Archive - Calif

A history of device-bound cookies

The recent announcement from Google about Device Bound Session Credentials (DBSC) sent me down memory lane.

Aug 24 •

“Vibe Hacking”: Abusing Developer Trust in Cursor and VS Code Remote Development

Update: Mauro Soria pointed out that this attack vector can be easily adapted for phishing scenarios:

Aug 18

July 2025

Partnering with Google to Strengthen Open-Source Crypto: An Mbed TLS Security Audit

By Linh Le and Ngan Nguyen

Jul 5

April 2025

Oracle SSO, SOS

You've probably seen the news: Oracle Cloud got popped, exposing 6 million records from over 140,000 tenants.

Apr 8 •

March 2025

YouTube Threat Modeling

Last week, we delivered our first training session with YouTube engineers on the attacker's mindset and threat modeling.

Mar 25 •

January 2025

In Vietnam, we have three seasons: hot, hotter, and damn hot!

Jan 2 •

December 2024

CVE-2024-10382: Arbitrary code execution in Android Auto and various apps

In July 2024, Google engaged Calif to audit Android Automotive OS (AAOS) and Android Auto.

Dec 18, 2024 •

and

November 2024

What we do when we aren't hacking you

In my last year as a teenager, I worked as an IT assistant for Mr.

Nov 30, 2024 •

September 2024

Building new hospitals in Vietnam

Two years ago, when a close friend of the family (let's call him D) was sick, I took him to tour the hospitals in Saigon.

Sep 20, 2024 •

August 2024

Wormable Substack XSS

We found a stored Cross-Site Scripting (XSS) vulnerability in Substack.

Aug 12, 2024 •

July 2024

Type confusion attacks in ProseMirror editors

Jul 16, 2024 •

May 2024

Dissecting LockBit v3 ransomware

We analyzed a variant of LockBit v3 ransomware, and rediscovered a bug that allows us to decrypt some data without paying the ransom. We also found a…

May 2, 2024 •

,

, and

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts