Cure53 πŸ‡ͺπŸ‡Ί

@[email protected]
635 Followers
59 Following
152 Posts
And there is fire where we walk.
Websitehttps://cure53.de/
Githubhttps://github.com/cure53/
Keybasehttps://keybase.io/cure53/
Pronounsthey/them
Cure53 πŸ‡ͺπŸ‡Ί14h ago

In anticipation of possibly upcoming waves of OSS bugs as well maybe increasing amounts of real attacks, we have been busy hardening DOMPurify.

Look at those shiny badges and improvements, LOOK OMG 😱

https://github.com/cure53/dompurify?tab=readme-ov-file#dompurify

Work in progress of course, but lots got done this week πŸ’ͺ🏻

GitHub - cure53/DOMPurify: DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: - cure53/DOMPurify

GitHub
Cure53 πŸ‡ͺπŸ‡Ί15h ago
Frederik Braun οΏ½15h ago

RE: https://infosec.exchange/@attackanddefense/116418875523198922

Q1 2026 was a very strong quarter for Firefox Security & Privacy.

some highlights:
- We expanded AI-assisted vulnerability discovery through our collaboration with Anthropic, helping identify and fix a high number of real security issues.
- We shipped the Sanitizer API in Firefox 148, making Firefox the first browser to support this stronger defense against XSS.

More in the newsletter linked below :)

Cure53 πŸ‡ͺπŸ‡Ί3d ago

Version 3.4.0 of DOMPurify was released today, addressing a large number of issues reported by LLMs and real people alike.

Thanks to all who contributed.

https://github.com/cure53/DOMPurify/releases/tag/3.4.0

We hope everything went smoothly and that no one was overlooked in the release notes.

Release DOMPurify 3.4.0 Β· cure53/DOMPurify

Most relevant changes: Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @kodareef5 Fixed several minor problems and typos regarding MathML attributes, thanks @DavidOliver Fixed A...

GitHub
Cure53 πŸ‡ͺπŸ‡Ί4d ago
joernchen 4d ago

LLMs now do the busywork of finding amazing vulnerabilities for everyone willing to spend the tokens.

But hacking still isn't dead:

  • We haven't at all solved the underlying problems which come with writing and shipping code.

  • You still need to understand what you're looking at and what you are operating.

  • The LLM platforms themselves are a exquisite target for hacking^Wcreative use of the technology.

    • Now when everyone can pull a CVE or two out of thin silicon and a few kWh of electricity the art of hacking might need adopt and maybe reshape a little but at its core the mind- and skillset will stay as relevant as it always was.

    In that sense: keep hacking, keep exploring, break some stuff.

    Cure53 πŸ‡ͺπŸ‡Ί5d ago
    Show threadChristoph5d ago

    @cure53 on the other hand, it does not seem to be Grok specific. Other models available also make the same claim that there is no verified evidence:

    GLM-5:

    https://kagi.com/assistant/c73a318d-8dde-4be1-84c0-1cfc4fbb83da

    Kimi 2.5 (although it states its cutoff date is early 2025, so that would make sense):

    https://kagi.com/assistant/8c914c4b-c78d-40d9-90cd-0860a42817a8

    Deep seek v3:

    https://kagi.com/assistant/9201074a-79b2-45e4-b5ee-529a990b7188

    So I don’t think that we can conclude that Grok was altered specifically.

    Elon Musk's Messages About Trump and Epstein Island - Kagi Assistant

    Better search results with no ads. Welcome to Kagi (pronounced kah-gee), a paid search engine that gives power back to the user.

    Cure53 πŸ‡ͺπŸ‡Ί5d ago
    Show threadChristoph5d ago

    @cure53

    I just used Grok 4.1 Fast via Kagi assistant to quickly check this:

    https://kagi.com/assistant/ab160f6d-a886-45ac-b104-ebbb43ec9f6e

    So it indeed says that the inflammatory messages are false rumors that have been debunked. It even claims that Donald Trump and Elon Musk are friendly, making this unlikely.

    But the messages have been reported by multiple news outlets, e.g.:

    https://abcnews.com/Politics/musk-appears-delete-posts-claiming-trump-epstein-files/story?id=122609304

    https://www.buzzfeed.com/alexalisitza/elon-musk-donald-trump-epstein-tweet

    Elon Musk's Messages About Trump and Epstein Island - Kagi Assistant

    Better search results with no ads. Welcome to Kagi (pronounced kah-gee), a paid search engine that gives power back to the user.

    Show threadCure53 πŸ‡ͺπŸ‡Ί5d ago
    And, asking from a broader perspective outside this specific scope, are there any other proven cases about LLM fine-tuning being used to alter rhe past and present and faux historical timelines?
    Cure53 πŸ‡ͺπŸ‡Ί5d ago

    Wondering if anyone has reliable info on the following and would like to share it.

    Grok, the LLM used by X, now seems to claim that E. Musk never sent any inflammatory messages on June 5 2025 about Trump's involvement on Epstein's Island. Which he probably did.

    We cannot fact-check this as we have, obviously, no X Premium account. But, if true, this should be a pretty huge issue, no?

    Cure53 πŸ‡ͺπŸ‡ΊApr 10

    Let's address the elephant in the room, shall we?

    Not a single bug was found by Mythos in Internet Explorer 11. Not a single one.

    To hell with Open Source, let's go proprietary closed source again and build a moat around our much valued IT assets and lock it all up.

    Who's laughing now, Anthropic?

    Cure53 πŸ‡ͺπŸ‡ΊApr 7
    Mark DominusApr 6
    In 1996, tired of squabbling between EU countries about whose favorite person or building should be on the EU banknotes, the currency commission held a competition for a new design: β€œThe ground rules for the design strictly prohibited displaying any recognizable national monuments or heroes that risked giving greater prominence to one country over another.” The winning design was a series of bridges that were stylistically typical of different kinds of European bridges, but which weren't any specific bridges. For example: