Improving the world’s security at Google. Opinions are mine.

Joined September 2014
Pinned Tweet
Finally, my research is published. It has everything you might wish for in browser security: universal XSS, mutation XSS, CSS data exfiltration, and others. Check this out! In a few days, we'll also release a 30-minute presentation about this topic.
We are publishing the research of Copy&Paste issues in browsers by @SecurityMB. Over $30k in bounties for bugs in Chromium, Firefox, Safari, Google Docs, Gmail, TinyMCE, CKEditor, and others. Includes also 0-day in Froala. research.securitum.com/the-c…
@securitymb@infosec.exchange retweeted
Have been working on agentic vulnerability discovery for a while now, happy to share about CodeMender! 🚀🚀
May 19
While AI is helping us tackle big challenges, it also poses new potential security risks. That’s why we’re focused on building tools that keep the broader ecosystem safe — like CodeMender, a code security agent that automatically finds and fixes critical software vulnerabilities. Today, we’re inviting a select group of experts to test a new CodeMender API, and we’ll be launching it more broadly soon. #GoogleIO
Anyone I know interested in joining the Google Security Team in Zurich? Let me know, I can give a referral :D Here's the job posting: google.com/about/careers/app…

That must be the worst captcha I’ve ever seen.
That was a nice bug, thanks for the shoutout!
Replying to @intigriti
2️⃣ XSS in GMail's AMP4Email via DOM Clobbering Michał Bentkowski (@SecurityMB) exploited DOM clobbering to achieve XSS in Gmail's AMP4Email feature. Found that AMP4Email allowed id attributes, which could be leveraged to overwrite JavaScript variables and bypass Google's strict security filters. research.securitum.com/xss-i…
@securitymb@infosec.exchange retweeted
Why the "Agents Rule of Two" is flawed shhnjk.substack.com/p/why-ag…

@securitymb@infosec.exchange retweeted
26 Dec 2025
Cross-Site ETag Length Leak blog.arkark.dev/2025/12/26/e… I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)
@securitymb@infosec.exchange retweeted
We launched a redesigned Project Zero website today at projectzero.google ! To mark the occasion, we released some older posts that never quite made it out of drafts. Enjoy!
@securitymb@infosec.exchange retweeted
Interested in the security of AI Agents 💁🛡️? Then you've likely heard of "prompt injection", but do you know what "task injection" is? If you're curious, check out our latest post for a description and some real-world examples we discovered. bughunters.google.com/blog/4… bughunters.google.com/blog/4…
@securitymb@infosec.exchange retweeted
4 Dec 2025
my new blogpost is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3 lyra.horse/blog/2025/12/svg-…
@securitymb@infosec.exchange retweeted
28 Oct 2025
JavaScript’s lexer ambiguity in action. Might fool you and some weak parsers. Demo: jsfiddle.net/yo0a24dj/
@securitymb@infosec.exchange retweeted
18 Sep 2025
We published a blogpost about SafeContentFrame - a library for rendering untrusted content inside an iframe. The library is a big part of what I've been up to in the last few years! Check out the blog and take a slice of my birthday cake 🎂! bughunters.google.com/blog/6…
@securitymb@infosec.exchange retweeted
Rendering untrusted web content is fraught with security risks 🕸️ 🛡️. Read how SafeContentFrame, a new TypeScript library, offers a robust solution for isolating web content and protecting against threats like XSS and side-channel attacks. goo.gle/3K5DRQJ
@securitymb@infosec.exchange retweeted
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com/ 1/4
@securitymb@infosec.exchange retweeted
27 Jun 2025
It started! pV!
25 Jun 2025
Google CTF will start in less than 48h from now. Make sure not to miss the great challenges we've prepared this year!! Can't describe how excited I am for it 😶
Google CTF is on! Here's a challenge that I created: capturetheflag.withgoogle.co…. Good luck 😀

Here's my blog post about escaping `<>` in attributes and why it makes mXSS harder to exploit!
🚨 Heads up for web devs! 🚨 The HTML spec just got an important update to protect against mutation XSS (mXSS). Find out how escaping < and > in attributes is making the web a safer place. bughunters.google.com/blog/5…
🔥 A new (more difficult) era for mXSS will come soon! If nothing breaks, Chromium will start escaping "<" and ">" in attributes starting with M138. See chromestatus.com/feature/626… for details.

@securitymb@infosec.exchange retweeted
Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲 Discover how Google's security teams turn employee farewells into security tests. bughunters.google.com/blog/6…