Positive Security

Holistic IT Security Research & Consulting
Website: https://positive.security
Location: Berlin

Vulnerabilities in the hidden magic of Lodash, Ramda and Underscore

We looked at the internals of JavaScript/TypeScript's most popular utility libraries and found interesting issues.
The post contains hacking challenges/live demos.
We recommend checking it out if you work with the affected libraries.

https://positive.security/blog/lodash-ramda-underscore-vulnerabilities


At #38c3, we presented our #BlinkenCity research, which started as a fun art project idea, and ended up as a plausible European #blackout scenario.

https://www.youtube.com/watch?v=DAf-T3bFJFs

Details: https://positive.security/blog/blinkencity-38c3

TL;DR: Some European countries use unencrypted and unauthenticated #longwave radio to steer parts of their renewable power, enough to potentially cause a Europe-wide blackout.

The control signals can be sent with just a #Flipper Zero over a short distance, or via self-built transmitters over a long distance (e.g. using a kite to lift an antenna wire).

The system is also used for street lamp control, allowing for a scaled-up “Project #Blinkenlights” art installation that transforms an entire city into a screen (for astronauts).

The company operating this system has threatened us with lawsuits and (now publicly) denies the risk.

38C3 - BlinkenCity: Radio-Controlling Street Lamps and Power Plants

The latest @make magazine features an article of ours on "DIY #AirTags".
It contains:
- Brief explanation of the Find My protocol
- Introduction of @seemoolab's OpenHaystack
- Summary of our research (Send My & Find You)
- Example use cases for such (enhanced) DIY trackers

We built a stealth AirTag clone that is not detected by Apple’s tracking protection. It works by only sending one beacon per generated public key.

https://positive.security/blog/find-you

The source code for the ESP32 firmware and macOS retrieval application used in our experiment can be found here:
https://github.com/positive-security/find-you

Find You: Building a stealth AirTag clone | Positive Security

We built an AirTag clone capable of silently and continuously tracking someone. The device accomplishes this by sending just one beacon per generated public key, thereby staying invisible to tracking notifications for iOS users and Apple’s Tracker Detect Android app.

We present a simple yet effective technique to get a high-resolution image from a pixelated video in order to recover redacted information (with no guessing involved).

https://positive.security/blog/video-depixelation

Recovering redacted information from pixelated videos | Positive Security

We explore the history of image unblurring and present a simple yet effective technique to get a high-resolution image from a pixelated video in order to recover redacted information (with no guessing involved).

Apple AirTags: Arbitrary data can be uploaded from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices:
https://positive.security/blog/send-my

Send My: Arbitrary data transmission via Apple's Find My network | Positive Security

Apple AirTags: Arbitrary data can be uploaded from non-internet-connected devices by sending Find My BLE broadcasts to nearby Apple devices. We're releasing an ESP32 firmware that turns the microcontroller into an (upload only) modem, and a macOS application to retrieve, decode and display the uploaded data.

Insecure URI handling leads to 1-click #RCE in many popular desktop applications: #Telegram #Nextcloud #VLC #LibreOffice #OpenOffice #Bitcoin #Dogecoin #Wireshark #Mumble
Check our post for more details:
https://positive.security/blog/url-open-rce

Allow arbitrary URLs, expect arbitrary code execution | Positive Security

Insecure URL handling leading to 1-click code execution vulnerabilities in Telegram, Nextcloud (CVE-2021-22879), VLC, LibreOffice (CVE-2021-25631), OpenOffice (CVE-2021-30245), Bitcoin/Dogecoin Wallets, Wireshark (CVE-2021-22191) and Mumble (CVE-2021-27229).