Positive Security (@positive_sec)'s Twitter Profile
Positive Security

@positive_sec

Holistic IT security research & consulting

ID: 1336696103685812224

Link: https://positive.security
Joined: 09-12-2020 15:36:22

31 Tweets

1,1K Followers

0 Following

Positive Security (@positive_sec):

New blog post: Windows 10 RCE via an argument injection in the ms-officecmd URI handler. While our RCE vector (MS Teams) has been fixed, the argument injection still persists. positive.security/blog/ms-office…

Positive Security (@positive_sec):

Microsoft Teams: 1 feature, 4 vulnerabilities. We stumbled upon several vulnerabilities in Teams' link preview feature, of which MS has only fixed one so far. positive.security/blog/ms-teams-…

Positive Security (@positive_sec):

We present a simple yet effective technique to get a high-resolution image from a pixelated video in order to recover redacted information (with no guessing involved). positive.security/blog/video-dep…

Positive Security (@positive_sec):

urlscan.io leaks API keys, shared documents, password reset links, team invites, and other sensitive data. We identified one culprit to be other security tools that accidentally make their scans public and put their users at risk. positive.security/blog/urlscan-d…

Positive Security (@positive_sec):

The latest Make: magazine features an article of ours on "DIY #AirTags".
It contains:
- Brief explanation of the Find My protocol
- Introduction of @seemoo@infosec.exchange's OpenHaystack
- Summary of our research (Send My & Find You)
- Example use cases for such (enhanced) DIY trackers

Positive Security (@positive_sec):

The popular Ruby library "Ransack" can be abused to exfiltrate sensitive data via character-by-character brute-force. We compromised multiple applications this way and found hundreds more that could be vulnerable. positive.security/blog/ransack-d…

Positive Security (@positive_sec):

Fabian was interviewed (in German) by Deutschlandfunk about the new tracking protection standard by Google and Apple (featuring a "backdoor" near-owner bit). deutschlandfunk.de/zwielichtig-di…

Positive Security (@positive_sec):

We looked at the internals of JavaScript/TypeScript's most popular utility libraries and found interesting issues. The post contains hacking challenges/live demos. We recommend checking it out if you work with the affected libraries. positive.security/blog/lodash-ra…