Chrome decided to derestrict an interesting bug from @jann from 7 years ago. Android applications with the READ_EXTERNAL_STORAGE permission were able to steal CSRF tokens by forcing the browser to save arbitrary web pages to disk and then read these files from the Downloads folder.

https://bugs.chromium.org/p/chromium/issues/detail?id=587956

Coincidentally, some 6 months later, Rob M and I paired the same bug with a SOP bypass at #Pwn2Own 2016 to exfiltrate Google Drive files and remotely install an APK via Google Play's web front-end.

https://downloads.immunityinc.com/infiltrate-archives/[Infiltrate]%20Geshev%20and%20Miller%20-%20Logic%20Bug%20Hunting%20in%20Chrome%20on%20Android.pdf

Hullo! It's me @munmap and you may remember me from such pretentious competitions as Mobile #Pwn2Own 2016, 2017, and 2018, as well as Desktop Pwn2Own 2018.
I even got a #Pwnie once for taking the piss with Samsung and chaining 12 second-rate bugs into a one-click APK install on their Galaxy S8. We may have also crossed paths at #SyScan, #Kiwicon, #Infiltrate, #ZeroNights, #ekoparty, #CanSecWest, etc.

I've been hacking (trying?) for over 10 years and I've been fascinated with #fuzzing, VR tooling, and general bug hunting for as long as I can remember.

I recently left (yet another) defence contractor and now I work for a small, tight-knit UK-based company called Interrupt Labs. We focus on VR and XD for a broad range of targets such as browsers, mobile platforms, embedded, automotive, and everything in between. :-)