Skip to main content


Bug bounty left over (and rant) Part III (Google and Twitter)

tl;dr in this blog post I am going to talk about some bug bounty left over with a little rant.

Here you can find bug bounty left over part I and II
Here you can find bug bounty rant part I and II
Introduction In one of my previous post I was saying that: 

"The rule #1 of any bug hunter... is to have a good RSS feed list."
Well well well allow me in this post to state rule #2 (IMHO)

"The rule #2 of any bug hunter is to DO NOT be to fussy with 'food' specifically with left over"

aka even if the most experience bug hunter was there (and it definitely was my case here, given the fact we are talking about no one less than filedescriptor) do not assume that all the vulnerabilities have been found! So if you want some examples here we go.
Part I - GoogleI have the privilege to receive from time to time Google Vulnerability Research Grant. One of the last I received had many target options to choose from, but one in particular caught my attention, namely Google Issue T…
Recent posts

Il (triste??) stato della crittografia (applicata) in Italia

Ho appena finito di scrivere a proposito dei miei 3 giorni trascorsi al Real World Crypto 2018 (il blog post per chi legge inglese e' qui) e mi sono accorto che non c'e' traccia di nessuna Universita' (ma anche azienda) italiana. Tutto cio' non puo' che rendermi un po' triste. L'Italia aveva una posizione di rilievo nell'"antica" crittografia. Non ci dimentichiamo dell'ormai super obsoleto (ma storicamente rilevante) Cifrario di Cesare per non parlare di volumi come "La crittografia diplomatica, militare e commerciale ossia l'arte di cifrare e decifrare le corrispondenze segrete" di Luigi conte Gioppi di T├╝rkheim!! L'Italia ha tutt'ora crittografi di primo livello, basti pensare a Silvio Micali co-inventore delle Zero Knowledge Proof e vincitore della massima onoreficienza nel campo dell'informatica cioe' il Turing Award. Ora, scusate il mio sfogo, ma considerando che RWC e' di gran lunga la conferenz…

Real World Crypto 2018 (RWC 2018) brain dump

The 2018 edition of Real World Crypto (RWC) was in Zurich (you can find the conference full program here.). I live in Switzerland so I was extremely happy about it. RWC is basically the best conference I ever attended and it will probably be so for a while. I almost risked to skip it due to flu but I eventually managed to attend :)

Current status: -1 to #realworldcrypto . Me sick in bed :( — Antonio Sanso @ RWC (@asanso) January 9, 2018 This short blog post is my brain dump of the event. If you want to know more you can find all the videos of the presentations in this youtube channel. The event lasted 3 days and every day was great. Event like this allowed me to meet personally many people I have interacted previously in a way or the other  and it turns out that a big percentage of people that do (applied) crypto was indeed attending. FWIW I was even able to shortly  ask to the great Prof Boneh about the now legendary Coursera Crypto II :D
Day I The first day could not start any bette…

How to try to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization. Part II

tl;dr In the previous article of the same series we tried to predict the output of Micali-Schnorr Generator (MS-DRBG) knowing the factorization. In this blog post we continue the effort started in part I showing different strategies.  If you want to skip all my failures and go directly to the (in my humble opinion) most promising approach you can read directly the Solinas Prime and Generalized Mersenne Numbers section below.

If you actually wonder what is MS-DRBG and why I am trying to do it I'd suggest to go back and read the first article.
What I am NOT claiming in this post though is that there is a NSA's backdoor in the ANSI and ISO standards. Introduction and Failure #1 So let's start from were we actually finished the last post. We focused on an easier version of the problem directly extracted from the original Micali Schnorr paper

where the known output is up to 3/4 of the RSA computation and secret state is only 1/4 of the RSA computation.

Assuming we know the fac…

Slack SAML authentication bypass

tl;dr  I found a severe issue in the Slack's SAML implementation that allowed me to bypass the authentication. This has now been solved by Slack.
Introduction IMHO the rule #1 of any bug hunter (note I do not consider myself one of them since I do this really sporadically) is to have a good RSS feed list.  In the course of the last years I built a pretty decent one and I try to follow other security experts trying to "steal" some useful tricks. There are many experts in different fields of the security panorama and too many to quote them here (maybe another post). But one of the leading expert (that I follow) on SAML is by far Ioannis Kakavas. Indeed he was able in the last years to find serious vulnerability in the SAML implementation of Microsoft and Github. Usually I am more an "OAuth guy" but since both, SAML and OAuth, are nothing else that grandchildren of Kerberos learning SAML has been in my todo list for long time. The Github incident gave me the final…