Positive Security

The company operating this system has threatened us with lawsuits and (now publicly) denies the risk

The Auto-GPT team has now also published GitHub security advisories and reserved CVE numbers: - https://t.co/5kzHn4kvNs - CVE-2023-37273, CVE-2023-37274, CVE-2023-37275

We leverage indirect prompt injection to trick Auto-GPT (GPT-4) into executing arbitrary code and discovered vulnerabilities that allow escaping its sandboxed execution environment. https://t.co/mDSdss3xyn

Fabian was interviewed (in German) by Deutschlandfunk about the new tracking protection standard by Google and Apple (featuring a "backdoor" near-owner bit) https://t.co/EMOc6BY3GM

We built a stealth AirTag clone that is not detected by Apple’s tracking protection. It works by only sending one beacon per generated public key. https://t.co/nELjvrHpSl

The popular Ruby library "Ransack" can be abused to exfiltrate sensitive data via character by character brute-force. We compromised multiple applications this way and found hundreds more that could be vulnerable. https://t.co/95mOmCnyCh

https://t.co/BHlECaqa5h leaks API keys, shared documents, password reset links, team invites, and other sensitive data. We identified one culprit to be other security tools that accidentally make their scans public and put their users at risk. https://t.co/dnFWzjbm1V

The exploit files and demo application are available here: https://t.co/yobiscEmIP

An unpatched vulnerability in the popular dompdf PHP library allows for remote code execution via a malicious font+PHP polyglot file. https://t.co/sWGpRNofDe

We present a simple yet effective technique to get a high-resolution image from a pixelated video in order to recover redacted information (with no guessing involved) https://t.co/EQKDHT6Ech