This is why we can't have nice things...

Another great write-up from the elttam team. As always, it’s well explained, with enough details to understand both the issue and the process they followed to get there. I also like this one because it shows how something that looks “only” like user-controlled configuration can become a much bigger issue once it reaches Kubernetes and privileged execution paths. Jupyter Enterprise Gateway.

How much time do models need to create exploits for N-day vulnerabilities? A really interesting comparison of Anthropic models’ efficiency at building exploits for known vulnerabilities. Another signal, if you needed one, that your time-to-patch needs to shrink dramatically. Measuring LLMs’ impact on N-day exploits.

Some great content that reads like a course in application security: what was happening, why it was wrong, how to fix it, and the impact of the fix. I especially like the part where the sanitizer is called, but the sanitized output is not actually used. It’s such a good example of why code review is not about spotting the function name you want to see. You need to follow the data and check that the thing being validated or sanitized is the thing that gets stored or rendered. Bypassing a 3 layer SVG sanitizer: Stored XSS in Mozilla.

How much time and effort should you invest in a bug bounty target? This post gives a pretty good answer. It’s not just “use AI and bugs fall out”. It’s more about building a process around a hard target, mapping a huge attack surface, collecting the right inputs, and using AI to help scale parts of the work. A great write-up if you’re interested in how people find vulnerabilities in targets where the easy bugs disappeared a long time ago. Hacking Google with A.I. for $500,000.

Well, well, well, if it isn’t the consequences of your actions... After marketing Mythos as powerful enough to need special access and safeguards, Anthropic has now been asked to suspend access to Fable and Mythos for foreign nationals, including foreign-national Anthropic employees. They complied by blocking access to all customers. Any geopolitical AI expert probably had a busy weekend. Statement on the US government directive to suspend access to Fable 5 and Mythos 5.