I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥
The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇
https://t.co/SgsSyxoEMR
1/4
@NahamSec @neophyte2k @Google I'll make sure we send the rationale today. We should have done it inline with the decision, I don't have any excuse why we didn't. It commonly happens that the VRP reward is smaller than expected or 0, but of course we need to explain why this is the case.
We're sending a HUGE thank you to our incredible community of bughunters! 🙏 Your passion for finding vulnerabilities keeps our users safe 🔒 To show our appreciation, we awarded over $380,000 in bounties this week, including the largest reward ever given in Google VRP history!
Do you want to learn more about the various Vulnerability Reward Programs offered by Google? Or are you looking for inspiration? Check the video below in which @kkotowicz and @SecurityMB talk about Google VRPs!
https://t.co/RrVGOHM1TE
Pretty cool exploit chain with the redirects. The writeup is also excellent, and the "screenshots" being actually interactive? 🤯
Thanks a lot for the research, @rebane2001!
Love a good client-side exploit chain! This crazy cross-product chain targeting Google by @rebane2001 is a great example of the type of exploit that gets easier the longer you spend targeting a single company
https://t.co/mxhH2N7teW
If anyone is following the NEWAG vs Dragon Sector case, this article (in PL, but, well, 2024, google translate) is a really good read about the actual lawsuit and the first day of trial.
Second day of trial will be on Jan 15, so there's some time for sides to file more stuff.
🚨💰 Google VRP Reward Update 💰🚨 Good news, we are significantly increasing the reward amounts offered by the Google VRP! Look out for up to 5x higher payouts and a maximum reward of $151,515! Details here:
https://t.co/gYRql7IRST
It's finally happened! NEWAG IP Management just sued us for copyright infringement and unfair competition.
Here's a symbolic picture of the lawsuit as a whole: Newag quoting q3k's own code as supposedly their IP :)
More: https://t.co/8rS20yv06O
So NEWAG (context: https://t.co/PV0gaKc4nx) finally filed a lawsuit against members of @DragonSectorCTF / SPS. It took them a few months from when they said they'll do it, and apparently there were some snafus with addresses, but here we are.
1/n🧵
Ever wondered how to increase your bug bounties 💸 ? Our latest blog post introduces our domain tiers security concept and how it is applied at Google, and includes a list of Google's highest sensitivity domains.
https://t.co/6zy8qCYK42
See how Google's security engineering team handles rollouts at scale, so we can safely enforce Strict CSP, Trusted Types and other security features on 100s of new services yearly.
https://t.co/pMcX7UZRAg
A few deprecations shipped in Chrome 120.
Data URLs in SVG <use> are now blocked.
https://t.co/IuGEdL6C5A
CSP Embedded Enforcement's implicit opt-in for same-origin iframes is gone.
https://t.co/1kp0q62pmx