Finally, my research is published. It has everything you might wish for in browser security: universal XSS, mutation XSS, CSS data exfiltration, and others. Check this out! In a few days, we'll also release a 30-minute presentation about this topic.
We are publishing the research on Copy&Paste issues in browsers by @SecurityMB. Over $30k in bounties for bugs in Chromium, Firefox, Safari, Google Docs, Gmail, TinyMCE, CKEditor, and others. Also includes a 0-day in Froala.
https://t.co/O8i8DuO2qv
Anyone I know interested in joining the Google Security Team in Zurich? Let me know, I can give a referral :D
Here's the job posting: https://t.co/yH2iUotLGV
@sudhanshur705 @kevin_mizu Cool research and nice write up! Also thanks for the shout outs!
Side note: I’m actually planning to propose yet another spec change this year to try to kill even more mXSS-es so enjoy them while you can 😅
2️⃣ XSS in GMail's AMP4Email via DOM Clobbering
Michał Bentkowski (@SecurityMB) exploited DOM clobbering to achieve XSS in Gmail's AMP4Email feature. He found that AMP4Email allowed id attributes, which could be leveraged to overwrite JavaScript variables and bypass Google's strict security filters.
https://t.co/7cqKL9oFjm
Cross-Site ETag Length Leak
https://t.co/RYofmHVh6T
I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)
We launched a redesigned Project Zero website today at https://t.co/Prd8nehY7q !
To mark the occasion, we released some older posts that never quite made it out of drafts.
Enjoy!
Interested in the security of AI Agents 💁🛡️?
Then you've likely heard of "prompt injection", but do you know what "task injection" is? If you're curious, check out our latest post for a description and some real-world examples we discovered.
https://t.co/pWdDGX6M0W https://t.co/P8ndgCXtH1
my new blogpost is out!!
this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration
and i've already used it to get a google docs bounty ^^
have fun <3
https://t.co/PBct6aB24W
We published a blogpost about SafeContentFrame - a library for rendering untrusted content inside an iframe. The library is a big part of what I've been up to in the last few years! Check out the blog and take a slice of my birthday cake 🎂!
https://t.co/9gGEqUuwIX
Rendering untrusted web content is fraught with security risks 🕸️ 🛡️.
Read how SafeContentFrame, a new TypeScript library, offers a robust solution for isolating web content and protecting against threats like XSS and side-channel attacks.
https://t.co/rthQelTW84
@RenwaX23 @kinugawamasato @Google In this case I fixed the bug myself, which anyone can do for Chromium 😀 there’s even a Patch bonus https://t.co/14l7COsRwi
@matmul Not sure if it's widely used in the industry but Google's "Go style decisions" explicitly require such comments to start with the function name. https://t.co/YxHDKFZ91q