Holistic IT security research & consulting
Joined December 2020
- Tweets 32
- Following 0
- Followers 1,617
- Likes 4
6 Photos and videos
7 May 2025
We looked at the internals of JavaScript/TypeScript's most popular utility libraries and found interesting issues.
The post contains hacking challenges/live demos.
We recommend checking it out if you work with the affected libraries.
positive.security/blog/lodas…
1
1
2
244
10 Jan 2025
At #38c3, we presented our #BlinkenCity research, which started as a fun art project idea, and ended up as a plausible European #blackout scenario.
youtube.com/watch?v=DAf-T3bF…
Details: positive.security/blog/blink…
2
3
4
888
10 Jan 2025
The system is also used for street lamp control, allowing for a scaled-up “Project #Blinkenlights” art installation that transforms an entire city into a screen (for astronauts)
1
1
2
219
10 Jan 2025
The company operating this system has threatened us with lawsuits and (now publicly) denies the risk
128
29 Jun 2023
We leverage indirect prompt injection to trick Auto-GPT (GPT-4) into executing arbitrary code and discovered vulnerabilities that allow escaping its sandboxed execution environment.
positive.security/blog/auto-…
2
12
23
3,038
10 Jul 2023
The Auto-GPT team has now also published GitHub security advisories and reserved CVE numbers:
- github.com/Significant-Gravi…
- CVE-2023-37273, CVE-2023-37274, CVE-2023-37275
468
11 May 2023
Our article on DIY AirTags is now also available in German!
Zu finden im @MakeMagazinDE (1/2023) und @mac_and_i (2/2023)
1
556
10 May 2023
Fabian was interviewed (in German) by Deutschlandfunk about the new tracking protection standard by Google and Apple (featuring a "backdoor" near-owner bit)
deutschlandfunk.de/zwielicht…
2
455
26 Jan 2023
The popular Ruby library "Ransack" can be abused to exfiltrate sensitive data via character by character brute-force.
We compromised multiple applications this way and found hundreds more that could be vulnerable.
positive.security/blog/ransa…
8
18
2,770
16 Nov 2022
The latest @make magazine features an article of ours on "DIY #AirTags".
It contains:
- Brief explanation of the Find My protocol
- Introduction of @seemoolab's OpenHaystack
- Summary of our research (Send My & Find You)
- Example use cases for such (enhanced) DIY trackers
1
5
27
2 Nov 2022
urlscan.io leaks API keys, shared documents, password reset links, team invites, and other sensitive data.
We identified one culprit to be other security tools that accidentally make their scans public and put their users at risk.
positive.security/blog/urlsc…
2
84
280
16 Mar 2022
An unpatched vulnerability in the popular dompdf PHP library allows for remote code execution via a malicious font PHP polyglot file.
positive.security/blog/dompd…
6
179
481
16 Mar 2022
The exploit files and demo application are available here: github.com/positive-security…
8
8
21 Feb 2022
We built a stealth AirTag clone that is not detected by Apple’s tracking protection. It works by only sending one beacon per generated public key.
positive.security/blog/find-…
5
34
67
21 Feb 2022
The source code for the ESP32 firmware and macOS retrieval application used in our experiment can be found here: github.com/positive-security…
1
1
17
25 Jan 2022
We present a simple yet effective technique to get a high-resolution image from a pixelated video in order to recover redacted information (with no guessing involved)
positive.security/blog/video…
2
20
58
22 Dec 2021
Microsoft Teams: 1 feature, 4 vulnerabilities
We stumbled upon several vulnerabilities in Team's link preview feature, out of which MS only fixed one so far.
positive.security/blog/ms-te…
6
48
97
7 Dec 2021
New blog post: Windows 10 RCE via an argument injection in the ms-officecmd URI handler.
While our RCE vector (MS Teams) has been fixed, the argument injection still persists.
positive.security/blog/ms-of…
1
103
253