Thomas Rinsma (@thomasrinsma)'s Twitter Profile
Thomas Rinsma

@thomasrinsma

Looking for strange loops and weird machines. Lead security analyst @CodeanIO.

ID: 1311317124

Website: https://thomas.rins.ma

Joined: 28-03-2013 18:01:27

74 Tweets

1.1K Followers

277 Following

Ange (@angealbertini):

We played with JavaScript in PDFs: API difference, text or hex literals or indirect objects. Triggers on document opening or closing, on page displaying, in XFA (AcroForms). And also some JavaScript PDF games such as Breakout, Tetris, and their tricks! youtube.com/live/xZPK04a5l…

Thomas Rinsma (@thomasrinsma):

Finally cleaned up and published my hacky "toolchain" for running custom code on vulnerable Verifone POS devices, enjoy: github.com/ThomasRinsma/v…

Thomas Rinsma (@thomasrinsma):

Just published the write-up of two bugs I found in LibreOffice, allowing remote exfiltration of file/env data and a semi-arbitrary file write. Also relevant for document conversion/preview use cases :) codeanlabs.com/blog/general/e…

Codean (@codeanio):

Codean Labs' b0n0b0 and Doyensec's Aleandro discovered CVE-2025-32464, a heap-buffer overflow in HAProxy. Read our write-up here: codeanlabs.com/blog/research/…

Thomas Rinsma (@thomasrinsma):

b0n0b0 and I found a bug in OpenPGP.js that allowed an attacker to modify a valid signature's text, without access to the original signer's private key. In other words, proper impersonation/spoofing. PoC/write-up coming soon. github.com/openpgpjs/open…

YesWeHack ⠵ (@yeswehack):

InfoSec media has jumped on the story of a vulnerability found via the OpenPGP.js Bug Bounty program on YesWeHack ⠵ that allows attackers to spoof signature verification 🧵1/6

Thomas Rinsma (@thomasrinsma):

Here's the write-up for the OpenPGP.js signature spoofing bug which b0n0b0 and I found. The PoC is included at the end, where we demonstrate by spoofing a message by the Dutch government's Cyber Security Center ;) codeanlabs.com/blog/research/…

Thomas Rinsma (@thomasrinsma):

The recording of my WHY2025 talk is up, see below. The PoC I showed will be in the digital release of Phrack Zine 72, coming soon :) media.ccc.de/v/why2025-226-…