koto (@kkotowicz)'s Twitter Profile
koto

@kkotowicz

security ninja wannabe
Mastodon: @[email protected]

ID: 7863612

Link: http://blog.kotowicz.net
Joined: 01-08-2007 00:38:01

5.5K Tweets

8.8K Followers

401 Following

Google VRP (Google Bug Hunters) (@googlevrp)

We are excited to announce the new Mobile VRP! We are looking for bughunters to help us find and fix vulnerabilities in our mobile applications. bughunters.google.com/about/rules/66…

Lukas Weichselbaum (@we1x)

'document.domain' will be immutable in Chrome 115. Thank you and congratulations to Mike West and his amazing team for making the web safer by deprecating legacy badness. It's great to see Chrome leading by example here. Hopefully others will follow. developer.chrome.com/blog/document-…

Google VRP (Google Bug Hunters) (@googlevrp)

From June 1st 10:00 UTC to June 30th 10:00 UTC we will award a 75% bonus to any valid Gmail bug report. Get hacking!🤘 Rules: bughunters.google.com/about/rules/54…

koto (@kkotowicz)

One of the rougher edges of the platform that enables an XSS vector is going away soon. This fixes XSS many sites didn't even realize they had. Great body of work championed by Jun Kokatsu!

Masato Kinugawa (@kinugawamasato)

Mastodon has security fixes for an RCE and an XSS. Related to that, a bypass of the HTML sanitizer in the Ruby gem "sanitize" has also been fixed. github.com/rgrove/sanitiz…

@securitymb@infosec.exchange (@securitymb)

So I'm starting a YouTube channel 😄 Join me today at 19:00 CEST (in other words: in three hours) when I'll talk about 10 highlights from my bug hunting career: youtube.com/watch?v=utz3SH…

Jun Kokatsu (@shhnjk)

A few deprecations shipped in Chrome 120. Data URLs in SVG <use> are now blocked. chromestatus.com/feature/512882… CSP Embedded Enforcement's implicit opt-in for same-origin iframes is gone. chromestatus.com/feature/509815…

Lukas Weichselbaum (@we1x)

Mozilla has changed their standards position on Trusted Types to positive 🎉 2024 will be a bad year for DOM-based XSS. github.com/mozilla/standa…

koto (@kkotowicz)

See how Google's security engineering team handles rollouts at scale, so we can safely enforce Strict CSP, Trusted Types and other security features on hundreds of new services yearly. bughunters.google.com/blog/589651289…

Google VRP (Google Bug Hunters) (@googlevrp)

Ever wondered how to increase your bug bounties 💸 ? Our latest blog post introduces our domain tiers security concept and how it is applied at Google, and includes a list of Google's highest sensitivity domains. bughunters.google.com/blog/456217538…

Michał Kowalczyk 🇺🇦 (@dsredford)

It's finally happened! NEWAG IP Management just sued us for copyright infringement and unfair competition. Here's a symbolic picture of the lawsuit as a whole: Newag quoting q3k's own code as supposedly their IP :) More: infosec.exchange/@q3k@hackerspa…
Gynvael Coldwind (@gynvael)

So NEWAG (context: media.ccc.de/v/37c3-12142-b…) finally filed a lawsuit against members of Dragon Sector / SPS. It took them a few months from when they said they'd do it, and apparently there were some snafus with addresses, but here we are. 1/n🧵

koto (@kkotowicz)

XSS in Gmail is now $20k (or 50% more for an exceptional quality report). Good thing we don't have XSSes anymore... Or do we? :)

Gynvael Coldwind (@gynvael)

If anyone is following the NEWAG vs Dragon Sector case, this article (in PL, but, well, 2024, google translate) is a really good read about the actual lawsuit and the first day of trial. Second day of trial will be on Jan 15, so there's some time for sides to file more stuff.

koto (@kkotowicz)

Pretty cool exploit chain with the redirects. The writeup is also excellent, and the "screenshots" being actually interactive? 🤯 Thanks a lot for the research, Rebane!