Calif (@calif_io)'s Twitter Profile
Calif

@calif_io

Official account of calif.io. We are hiring offsec.calif.io.

ID: 1632109271700889600

Link: https://calif.io
Joined: 04-03-2023 20:02:32

37 Tweets

1.1K Followers

12 Following

Calif (@calif_io):

Glowing review from Cresta: Calif left no stone unturned and numerous attacks surfaced over multiple weeks. After three weeks of unsuccessful attempts, an initial foothold was gained by determining a password used in the staging environment. cresta.com/blog/security-…

Calif (@calif_io):

If you use cert-manager.io in AWS EKS, be aware of a privesc vector that leads to full cluster compromise. We recommend revoking pod creation permission and switching to domain verification using DNS. See the update at the end of this blog post: blog.calif.io/p/privilege-es…

thAI Duong (@xorninja):

A little good news to share! And we're still hiring:

* Offensive Security Engineer: offsec.calif.io

* Software Engineer: docs.google.com/document/d/1CK…

Calif (@calif_io):

Slides of our talk at AI Day 2023 on improving AI safety with red teaming: drive.google.com/file/d/1hfxDzA… These fascinating topics are new to us. What we knew came from helping AI clients red-team and defend their products and infra. Hope to learn more from everyone! CC lcamtuf

Calif (@calif_io):

New blog post: in a recent engagement, we turned a simple XSRF in Argo CD to a shell with cluster admin privileges. No fix is available. We recommend hosting Argo CD on an isolated domain. Details: blog.calif.io/p/argo-cd-csrf

Cresta (@cresta):

We recently worked with Calif to put our commitment to security to the test. See the results and learn why cybersecurity is one of today’s top competitive advantages! cresta.com/blog/security-…

Nguyen The Duc (@ducnt_):

We express our gratitude to the sponsors: VNG Security Response Center, Verichains, Calif, Binary Ninja (Vector 35) and other anonymous supporters who contributed to TetCTF2024. See You In TetCTF 2025, Happy New Year 🥰 ctf.hackemall.live/final.html

Calif (@calif_io):

Our founder went to the White House meeting the National Security Council to discuss cybersecurity for Vietnam. Report: blog.calif.io/p/a-trip-to-th…

Calif (@calif_io):

We analyzed a LockBit v3 variant, and rediscovered a bug that allows us to decrypt some data without paying the ransom. We also found a design flaw that may cause permanent data loss. This is a joint work with Chuong Dong. Enjoy! blog.calif.io/p/dissecting-l…

Calif (@calif_io):

Wormable Substack XSS: blog.calif.io/p/wormable-sub… It must have been years since the last time a wormable XSS was found in a major social media website. This beautiful type confusion XSS attack vector is a gift that keeps on giving. But most of all, Samy Kamkar is our hero!

Pham Khanh (@rskvp93):

This is one of my favorite bugs so far. WYSIWYG editors have become quite complex these days, especially with the addition of block-based editing and collaboration features. This complexity is often overlooked because many people are hesitant to dive into JavaScript code.