I began looking into browser security issues again in 2026 and while reviewing extension permission APIs, I noticed that the default declarativeNetRequest API (which only requires permission to block content on all pages) can be leveraged into a side-channel attack.
This permission ends up allowing an extension to infer the full URL of open tabs without requesting the chrome.tabs permission, and it can also leak the full URL of cross-origin redirects.
Unfortunately, fixing this issue has been deemed unrealistic by Chrome, and the risk has been accepted, so it is worth keeping this in mind when granting content-blocking permissions to browser extensions.
The complete public report can be found at issues.chromium.org/issues/4….
Here we go. My DEF CON CTF writeup, a little different from the others. Also, thanks to Pwn de Queijo for letting me play with you guys.
davi1337.gitbook.io/public/d…
Posting a mini XSS challenge! Goal is to pop an alert. I believe this trick is not well known. Intended solution is chrome only. Thanks to @kevin_mizu for beta testing! Don't post solutions in the thread; DM only!
xss.hashkitten.io/xss1.html
Introducing Hacktron Review: an AI security reviewer for your pull requests.
It understands your whole codebase, builds a threat model, takes your feedback, and catches exploitable vulnerabilities before they reach production.
Try for free: app.hacktron.ai
[422531206][reward: $5000] Intersection Observer v2 API fails to correctly determine target's visibility for dynamically changed z-indexes, enabling clickjacking against Google One Tap
crbug.com/422531206
I pointed claude opus at chrome and told it to build a full v8 exploit for discord.
A week of back-and-forth pulling it out of dead ends. 2.3B tokens. $2,283 in API costs, and it popped a shell.
hacktron.ai/blog/i-let-claud…
new tool
PEGA-PEGA
Multi-protocol request logger and catcher. Listens on 14 protocols, logs every incoming request, and displays them in a web dashboard and terminal UI.
github.com/caioluders/pega-p…
i built an entire x86 CPU emulator in CSS (no javascript)
you can write programs in C, compile them to x86 machine code with GCC, and run them inside CSS
🚨 CVE-2026-1731 🚨
Our team discovered a critical pre-auth RCE affecting BeyondTrust Remote Support & Privileged Remote Access.
SaaS/Cloud instances have been patched. If you're running self-hosted deployments, apply the patches immediately. More info in the comments.
$312,500 worth of stored/reflected XSS vulnerabilities in Meta’s Conversions API Gateway allowed JavaScript code to run on any Facebook domain and millions of third-party websites. The flaw enabled zero-click Facebook account takeover and more:
ysamm.com/uncategorized/2025…
We've published a new blog post by RyotaK @ryotkak
He discovered 8 methods to bypass safety mechanisms in Claude Code, leading to arbitrary command execution.
We recommend updating to v1.0.93 or later to fix this vulnerability (CVE-2025-66032).
flatt.tech/research/posts/pw…
Cross-Site ETag Length Leak
blog.arkark.dev/2025/12/26/e…
I just posted the author writeup for impossible-leak in SECCON CTF 14 Quals. As far as I know, this is a new XS-Leak technique! The ETag header can become a side channel :)
Could prediction markets like Polymarket/Kalshi be used to incentivize responsible disclosure of 0days? For example: "Will a critical Apache RCE be responsibly reported and patched in 2026?"