Google Chrome silently installs a 4 GB AI model on your device without consent
Google Chrome is downloading a 4 GB Gemini Nano model onto users
Virginia and Washington, D.C. paused the data collection and sharing, after Bloomberg's investigation found their health insurance marketplaces were sharing users' information with advertisers.
Why security through obscurity still matters: not as your only defence, but as a practical layer that raises attacker cost.
The mythical, it's text, so it's accessible There is a persistent misconception among sighted developers: if an application runs in a te...
arXiv:2605.01065v1 Announce Type: new Abstract: The goal of differentially private text obfuscation is to obfuscate, or "perturb", input texts with Differential Privacy (DP) guarantees, such that the private output texts are quantifiably indistinguishable from the originals. While perturbation at the word level is intuitive, meaningful text privatization happens on complete documents. Recent research has laid the groundwork for reasoning about privacy budget distribution, namely, how an overall ...
arXiv:2605.00074v1 Announce Type: new Abstract: DNA-synthesis providers screen incoming orders by searching the requested sequence against curated hazard lists. We show that this baseline collapses to a 100% false-flag rate when the hazardous sequence comes from a taxonomic family absent from the reference set: under Conformal Risk Control's certified miss-rate constraint, a low-discrimination signal forces the threshold below the entire test-benign mass. We compose three signals derived from a ...
The FBI is now warning about a surge in cargo theft tied to cybercriminals. The concern is valid. The timing is behind. For much of the freight industry, this is not new information. It is confirmation of a shift that has already taken hold. The change began around 2021. That is when fraud moved into the transaction itself. Loads were no longer being taken from yards or truck stops. They were being redirected before pickup ever happened. Identities were copied. Emails were manipulated. Legitimat...
It was used to track a Dutch naval ship: Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in th...
404 Media reports (alternate site): The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database…. The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting ...
ICE has admitted that it uses spyware from the Israeli company Graphite.
Researchers find malicious LLM proxy routers, a fake Ledger crypto-wallet on the Mac App Store stole $10 million dollars, a ransomware crew leaks data from 38 law firms, and Google cracks down on back button hijacking. Show notes Risky Bulletin: Malicious LLM proxy routers found in the wild
France prepares to ditch Windows for Linux, OpenAI was impacted by the Axios supply chain attack, Rockstar Games gets hacked again, and Adobe patches a reader zero-day. Show notes Risky Bulletin: France takes first steps to ditch Windows for Linux
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and nov...
Introduction: Today's post dives into a practical reverse engineering exercise focused on Intego (for macOS). We will first use static analysis with Ghidra to inspect how a privileged process exposes Mach services via XPC, so we know where to look before moving on to observing real runtime behavior. In the second part we will switch to dynamic analysis with Frida to observe how those Mach services behave under execution and to illustrate a class of Race Condition attacks (PID reuse attack using p...
Author's note: This article is part of a series of blog posts dedicated to identifying vulnerabilities in third-party macOS applications. The goal is to document real-world flaws and explain the techniques used to discover and exploit them. Other examples of this series include our prior posts about ControlPlane, CCleaner, and Microsoft Teams: ControlPlane Local Privilege Escalation Vulnerability on macOS; CCleaner Local Privilege Escalation Vulnerability on macOS; Exploiting Microsoft Teams on macOS ...
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image.
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors. Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the E...
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution. Redmond warns that attackers are already targeting CVE-2026-32201, ...
Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code. Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that we...
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskrimina...
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language. Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using...
The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency. Based in Kalamazoo, Michigan, Stryker...
Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets mutated, the mutations happen in such a way that any resulting samples still adhere to the grammar rules, thus the structure of the samples gets maintained by the mutation process. In case of coverage-guided grammar fuzzing, if the resulting sample (after the mutation) triggers previously unseen code coverage, this sample is saved to the ...
In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t know existed until I found a publicly disclosed UAC bypass using the Quick Assist UI Access application. This API looked interesting so I thought I should take a closer look. I typically start by reading the documentation for an API I don’t know about, assuming it’s documented at all. It can give you an idea of how long the API has existed as well as its security properties. The documentation’s remark...
In my last blog post I introduced the new Windows feature, Administrator Protection and how it aimed to create a secure boundary for UAC where one didn’t exist. I described one of the ways I was able to bypass the feature before it was released. In total I found 9 bypasses during my research that have now all been fixed. In this blog post I wanted to describe the root cause of 5 of those 9 issues, specifically the implementation of UI Access, how this has been a long standing problem with UAC th...
In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-54529) and a double-free vulnerability (CVE-2025-31235) in the coreaudiod system daemon through a process I call knowledge-driven fuzzing. While the first post focused on the process of finding the vulnerabilities, this post dives into the intricate process of exploiting the type confusion vulnerability. I’ll explain the technical details of...
A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary. This blog post will give a brief overview of the new feature, how it works and how it’s different from UAC. I’ll then describe some of the security research I undertook while it was in the insider previ...
While our previous two blog posts provided technical recommendations for increasing the effort required by attackers to develop 0-click exploit chains, our experience finding, reporting and exploiting these vulnerabilities highlighted some broader issues in the Android ecosystem. This post describes the problems we encountered and recommendations for improvement. Audio Attack Surface The Dolby UDC is part of the 0-click attack surface of most Android devices because of audio transcription in the...
With the advent of a potential Dolby Unified Decoder RCE exploit, it seemed prudent to see what kind of Linux kernel drivers might be accessible from the resulting userland context, the mediacodec context. As per the AOSP documentation, the mediacodec SELinux context is intended to be a constrained (a.k.a sandboxed) context where non-secure software decoders are utilized. Nevertheless, using my DriverCartographer tool, I discovered an interesting device driver, /dev/bigwave that was accessible f...
Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, au...
Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work. A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. Among those affected were a senior military officer responsib...
Citizen Lab director Ron Deibert recently spoke with NPR’s Rob Schmitz on All Things Considered about the Lab’s new investigation of Webloc, a geolocation surveillance system that uses ad-based data to monitor people across the globe. Deibert explains how the internet ecosystem has been designed around personal data surveillance–collecting information on users that is sold to advertisers. Webloc enables governments to gain access to this information to track individuals. Experts are concerned wi...
The Edmonton Police Service is trialing new bodycam facial recognition technology to identify what they have deemed “high-risk offenders.” Speaking to the CBC, senior research associate Kate Robertson says, “As someone who has been studying algorithmic policing technologies for nearly a decade, and [previously] a lawyer in Canada’s justice system, I have to say that this is likely the most high risk algorithmic surveillance program that I have observed to date in Canada.”
Senior researcher Noura Aljizawi spoke to WIRED about a hack that revealed Syria’s fragile cybersecurity. “We still do not know exactly what happened. Whether the accounts were directly hacked or accessed through weak or reused credentials, the conclusion is much the same: very poor digital security practices,” Aljizawi says. Read the article The post The Hack That Exposed Syria’s Sweeping Security Failures appeared first on The Citizen Lab.
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode. Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility. For these reasons, I set out to add LibAFL support to Ruzzy, our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing en...
We’re open-sourcing Trailmark, a library that parses source code into a queryable call graph of functions, classes, call relationships, and semantic metadata, then exposes that graph through a Python API that Claude skills can call directly. Install it now: uv pip install trailmark “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John Lambert’s widely cited observation about network security applies just as well to AI-assisted software analysis. When...
Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrough, but rather the exploitation of multiple subtle memory safety and logic vulnerabilities in Google...
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now-public audit, conducted before launch, identified several vulnerabilities that compromised WhatsApp...
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA, an open-source tool that simplifies the full range of MBA expressions used in the wild. Point it at an obfusc...
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerability, overlooked by coverage metrics, that would have allowed attackers to drain funds. Today, we’re...
Using dimensional analysis, you can categorically rule out a whole category of logic and arithmetic bugs that plague DeFi formulas. No code changes required, just better reasoning! One of the first lessons in physics is learning to think in terms of dimensions. Physicists can often spot a flawed formula in seconds just by checking whether the dimensions make sense. I once had a teacher who even kept a stamp that said “non-homogeneous formula” for that purpose (and it was used a lot on students’ ...
Account abstraction transforms fixed “private key can do anything” models into programmable systems that enable batching, recovery and spending limits, and flexible gas payment. But that programmability introduces risks: a single bug can be as catastrophic as leaking a private key. After auditing dozens of ERC‑4337 smart accounts, we’ve identified six vulnerability patterns that frequently appear. By the end of this post, you’ll be able to spot these issues and understand how to prevent them. Ho...
If you’ve ever done Linux memory forensics, you know the frustration: without debug symbols that match the exact kernel version, you’re stuck. These symbols aren’t typically installed on production systems and must be sourced from external repositories, which quickly become outdated when systems receive updates. If you’ve ever tried to analyze a memory dump only to discover that no one has published symbols for that specific kernel build, you know the frustration. Today, we’re open-sourcing mqui...
Before launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information from Gmail by exploiting the browser’s AI assistant. The vulnerabilities we found reflect how AI agents behave when external content isn’t treated as untrusted input. We’ve distilled our findings into five recommendations that a...
Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API, leading to a large number of key/IV reuse bugs. These bugs potentially affect thousands of downstream projects. When we shared one of these bugs with an affected vendor, strongSwan, the maintainer provided a model response for security vendors. The aes-js/pyaes maintainer, on the other hand, has taken a more… cavalier approach. Trail of Bits doesn’t usually make a point of publicly calling out spe...
Software signatures carry an invisible expiration date. The container image or firmware you sign today might be deployed for 20 years, but the cryptographic signature protecting it may become untrustworthy within 10 years. SHA-1 certificates become worthless, weak RSA keys are banned, and quantum computers may crack today’s elliptic curve cryptography. The question isn’t whether our current signatures will fail, but whether we’re prepared for when they do. Sigstore, an open-source ecosystem for ...
With browser-embedded AI agents, we’re essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks. These attacks, which are functionally similar to cross-site scripting (XSS) and cross-site request forgery (CSRF), resurface decades-old patterns of vulnerabilities that the web security community spent years building effective defenses ...
Go’s arithmetic operations on standard integer types are silent by default, meaning overflows “wrap around” without panicking. This behavior has hidden an entire class of security vulnerabilities from fuzzing campaigns. Today we’re changing that by releasing go-panikint, a modified Go compiler that turns silent integer overflows into explicit panics. We used it to find a live integer overflow in the Cosmos SDK’s RPC pagination logic, showing how this approach eliminates a major blind spot for an...