The Saint Petersburg International Economic Forum of 2026 (SPIEF 2026) in Russia has started with a very fiery keynote speech by the Ukrainian surprise guests.
I wanted to address the speculation about the recently introduced Device Bound Session Credentials (DBSC) security feature in Google Chrome.
Does it help increase the security of session cookies against infostealer malware and MFA phishing?
The feature has been available and enabled by default since the Chrome 146 update (April 2026), if you're running Windows with a hardware-backed TPM security module (macOS support is coming in future updates).
DBSC allows the browser to upgrade session cookies from long-lived to short-lived, requiring the browser to refresh them approximately every 10 minutes to maintain access to the user's account.
> Does DBSC prevent account takeover by threat actors using a stolen session cookie obtained from the user's browser via infostealer malware?
Yes (kind of). The extracted session cookie will be valid for up to 10 minutes from the time it is extracted. The attacker will be unable to maintain long-term access to the user's account. Still, the timeframe may be sufficient, for example, to exfiltrate the inbox if the attack is automated. The attacker cannot refresh the short-lived session cookie because it requires the private key (stored in the TPM) assigned to the account to sign the challenge. The malware cannot access the private keys stored in the TPM.
> Does DBSC prevent account takeover by threat actors during a phishing attack?
No. Servers need to provide legacy support for the browsers that do not yet support DBSC. By default, the server registers and sends a long-lived session cookie to the browser. If the server supports DBSC, it will announce the DBSC API endpoint URL in the `Secure-Session-Registration` HTTP header of the response packet that contains the long-lived session cookies.
Only after the short-lived session cookie is registered via the DBSC API endpoint is the long-lived session cookie invalidated.
When the attacker removes the `Secure-Session-Registration` HTTP header retrieved from the server during a phishing attack, the browser will continue using long-lived session cookies and assume the server does not support DBSC. In short, removing that HTTP header while proxying traffic during a phishing attack allows the attacker to maintain long-term access to the user's account using the stolen long-lived session cookie.
I hope I've managed to clear up some confusion.
On a related note, you will soon be able to simulate phishing attacks against Google Workspace accounts (and other websites) that bypass DBSC and MFA protections using Evilginx Pro with the Phishlets 2.0 update.
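The cookie lifecycle described in the post above, modelled as an added example (this is illustrative code written for this page, not Chrome's, Google's or Evilginx's implementation). A symmetric HMAC key stands in for the TPM-held asymmetric key, the `/dbsc/register` path and the 10-minute TTL are assumptions, and the `response_filter` hook models any in-transit change to the server's response. Running the two scenarios shows why a stolen short-lived cookie is only briefly useful, and why the legacy fallback (no `Secure-Session-Registration` header arriving at the browser) leaves the long-lived cookie in force:

```python
import hashlib
import hmac
import secrets

# Constructed model of the DBSC flow described in the post. Endpoint path, TTL and the
# HMAC stand-in for a TPM-held key are assumptions for illustration only.
SHORT_TTL = 10 * 60                      # ~10 minute lifetime of a short-lived cookie
REGISTRATION_HEADER = "Secure-Session-Registration"


class Server:
    """Site that supports DBSC but, for legacy browsers, still issues long-lived cookies."""

    def __init__(self):
        self.long_lived = set()            # long-lived cookies still accepted
        self.short_lived = {}              # short cookie -> (session_id, expiry)
        self.session_keys = {}             # session_id -> key registered at DBSC setup
        self.challenges = {}               # session_id -> outstanding challenge

    def login(self):
        """Always issues a long-lived cookie and advertises DBSC in a response header."""
        cookie = secrets.token_hex(16)
        self.long_lived.add(cookie)
        return cookie, {REGISTRATION_HEADER: "/dbsc/register"}   # path is assumed

    def register(self, long_cookie, key, now):
        """Binds the session to a key and retires the long-lived cookie."""
        if long_cookie not in self.long_lived:
            raise PermissionError("unknown long-lived cookie")
        self.long_lived.discard(long_cookie)
        session_id = secrets.token_hex(8)
        self.session_keys[session_id] = key
        return session_id, self._issue_short(session_id, now)

    def _issue_short(self, session_id, now):
        cookie = secrets.token_hex(16)
        self.short_lived[cookie] = (session_id, now + SHORT_TTL)
        return cookie

    def challenge(self, session_id):
        self.challenges[session_id] = secrets.token_hex(16)
        return self.challenges[session_id]

    def refresh(self, session_id, signature, now):
        """Issues a new short-lived cookie only for a valid signature over the challenge."""
        chal = self.challenges.pop(session_id, None)
        key = self.session_keys.get(session_id)
        if chal is None or key is None:
            raise PermissionError("no registered session or challenge")
        expected = hmac.new(key, chal.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        return self._issue_short(session_id, now)

    def authorize(self, cookie, now):
        """True if the cookie still grants access at time `now` (seconds)."""
        if cookie in self.long_lived:
            return True
        entry = self.short_lived.get(cookie)
        if entry is None or now >= entry[1]:
            self.short_lived.pop(cookie, None)
            return False
        return True


class Browser:
    """Client whose signing key never leaves the 'TPM' (a bytes object in this model)."""

    def __init__(self, server, tpm_key):
        self.server, self.tpm_key = server, tpm_key
        self.cookie = self.session_id = self.legacy_cookie = None

    def login(self, now, response_filter=None):
        cookie, headers = self.server.login()
        if response_filter is not None:          # anything that alters the response in transit
            headers = response_filter(headers)
        self.cookie = self.legacy_cookie = cookie
        if REGISTRATION_HEADER in headers:      # the DBSC upgrade only happens if the header arrives
            self.session_id, self.cookie = self.server.register(cookie, self.tpm_key, now)
        return self.cookie

    def refresh(self, now):
        chal = self.server.challenge(self.session_id)
        sig = hmac.new(self.tpm_key, chal.encode(), hashlib.sha256).hexdigest()
        self.cookie = self.server.refresh(self.session_id, sig, now)
        return self.cookie


def scenario_stolen_short_cookie():
    """A copied short-lived cookie expires and cannot be refreshed without the key."""
    server = Server()
    browser = Browser(server, tpm_key=secrets.token_bytes(32))
    stolen = browser.login(now=0)
    result = {
        "legacy_retired": not server.authorize(browser.legacy_cookie, now=1),
        "valid_soon": server.authorize(stolen, now=60),
        "valid_late": server.authorize(stolen, now=SHORT_TTL + 1),
    }
    server.challenge(browser.session_id)
    try:                                         # refresh attempt without the TPM key
        server.refresh(browser.session_id, "00" * 32, now=60)
        result["forged_refresh"] = True
    except PermissionError:
        result["forged_refresh"] = False
    new_cookie = browser.refresh(now=SHORT_TTL + 1)   # the real key holder can refresh
    result["owner_refresh"] = server.authorize(new_cookie, now=SHORT_TTL + 2)
    return result


def scenario_header_missing():
    """Legacy fallback: without the registration header the long-lived cookie stays valid."""
    server = Server()
    browser = Browser(server, tpm_key=secrets.token_bytes(32))

    def drop_header(headers):
        return {k: v for k, v in headers.items() if k != REGISTRATION_HEADER}

    cookie = browser.login(now=0, response_filter=drop_header)
    return server.authorize(cookie, now=30 * 24 * 3600)   # still valid a month later
```

The second scenario is the one a site owner should pay attention to: as long as the server keeps accepting the long-lived cookie for clients that never registered, the protection depends on the registration header surviving the round trip, which is exactly the gap the post describes for proxied phishing sessions.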
Somewhere a Meta product doc says the support agent has “account modification capabilities to better assist users.”
In other words it can hijack your Instagram and the only auth check is whether you typed a convincing sentence.
Can’t wait for their “cloud.”
If anything, those conversations from *the last couple of days* have shown that the bad experiences of vuln researchers with MSRC have existed *for years*.
So I'm not too confident things will change all of a sudden.
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.
To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.
We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them.
Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.
The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
@0xTriboulet @_xpn_ Don't believe all the Twitter drama. AC in households is way more common than all the engagement-farming accounts want you to believe/rage about. Sure, not as common as in the US, but it's changing rapidly.
There is a lot of discourse about Microsoft's poor handling of working with the security research community, but I think it's important to stress that they are not the only mega-corporation that has threatened security researchers with legal or personal threats.
Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point.
This Eclipse guy has really rocked the boat for Microsoft.
I don't know who needs to hear this, but your research is your IP, not the vendor's IP. You can do whatever you want with that IP: reporting it, publishing it, selling it to a third party, or putting it in a box under your bed 🙄