Alesandro Ortiz 🇵🇷🏳️‍🌈

@AlesandroOrtiz@infosec.exchange
718 Followers
416 Following
1.8K Posts

Software Engineer. Security Researcher. Puerto Rican 🇵🇷. New Yorker. Bilingual. LG(B)TQ 🏳️‍🌈. He/him.

Focused on browser research. Glad to collaborate.

Website: https://AlesandroOrtiz.com
(Header 📷: roriv3ra on IG)

Website: https://AlesandroOrtiz.com
Location: Queens, NY / Puerto Rico
Infrequent Newsletter: https://AlesandroOrtiz.com/subscribe
Twitter (unused): https://twitter.com/AlesandroOrtizR

Great research by @tuckner about Mellowtel, a company that sells bandwidth of extension users: https://secureannex.com/blog/mellow-drama/

It allows a surprising amount of functionality, including many which can be abused by bad actors. Mellowtel is also associated with other entities, such as Olostep and some self-developed extensions.

Mellow Drama: Turning Browsers Into Request Brokers

How the Mellowtel library transforms browser extensions into a distributed web scraping network, making nearly one million devices an unwitting bot army.

Secure Annex

I'm on the server floor of a "highly secure data center with 24/7/365 surveillance, direct access control and robust perimeter security".

An actual duck just walked by. 🦆

The panic is absolutely glorious. I think this just became one of the highlights of my life.

Cursor is now using Open VSX to install code editor extensions from. You must understand the implications of this!

There has been an attack campaign happening for more than a month with extensions that install ScreenConnect.

This week at Google bugSWAT/0x0g and DEF CON has been reinvigorating on so many levels.

Meeting so many incredible Latinx and queer people, meeting/reconnecting with some of the best hackers in the world, personally thanking many of them for inspiring me to do security research, and sharing our common struggles in infosec and personal lives has been incredibly healing. They're all so generous with their kindness and I feel so lucky to be in this community.

If I've talked to you this week for 5 mins or an hour, you're in this group and I'm so grateful to have crossed paths with you.

I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:
https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

This post includes fun things like:

  • a nice semi-arbitrary read primitive combined with an annoying write primitive
  • slowing down usercopy without FUSE or userfaultfd
  • CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid
  • a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox
  • sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)

From Chrome renderer code exec to kernel with MSG_OOB

Posted by Jann Horn, Google Project Zero Introduction In early June, I was reviewing a new Linux kernel feature when I learned about the...

I'm in Vegas for DEF CON and Google 0x0g this week. Hit me up if you want to chat about browser/web/extension security and privacy.

#defcon #defcon33 #browsersecurity #websecurity #infosec #bugbounty

Told y'all we were cooking.

Say hello to Conjured Ink ( https://conjured.ink ): an #IndieWeb-based, #decentralized ecosystem of shops networked together to resist the kind of nonsense Itch and Steam have been dealing with.

We're a collective designing and building the software needed for folks who aren't techies to basically self host without feeling like they're self-hosting. Because you shouldn't need to be a sysadmin to free yourself from this yoke.

Join us!

#ConjuredInk

do I know anyone who knows a bunch about Firebase auth?

I've got a target where I have full control over one of the domains in the "authorizedDomains" list reported by the identitytoolkit /v1/projects REST API.

the target supports a bunch of different authentication flows - Google, OIDC, password, some others.

what can I do with control over an "authorised domain"? the docs are frustratingly vague. I tried a bunch of stuff and nothing worked.

(no guess responses please)

#infosec #firebase

@xssfox Thought you'd enjoy this amazing remix: https://youtu.be/2-ic_LhWsrA
Crazy Frog Axel F but with MELBOURNE TRAM BELLS

YouTube

Verified: It is a really silly MOTW bypass accessible from browsers with certain preconditions. Any more details would probably give it away.

It's quite simple once preconditions are met and probably works down to Win 7 or thereabouts.

Chances are someone must have found this before. Now looking if it's documented online somewhere or if MSRC told someone else it's "not serviceable".