Snow JS ❄️ is finally in MetaMask 🦊! With Snow, we now have full visibility into all same origin child realms within the MetaMask browser extension, which will be later used to protect those realms against misuse of any potential malicious entities.
Read more about the motivation behind the Snow-MetaMask integration 🎉
Couldn’t find a proper explanation on what realms are in JS so decided to come up with one myself. So, what is a realm in JS? I recommend you give this a read - this is a concept you should be familiar with to consider yourself someone who’s above average in understanding JS!
Excited to join MetaMask to work on high level js security initiatives such as LavaMoat.
As part of me joining the organization I am bringing with me 3 cutting edge libraries I invented and worked on for the past year, to help fight against the problem of unwanted code execution in the browser.
Read more about Securely 🔒, Snow ❄️ and Across ↔ to learn more about this effort!
My talk at OWASP App Sec conference of 2020 just got published on Youtube!
In this talk I present the WhatsApp vulnerability I exposed in the past and what is the lesson to learn for messaging apps in general when it comes to security
Introducing the official Awesome Javascript Anti Debugging which is the number one repo for resources regarding both old and new generation anti debugging techniques in the browser!
Following the first part of Javascript Anti Debugging, introducing the second part where I show how abusing the scope pane of Chromium’s devtools can allow an attacker tell which on their functions were debugged and take action when they do!
Covered by Forbes I expose a Full CSP Bypass in Chromium based browsers.
In this article I talk about the impacts of such vulnerability and how well CSP really serves us.
Javascript Anti Debugging (Part 1) got accepted to the Israeli In-Dev conference in Hebrew - check it out!
Javascript Anti Debugging (Part 1) got published on the Israeli Magazine “Digital Whisper” in Hebrew - check it out!
Technical details including exploit PoC and videos are uploaded to Github, check it out!
The discovery of CVE-2019-18426 blows up internationally due to its unique severity, including full coverage by Forbes Magazine!
After a long research, managed to expose a chain of critical flaws in WhatsApp Web App the ultimately could have allowed an attcker to read from the victim’s file system with a zero click exploit! Here’s the full research journy
Check out my new finding of a next level javascript anti debugging technique. I demonstrate how I abuse SourceMappingURL feature, which is cross browsers supported, to detect opening of a devtools and do much more then that.
Check out my next post on how to list every event possible in the browser and a graphical represantation I made to compare events support between different browsers
Check out my first post where I share some cool insights regarding end of life events in the browser and a cool javascript trick to easily debug them both