Over the next few months, we'll be gradually publishing some of our internal security research.
Starting with a bug chain that turns Nginx-Rift + Nginx-PoolSlip into full RCE.
More to come.
#Nginx#1day#RCE
https://t.co/tqQMFAoX9P
โผ๏ธ๐จ BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Reflecting on our Pwn2Own preparation! We developed several exploit chains during the season, and LiteLLM was just one of the many targets we tackled.
Although we had it ready, we couldn't register the
entry as the event hit its submission limit due to the high volume of participants.
I'm excited to share this technical breakdown, co-authored with @bruce30262 ๐
Read the blog here: https://t.co/ZsX5JYXPPK
Late good bye to LINE Corp, it was a great experience working as Security Engineer. Thank you my boss @jz__ and my friend @03sunf , I appreciate all the things we did. Here are some recap https://t.co/4gU8daV7or