel_Hackers_Guide_to_the_Galaxy.pdf

Google is trying to jam "AI" into all of their products but an interesting element of the way they integrated it into Android Messages is "Gemini" shows up as a conversation, which means it is actually possible to block and report it to Google as spam

The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED BUT REPULSIVE", "WRONG BUT WROMANTIC", "FREQUENTLY MISUNDERSTOOD", "NOBODY BOTHERS WITH THIS BIT", "SHOULDN'T REALLY BUT WE WON'T JUDGE", "REQUIRED IN ORDER TO WORK AROUND EVERYONE ELSE'S BUGS", "YOU DO YOU", and "OBVIOUSLY ABSURD BUT VERY COMMON FOR SOME REASON" in this document are to be interpreted as described in RFC 2119.

NEW: Amnesty International has documented two cases where Serbian authorities used Cellebrite to unlock the phones of a journalist and an activist.

And then they installed spyware on the devices.

In a way, this is a return to the old days of government spyware, where remote attacks were rare and impractical, and cops needed to get their hands on target's computers.

https://techcrunch.com/2024/12/15/serbian-police-used-cellebrite-to-unlock-then-plant-spyware-on-a-journalists-phone/

Platform.sh team finds auth bypass in Go SSH package https://platform.sh/blog/uncovered-and-patched-golang-vunerability/

as a sysadmin this so much. It’s one thing to say “oopsie something went wrong” and provide a button for the professionals to see where it went wrong and it’s another to just not provide any diagnostic information so I get to debug a black box.

#shitpost

Just returned from #BHEU. I presented my research on how server-side HTML sanitization is a security nightmare due to the mess that is HTML parsing.

If you are interested in learning more on that topic, please check out the following resources:
Github: https://github.com/ias-tubs/HTML_parsing_differentials
Our S&P '24 Paper: https://www.ias.cs.tu-bs.de/publications/parsing_differentials.pdf
Slides will be available shortly.

Or get in touch :)

Huge thanks to @BlackHatEvents, @InfosecVandana, and all the other great folks who made this such an amazing experience.

🍿🍿🍿
https://youtu.be/6hVe_spuJQI

Good and interesting presentation by Joe Bialek:

Pointer Problems – Why We’re Refactoring the Windows Kernel:

https://t.co/Qwz0zk3CLH

#microsoft #windows #kernelsecurity #programming

Important news: Microsoft is working to bring SMAP into Windows

https://bird.makeup/@ale_sp_brazil/1868496728275452261

#ai #infosec #InfosecMemes

It's one thing that educated people think that using parrots on acid to generate headlines is a good idea. What's terrifying is that people try to spare the work of writing 3 short sentences.

https://www.bbc.com/news/articles/cd0elzk24dno

Why every app icon has to be blue?

Can you find an ITW 0-day from crash logs? Project Zero finds out

https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html

Yearlong supply-chain attack targeting security pros steals 390K credentials https://arstechnica.com/security/2024/12/yearlong-supply-chain-attack-targeting-security-pros-steals-390k-credentials/

Looking at legacy NeXT source:

https://github.com/johnsonjh/NeXTSrc/blob/ff846608a76ab2fbbb86e8a14c52ac85332f9786/libc-34.1/libc/gen/execvp.c#L34

Quoting from the OS X man page for execvp():

"Historically, the default path for the execlp() and execvp() functions was ``:/bin:/usr/bin''. This was changed to place the current directory last to enhance system security."

#noshitsherlock, #codereview, #appsec, #sdlc

- There are lots of things worse than movies: politicians, wars, forest fires, famine, plague, sickness, pain, warts, politicians...
- You already mentioned them.
- I know I did. They are twice as bad as anything else.

https://m.imdb.com/title/tt0107362/?ref_=ttqu_ov

JOURNALISM 101 RULE: If someone says it’s raining, and another person says it’s dry, it’s not your job to quote them both. Your job is to look out of the fucking window and find out which is true. — Now more than ever.