A bit late, but here's the talk I gave last year at CODE BLUE and HITCON, about the 20+ Trend Micro Apex One LPEs that @0x000050 and I disclosed.
https://t.co/HhjD3gdVc3
Enhanced Insecurity Mode: 23 RCEs in Edge's "Safe" WebAssembly Interpreter
Microsoft's "safer" fallback when the WASM JIT is off? 23 paths to RCE in the interpreter itself. Slides now public — huge thanks to the OffensiveCon crew and everyone who came by.
@offensive_con
Early this week, @brucedang and I had a meeting at Apple Park in Cupertino. While there, we also shared with Apple our latest vulnerability research report: the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE. It was laser printed, in honor of our hacker friends.
We wanted to report it in person, instead of getting buried in the submission flood that some unfortunate Pwn2Own participants just experienced. Most respected hackers avoid human interaction whenever possible, so this physical strategy may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter.
This is the story of the exploit and our field trip. Full technical details will be shared after Apple fixes the vulnerabilities and attack path. Hopefully it won’t take our beloved company too long. We only budgeted one year of domain registration fees for this attack.
This is our strongest research yet, led by @justdionysus, @blacktop__ and @brucedang. It is really dope.
Full story: https://t.co/A4w6cJOAFa
Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin
Amaze! Amaze! Amaze! @orange_8361 of DEVCORE Research Team was able to exploit Edge with a sandbox escape! If confirmed, he wins $175K. He's off to the disclosure room to explain how he did it. #Pwn2Own #P2OBerlin
I feel the traditional "responsible disclosure" concept has been broken since its inception. you can argue that forcing everyone's hand by dropping (weaponized) bugs/exploits is reckless/harmful behavior or blablabla but I feel you have to keep in mind everyone's stakes/motivation in the game are different.
one thing I guess we can agree on: people sit on bugs/exploits all the time. sometimes because ZDI promises a big bag of money at the end of the rainbow that magically evaporates and sometimes because they don't want to disclose these things and use them tactfully for their own advantage/goals.
I've always felt forcing this acceleration will (hopefully) get the software landscape in better shape, faster. albeit in a messy way. the noise it creates however could be a good signal for people to get an idea of the overall security posture of a piece of software, as well as get a good idea of how a vendor handles disclosures that don't follow their made up fairytale non-enforceable policies. (that typically don't come with any kind of silver lining)
back then, you could be damn sure that another horde of teenagers grep'd the same src tree for memcpy and was probably also sitting on an exploit. today the same applies, anyone can out-slop you producing the next linux LPE after brad tweets out a commit ID
remember: as a researcher you don't owe the vendor anything. you don't owe the public anything either. if you did this work for free it's yours to publish in whatever way suits your needs, agenda or overall quirkiness. :)
Static Devirtualization of Themida/CodeVirtualizer. The techniques in this article apply to pretty much every virtual machine obfuscator with minor modifications.
https://t.co/RMvPKcv3KB
Original Program & Devirtualized Output
https://t.co/R8hLk9ISRZ
💥 Introducing "Dirty Frag"
A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail.
No race, no panic on failure, fully deterministic. ~9 years latent.
Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more.
Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation.
Details:
https://t.co/9nqku4svkY
Our second blog post is out here: https://t.co/mUjTMFpVqN! We managed to install arbitrary APKs on the Samsung Galaxy S25 from an app without install permissions. For this, @SachaKozma did most of the work, but it was great looking into Samsung's cloud gaming component with him
TAPOcalypse Now: Exploiting TP-Link Smart Devices From Anywhere https://t.co/uL6MSjMAVF
Details exploitation via LAN, through the browser, and against the cloud account.
Some of the reported vulnerabilities are fixed, for others the vendor didn't provide a fix by embargo expiry.
Patch your Linux boxes!
https://t.co/VWOUDbLAn2 is a trivially exploitable logic bug in Linux, reachable on all major distros released in the last 9 years. A small, portable python script gets root on all platforms.
Found by the teams at @theori_io and @xint_official
More details below
https://t.co/9f6T96PvPX
🚨 BREAKING: Wiz Research discovered Remote Code Execution on https://t.co/SvN2lGsnbO with a single git push
The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
Ghost Bits is brilliant research: https://t.co/gA5vPZGWf0
Now you can reproduce CVE-2025-41242 in Vulhub, Spring/Jetty Path traversal caused by Ghost Bits: https://t.co/yWmAvEV3cW
This issue exists in spring-boot-starter-jetty <= 3.2.4 with zero configuration