Security research @ GitGuardian | Former pentester 🥾
I have an empty blog that I am decided to fill with personal research since 1874.
Twitter: https://twitter.com/_mabote_
Blog: https://mabote.heimr.net/

During #39c3 Nadia Heninger introduced me to Keegan Ryan, and we talked about things that could go wrong in RSA, and how to detect keys with suspicious patterns created by defective RNGs. At some point, Keegan said: "You could check the Hamming Weight of the Modulus." And I replied: "I don't know what that means."
But it's actually quite simple. The Hamming Weight is the ratio of symbols, if we look at bits, how many 0s vs 1s are there. For a "proper", randomly generated RSA key, the ratio should be close to 0.5. If it's significantly different from that, it's likely not randomly generated.
We ended up finding some keys with repeating zero-byte patterns. It is possible to represent those as polynomials. Unlike integer numbers, polynomials can be factored efficiently, which means these keys can be broken.

We found SSH host keys that we could trace back to a software called CompleteFTP (which, furthermore, had another RSA vulnerability in its Linux version and also generated vulnerable DSA keys - all fixed in the latest version of CompleteFTP, but keys need to be regenerated). We furthermore identified another class of vulnerable keys (with a different width of zero byte patterns) in TLS certs (both self-signed and WebPKI-signed, but all expired, so no revocations), most of them from Verizon+Yahoo, but we were unable to identify the vulnerable RSA implementation.

If you're interested in the details of the attack, check Keegan's blog post:
https://blog.trailofbits.com/2026/06/12/factoring-short-sleeve-rsa-keys-with-polynomials/

The latest badkeys version 0.0.18 detects all affected vulnerable keys.

Factoring "short-sleeve" RSA keys with polynomials

We found hundreds of weak RSA and DSA keys with biased bits that we could quickly factor using a new polynomial-based cryptanalytic technique.

The Trail of Bits Blog
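The bit-ratio check described in the post above, sketched as an added example (not code from the post, from badkeys or from Trail of Bits). The thresholds, function names and both sample values are assumptions; the "biased" sample is a constructed product of two non-prime integers with a zero-byte pattern, not a real key.

```python
import math
import random

def ones_fraction(n: int) -> float:
    """Fraction of 1 bits in n (the ratio the post describes)."""
    return bin(n).count("1") / n.bit_length()

def weight_zscore(n: int) -> float:
    """Standard deviations between n's popcount and that of uniform random bits.

    For k independent fair bits the popcount is Binomial(k, 1/2):
    mean k/2, standard deviation sqrt(k)/2.
    """
    k = n.bit_length()
    return (bin(n).count("1") - k / 2) / (math.sqrt(k) / 2)

def zero_byte_fraction(n: int) -> float:
    """Fraction of 0x00 bytes in the big-endian encoding of n."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return raw.count(0) / len(raw)

def looks_biased(n: int, z_limit: float = 6.0, zero_limit: float = 0.05) -> bool:
    """Flag a modulus whose bits are far from what a sound RNG produces.

    Both limits are assumptions chosen for this example, not badkeys' values.
    """
    return abs(weight_zscore(n)) > z_limit or zero_byte_fraction(n) > zero_limit

def constructed_sparse_factor(rng: random.Random, words: int = 16) -> int:
    """Constructed test value: one random non-zero byte followed by three
    zero bytes, repeated. Not prime and not taken from any real key."""
    return sum(rng.randrange(1, 256) << (32 * i) for i in range(words))

def sample_moduli():
    """Return (healthy, biased) constructed sample values."""
    rng = random.Random(2026)
    # Stand-in for a sound 1024-bit modulus: uniform bits, top bit set, odd.
    healthy = rng.getrandbits(1024) | (1 << 1023) | 1
    biased = constructed_sparse_factor(rng) * constructed_sparse_factor(rng)
    return healthy, biased

if __name__ == "__main__":
    for name, n in zip(("healthy", "biased"), sample_moduli()):
        print(name, round(ones_fraction(n), 3), round(weight_zscore(n), 1),
              round(zero_byte_fraction(n), 3), looks_biased(n))
```

The product of two sparse factors stays sparse because the partial products never carry into the next 32-bit slot, which is why the bias is visible in the public modulus alone.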

EXPLOITATION SESSION
Let's continue our program exploration by discovering the Exploitation Session content 🔥

- Rémi Matasse & Pierre Martin will expose deep details about the CVE-2025-54068 preauth RCE they found in Livewire & tooling they develop around it 💣
- Gal Zaban & Ido Shani will share with us two CVEs found in Chainlit, a framework that helps build apps for conversational AI 💣
- Cassius Garat will expose a practitioner's field report of current BitLocker bypass state of the art 🔐
- and Marius G. will propose a workshop to walk through the full attack chain of a real-world Fancy Bear (APT28/GRU) intrusion with all participants 🔬

🚨 Last step: book your free seat!

🎟️ Booking: https://pretix.eu/passthesalt/2026/
📑 Program: https://cfp.pass-the-salt.org/pts2026/schedule/
📅 Dates: June 30 > July 2, 2026
📍 Université Catholique de Lille, France: https://maps.app.goo.gl/XQfaqsNJmDtwiJ747
🌐 Website : https://2026.pass-the-salt.org/

The rumps in particular are available directly here: https://www.sstic.org/2026/presentation/rumps_2026/

#sstic #sstic2026 #rumps


THREAT INTEL SESSION
Let's close the week by giving exposure to our Threat Intel session 🔥

Our top-notch and seasoned speakers will provide you talks and workshops on bleeding edge topics of the field:

- State of the Art of Suricata on IOC by Eric LEBLOND (CTO, Stamus Networks) 🚀 : talk & workshop

- Private Key Leaks Detection using Certificates Transparency by Gaëtan Ferry and Guillaume Valadon 🔦

- Alexandre Dulaunoy will present GCVE, an initiative for Vulnerability Tracking for an Open Security Ecosystem 📣

- Raphaël Vinot & Quinn Norton will teach you how to improve your Web Forensics capabilities with Lookyloo & Lacus 💻️

- And last but not least, Xavier Mertens 🇧🇪 & Teqagogo will expose their new research, PhishTrack, about credentials leaks reuse monitoring 🚀

🚨 Take your free(!) seat 🥰

🎟️ Booking: https://pretix.eu/passthesalt/2026/

📑 Program: https://cfp.pass-the-salt.org/pts2026/schedule/

📅 Dates: June 30 > July 2, 2026

📍 Université Catholique de Lille, France: https://maps.app.goo.gl/XQfaqsNJmDtwiJ747

🌐 Website : https://2026.pass-the-salt.org/

oh, you care about open source security? please run npm install -g on this completely opaque tool with 500 dependencies. don’t worry, we automerge every single dependency bump on our side for Maximum Security.

There's serious panic being caused by AI discovered vulnerabilities behind the scenes, where those finding them are basically using them as marketing. Automated vulnerability hype train again, basically.

A thread on a few of them.

CFP RESULTS
😍 The reviews have been done and the final meeting gave its results on Monday evening.

🙏 We really want to THANK both our authors for the quality of their research and our reviewers for their hard work: 20+ reviews per reviewer in order to get an average number of 4 reviews per proposal.

🚀 We received 46 proposals. 22 talks and 7 workshops have been finally selected by the program committee. Notifications have been sent to all authors.

🗓 Next step: we are currently working on the program which will be published next week and we bet you are going to LOVE it 🔥

I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bugbounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:

Does anyone have a contact at pwn.ai?

We would kinda like to have a conversation with them...

34% surge in new secrets detected in public GitHub commits in 2025 vs 2024 data.

The state of secrets sprawl is, unfortunately, not improving.

https://www.gitguardian.com/state-of-secrets-sprawl-report-2026

Still, proud to have worked on this report and glad we can share it with the world.

The State of Secrets Sprawl 2026 | GitGuardian Annual Report

AI is fueling secrets sprawl: GitGuardian’s 2026 report reveals an 81% surge in AI-service leaks as 29M secrets hit public GitHub.