RE and bug hunting. Not affiliated with any franchise, brand, or organization. All opinions are mine.
Blog: https://altvi.st
GitHub: https://github.com/altvist
Mail: [email protected]

@Tutanota

  • Laptop/desktop + Linux + any de-googled Chromium-based browser
  • Pixel + GrapheneOS
  • Home server + Linux + NextCloud + Gitea + Jellyfin
  • Any cheap DeviceBridge compatible fitness tracker or just wear any cheap Casio (f91w is an all-time undead classic)
  • Email on Proton (consider it’s not e2ee)

@aflplusplus Hmmmm... my case is

  • I'm in their Cyber Verification Program
  • I'm doing 100% defense research (RE of a malware APK caught in the wild)
  • Sonnet works just fine. Opus 4.8 (after a couple minutes): "API Error: Opus 4.8 has safety measures that flagged this message for a cybersecurity topic." Weird.

    Do you use a pay-monthly subscription or a pay-per-token API? Somebody told me the pay-per-token API has fewer restrictions.

    @fds2610 you’re right, but my typical research is RE, without sources. In some cases (e.g. huge DFAs) AI saves a lot of time. Unfortunately #antrophic made Opus literally useless — too many restrictions, full ignorance of research context.
    Using #claude for #cybersec tasks is a total pain. Their restrictions are dumb, they trigger even if I do 100% defensive research, e.g. RE of a malicious APK.
    @aflplusplus was the documentation on github updated?

    They closed the report. So, the timeline is https://altvi.st/a-bug-in-apple-audiotoolbox-that-leads-to-heap-oob-read/#timeline for now.

    Well, I should write a separate post and share my experience with the #apple #security #bounty program.

    A bug in Apple Audio Toolbox that leads to heap OOB read | ALTV!ST

    A random fun fact: iMelody is a mono beep-beep-beep ringtone format introduced by Sony Ericsson in the early 00s. #apple CoreAudio on the newest macOS still contains an iMelody parser, and the parser is vulnerable (OOB read) 🤷‍♂️ I don't even know if I should report it to Apple.

    #apple #vulnerability #ringtone #sonyericsson

    RE: https://infosec.exchange/@altvist/116710041220058870

    It’s hard to believe, but #apple reopened the #vulnerability report again after that post (writeup + poc) in my blog. So the report is in review for the third time. What a circus 🤦‍♂️

    I'm going to share a (non-weaponized) PoC + writeup for a couple bugs in AudioToolboxCore soon. Chained together, they lead to a heap OOB read. Not patched at the moment.

    #vulnerability #apple