anthony weems

192 Followers
47 Following
10 Posts
cloud vuln research @ google
website: https://lf.lc
github: https://github.com/amlweems
twitter: https://twitter.com/amlweems

Learn how Google CVR could have potentially exfiltrated Gemini 1.0 Pro before launch last year. We describe the vulnz, the fix, tips for bughunters, and how we found similar issues in another cloud provider with similar impact.

https://bughunters.google.com/blog/5679863572070400/protecting-large-language-models

Blog: Protecting Large Language Models

This blog post describes Google's approach to vulnerability research on our Cloud AI Platform, Vertex AI. We're sharing this so that external researchers can learn from our work and to help them discover new vulnerabilities.

We've just launched a new topic on bypassing SameSite cookie restrictions! Learn how to evade browsers' cookie defences and perform successful cross-site attacks with our interactive labs:
https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions
Bypassing SameSite cookie restrictions | Web Security Academy

SameSite is a browser security mechanism that determines when a website's cookies are included in requests originating from other websites. SameSite cookie ...

New: Google says Variston IT, a Barcelona-based spyware vendor, is behind an exploitation framework that exploited zero-day flaws in Chrome, Firefox and Windows Defender as far back as 2018.

My colleague @carlypage has more: https://techcrunch.com/2022/11/30/variston-spyware-chrome-firefox-windows/


As a side note, we discovered a Vaudenay-style padding oracle against Google Hosted S/MIME. Concretely, Google’s SMTP server issued different error codes depending on whether it successfully decrypted an S/MIME mail or not. On average, this attack requires 128 query mails per byte to recover the plaintext of an S/MIME mail. See Appendix A in the paper for the details.
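The post above describes the oracle in one sentence: the receiver answers with a different error code depending on whether decryption (and thus padding) succeeded. The following is an added example, not Google's S/MIME code and not from the cited paper, showing the leaky receiver beside a hardened one that verifies a MAC before decrypting and collapses every failure into one reply, plus the self-check a defender can run to tell the two apart. The keys, the sample message, the SMTP-style reply strings and the toy Feistel block cipher (standing in for AES so the file runs with only the standard library) are all constructed here and are assumptions of the example.

```python
"""Added example: distinguishable decryption errors as a padding oracle,
and a MAC-first, uniform-failure receiver that removes it. Everything
below (keys, message, reply codes, toy cipher) is constructed."""
import hashlib
import hmac

BLOCK = 16
# Constructed keys, derived deterministically so the demo is repeatable.
ENC_KEY = hashlib.sha256(b"constructed enc key").digest()
MAC_KEY = hashlib.sha256(b"constructed mac key").digest()
IV = bytes(range(16))
MESSAGE = b"S/MIME demo body: not a real mail"  # constructed plaintext

OK = "250 2.0.0 accepted"
ERR_PADDING = "554 5.7.1 decryption failed: bad padding"  # leaky: padding failed
ERR_CONTENT = "554 5.7.1 message rejected: bad content"   # leaky: padding was fine
ERR_GENERIC = "554 5.7.1 message rejected"                # hardened: one answer


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel permutation on a 16-byte block (stand-in for AES)."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


def seal(plaintext: bytes):
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    ct = cbc_encrypt(ENC_KEY, IV, pkcs7_pad(plaintext))
    return ct, hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()


def leaky_receive(ct: bytes, tag: bytes) -> str:
    """Decrypts first and names the failing step: padding and MAC failures
    get different reply codes, which is the oracle the post describes."""
    try:
        pkcs7_unpad(cbc_decrypt(ENC_KEY, IV, ct))
    except ValueError:
        return ERR_PADDING
    if not hmac.compare_digest(hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest(), tag):
        return ERR_CONTENT
    return OK


def hardened_receive(ct: bytes, tag: bytes) -> str:
    """Checks the tag before touching the ciphertext and returns the same
    reply for every failure, so the sender learns nothing about padding."""
    if not hmac.compare_digest(hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest(), tag):
        return ERR_GENERIC
    try:
        pkcs7_unpad(cbc_decrypt(ENC_KEY, IV, ct))
    except ValueError:
        return ERR_GENERIC  # unreachable for authentic input; still never reveal padding state
    return OK


def failure_classes(receive) -> set:
    """Defender's self-check: perturb one ciphertext byte in every way and
    collect the distinct replies. More than one failure class is an oracle."""
    ct, tag = seal(MESSAGE)
    pos = len(ct) - BLOCK - 1  # last byte of the block before the final block
    replies = set()
    for v in range(256):
        if v == ct[pos]:
            continue  # skip the untampered value
        replies.add(receive(ct[:pos] + bytes([v]) + ct[pos + 1:], tag))
    return replies


def has_padding_oracle(receive) -> bool:
    return len(failure_classes(receive)) > 1


if __name__ == "__main__":
    print("leaky   :", sorted(failure_classes(leaky_receive)))
    print("hardened:", sorted(failure_classes(hardened_receive)))
```

Run as a script, the leaky receiver yields two failure classes (most perturbations break the padding, but the one that turns the last byte into 0x01 makes padding valid and moves the failure to the content check), while the hardened receiver yields exactly one. The same perturb-and-compare check applies to any decryption endpoint; timing differences between the two paths are a second channel that this reply-code check does not cover.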
@gaz My main impression: the DOM Invader prototype pollution feature is almost too good. I click a button, I get an exploit. 😛

Two fun #Kubernetes CVEs were published today!

CVE-2022-3294 [1] is a bypass for the node proxy restrictions (related to the TOCTOU found in CVE-2020-8562 [2]).

CVE-2022-3162 [3] is a very cool authorization bug that was caused by URI path traversal in the etcd client.

[1] https://github.com/kubernetes/kubernetes/issues/113757
[2] https://github.com/kubernetes/kubernetes/issues/101493
[3] https://github.com/kubernetes/kubernetes/issues/113756

CVE-2022-3294: Node address isn't always verified when proxying · Issue #113757 · kubernetes/kubernetes

CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clus...


We've just launched a Web Security Academy topic on Client-side prototype pollution, with challenge labs designed by @gaz - enjoy!

https://portswigger.net/web-security/prototype-pollution

What is prototype pollution? | Web Security Academy

Prototype pollution is a JavaScript vulnerability that enables an attacker to add arbitrary properties to global object prototypes, which may then be ...

Accidental $70k Google Pixel Lock Screen Bypass - love a good accidental vulnerability! https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/
Accidental $70k Google Pixel Lock Screen Bypass

David Schütz's bug bounty writeups