Olivia
Online
Luan Herrera
@lbherrera_
Brazil
Joined February 2013
438 Following
3.3K Followers
617 Posts
Pinned Tweet
I began looking into browser security issues again in 2026 and while reviewing extension permission APIs, I noticed that the default declarativeNetRequest API (which only requires permission to block content on all pages) can be leveraged into a side-channel attack.
This permission ends up allowing an extension to infer the full URL of open tabs without requesting the chrome.tabs permission, and it can also leak the full URL of cross-origin redirects.
Unfortunately, fixing this issue has been deemed unrealistic by Chrome, and the risk has been accepted, so it is worth keeping this in mind when granting content-blocking permissions to browser extensions.
The complete public report can be found at https://t.co/CI8miz1lL4.
document.body.innerHTML = "&#x;"; console.log(document.body.innerHTML.length);
document.write("&#x;");
console.log(document.body.innerHTML.length);
🤔
Here we go. my DEF CON CTF writeup, a little different from the others. Also, thanks to Pwn de Queijo for letting me play with you guys.
https://t.co/6oQBZSKqoy
"Dad, what was it like playing CTFs before AI?"
Who to follow
terjanq
@terjanq
security enthusiast that loves hunting for bugs in the wild. co-founder and player of @justCatTheFish.
infosec at @google. opinions are mine.
Frans Rosén
@fransrosen
Co-founder of @centrahq/@detectify/@poweredbyingrid. I do not advertise doing hacking services, do not trust the ones telling you I do.
mohammed eldeeb
@malcolmx0x
Bug Bounty Hunter & security engineer
@caioluders Nos vemos no quals do ano que vem 😁
Posting a mini XSS challenge! Goal is to pop an alert. I believe this trick is not well known. Intended solution is chrome only. Thanks to @kevin_mizu for beta testing! Don't post solutions in the thread; DM only!
https://t.co/v5LXrs5ORk
Introducing Hacktron Review: an AI security reviewer for your pull requests.
It understands your whole codebase, builds a threat model, takes your feedback, and catches exploitable vulnerabilities before they reach production.
Try for free: https://t.co/ZHfG7cvXRe
[422531206][reward: $5000] Intersection Observer v2 API fails to correctly determine target's visibility for dynamically changed z-indexes, enabling clickjacking against Google One Tap
https://t.co/FrLze7NNRz
I pointed claude opus at chrome and told it to build a full v8 exploit for discord.
A week of back-and-forth pulling it out of dead ends. 2.3B tokens. $2,283 in API costs, and it popped a shell.
https://t.co/vwj9d33Bvq
new tool
PEGA-PEGA
Multi-protocol request logger and catcher. Listens on 14 protocols, logs every incoming request, and displays them in a web dashboard and terminal UI.
https://t.co/KyXkcubKK4
i built an entire x86 CPU emulator in CSS (no javascript)
you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS
🚨 CVE-2026-1731 🚨
Our team discovered a critical pre-auth RCE affecting BeyondTrust Remote Support & Privileged Remote Access.
SaaS/Cloud instances have been patched. If you're running self-hosted deployments, apply the patches immediately. More info in the comments.
[447172715][reward: $30000] Security: Compromised renderer can control mouse after single tap (UXSS, sandbox escape, and more)
https://t.co/dMRQiUwZpv
@RenwaX23 I feel you! My record is 2660 days 😆
Back on the Chrome VRP! 😁
Datr cookie theft and AI leading to Facebook account takeover ($24,000)
https://t.co/n2MVZKxDBg
Two-click Facebook account takeover via FXAuth ($30,000) https://t.co/MtuvFzGRsS
Self-XSS in Facebook payments flow leads to account takeovers ($62,500)
https://t.co/D7qXu1Avim
$312,500 worth of stored/reflected XSS vulnerabilities in Meta’s Conversions API Gateway allowed Javascript code to run on any Facebook domain and millions of third-party websites. The flaw enabled zero-click Facebook account takeover and more:
https://t.co/7gWpR4LQ8x
Last Seen Users on Sotwe
kaos perisi
Seen from Turkey
Daniel Sugarman
Seen from United Kingdom
F@ntastic porno 👅
Seen from Turkey
فحل يمني
Seen from Saudi Arabia
Θέκλα Παπαρίδου Κατά Συρροήν Δολοφόνος Χαρακτήρων
Seen from Greece
ChocolateNight
Seen from Thailand
CKY
Seen from Indonesia
ขี้เงี่ยนชอบเย็ดสาวใหญ่แม่หม้าย
Seen from Thailand
cuckold
Seen from Turkey
gandchudai
Seen from Indonesia
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.8M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers