Prof. @KU_Leuven | Ex-Postdoc NYU | Network Security & Crypto | FragAttacks & KRACK | bsky.app/profile/vanhoefm.bs…
Joined February 2011
- Tweets 3,573
- Following 1,560
- Followers 14,378
- Likes 3,167
153 Photos and videos
Pinned Tweet
11 May 2021
I found some design and implementation flaws in Wi-Fi again. All Wi-Fi devices are affected. It was a long ~9 months embargo, over this time a lot of info has been collected and that info now available at fragattacks.com
32
1,117
2,637
Mathy Vanhoef retweeted
‼️ UPDATE: It just doesn't stop: Almost 900 Arch Linux packages infected now.
lists.archlinux.org/archives…
🚨 BREAKING: More than 400 Arch Linux User Repository packages have been compromised with infostealer malware and a rootkit.
Attacker posed as a trusted maintainer and "adopted" orphaned packages.
Arch maintainers are purging infected packages now. Audit your AUR installs.
185
848
5,591
993,997
Mathy Vanhoef retweeted
Jun 4
This guy sucks. At my first Pwn2Own he asked me over and over if it was my first CVE. I said no but he kept insisting, in front of everyone, he’d never seen my name credited before. Turns out he was confusing me with another woman in infosec. In charge of security research engagement for MSRC btw
42
79
1,267
134,723
Jun 3
Interesting realization: any bash script can get your geolocation.
Here done using Wi-Fi trilateration on macOS by spawning a chrome browser.
I would assume the same thing is possible on Linux, probably even without spawning a browser.
Jun 2
1/
WHEREAMI: Built a Chrome-based geolocation red team tool (bash script😅).
whoami tells you who. whereami tells you where.
Living-Off-the-Land (#LOLbins), no new binaries, no permissions prompts.
Relevant for proximity based attacks, e.g. @Volexity's nearest neighbor
10
25
6,349
Mathy Vanhoef retweeted
Jun 2
For 19 years, GPS satellites have secretly broadcast a “numbers station” in their public signals. We decoded 12M messages: a 2011 flash where 31 of 32 satellites flipped in hours, “ghost” substrings repeating years apart, and a “TEXT” prefix spreading now. lsc-pagepro.mydigitalpublica…
46
357
2,097
404,764
Mathy Vanhoef retweeted
Jun 2
wifite2 as many are familiar with through WiFi penetrating testing and/or @kalilinux as a listed tool on the platform made it to a Netflix series 'Bloodhounds' not long ago and both myself and @derv82 appreciate the attention ☺️ wifite2 is open source and covers a range of 'tests
3
20
995
May 30
Vulnerabilities not being exploitable in a common configuration also happens often when I audit network code during research. The effort to report them, or describe them in a paper, was often not worth it. So these ‘vulnerabilities’ typically remained unpatched.
We’ve now seen at least four nginx RCEs that require non-default configs: nginx rift, nginx poolslip, and two of our own (including the one in the last tweet).
The configs involved are unusual, which raises the obvious question: do these attacks actually work in real-world deployments?
We asked Claude to download and analyze more than 4,000 nginx config files from GitHub.
The result was embarrassing: none of them were vulnerable to nginx rift or our own attacks. We can’t say anything about nginx poolslip yet, since it hasn’t been published.
So don't worry about your nginx yet.
Moral of the story: AI can generate FUD, but also help fight FUD. Embrace it!
2
13
109
19,104
We’ve now seen at least four nginx RCEs that require non-default configs: nginx rift, nginx poolslip, and two of our own (including the one in the last tweet).
The configs involved are unusual, which raises the obvious question: do these attacks actually work in real-world deployments?
We asked Claude to download and analyze more than 4,000 nginx config files from GitHub.
The result was embarrassing: none of them were vulnerable to nginx rift or our own attacks. We can’t say anything about nginx poolslip yet, since it hasn’t been published.
So don't worry about your nginx yet.
Moral of the story: AI can generate FUD, but also help fight FUD. Embrace it!
6
61
286
49,682
Mathy Vanhoef retweeted
May 26
Als een significant gedeelte van de bevolking géén kinderen heeft zullen zij die nog wel kinderen hebben (en investeren om die op te voeden) het niet OK blijven vinden dat de pensioenen van mensen mét en zonder kinderen gelijk blijven.
𝟲𝟬𝟬.𝟬𝟬𝟬€ kostet es, zwei Kinder großzuziehen (Direktkosten Verdienstausfall). Fast genau so viel bezieht ein kinderloser Mensch im Alter an Rente, Gesundheit und Pflege aus dem Umlagesystem.
Ein einseitiges Geschäft:
Eltern investieren, Kinderlose profitieren.
🧵
24
8
48
17,076
May 19
Nominate yourself to help review papers for USENIX Security 2027! sec-rms.com/submit-applicati… (or rms.swag.cispa.de/submit-app… ). Deadline: May 28, 2026.
We're looking for both senior and junior people. See Andrei Sabelfeld's LinkedIn post for more info: linkedin.com/feed/update/urn…
1
4
4
1,258
Mathy Vanhoef retweeted
May 18
There’s been some reporting that Meta contributed an unfathomable sum to promote age verification laws globally. This is broadly true, but actual situation is a bit more complex. Figured it was worth an update.
29
149
986
180,662
Pre-announcement of BIND 9 security issues scheduled for disclosure 20 May 2026
lists.isc.org/pipermail/bind…
1
30
44
8,126
[2]After our failed competition, we headed to Apple Store and bought the mbp m5 and spent less than half an hour to set it up and found a fixed offset is changed 1 bit on it, so we just change 1 bit on our exp and it worked with a 100% success rate. Yes just 1 bit change, 1 to 2.
Unfortunately, Tao Yan & Edouard Bochin of Palo Alto Networks could not get their exploit of Apple Safari – Renderer Only working within the time allotted. #Pwn2Own #P2OBerlin
14
38
569
103,541
Mathy Vanhoef retweeted
May 11
NDSS 2027 is looking for volunteers to join the Artifact Evaluation Committee.
If you care about reproducibility & open science, we would be glad to have you on board. All sorts of backgrounds welcome & no prior experience required.
Self-nominate here: forms.gle/3UydnaYP6vUChFZg6
2
4
520
Pwn2Own hit max capacity for the first time in history. We unfortunately couldn’t get in. We submit our research to vendors. Look to our blog for technical breakdowns coming soon!
#cybersecurity #0day #reverseengineering #exploitdev #infosec #xchglabs #pwn2own
1
12
118
24,554
Mathy Vanhoef retweeted
May 10
1
29
88
16,894
Mathy Vanhoef retweeted
Apr 26
🚨Nominations for the 2026 Pwnie Awards are now open!
Best bug? Worst Bug? Incredible research? Cataclysmic fuckups that knocked over half the internet?
You know who deserves a Pwnie this year! Let us know!
🏇🏇🏇🏇🏇
tally.so/r/441Aro
2
11
26
5,247
Mathy Vanhoef retweeted
May 1
Hey everyone. We’ve seen the discussions around Copy Fail (CVE-2026-31431) and the disclosure process. We appreciate the passion from distro maintainers, defenders, and the broader Linux community. This is a serious issue, and we want to share some context on our side in good faith. 🧵
16
82
535
106,926
Apr 23
Just presented AirSnitch at Black Hat Asia 2026!
The presentation covered how we could often bypass Wi-Fi client isolation in home and professional access points. This was an awesome collaboration with UC Riverside!
The slides and our NDSS'26 paper are linked below ⬇️
2
11
37
2,823
Apr 23
GitHub with our AirSnitch tool and a high-level explanation: github.com/vanhoefm/airsnitc…
Black Hat Asia slides: papers.mathyvanhoef.com/blac…
Corresponding NDSS'26 paper: papers.mathyvanhoef.com/ndss…
2
12
736