Research Blog

Published blog posts from the team

Blog Posts


Hacking with Environment Variables

A look into how scripting language interpreters can execute arbitrary commands when supplied with malicious environment variables.


Are you winning if you're pinning?

This blog post takes a brief look at TLS and certificate pinning and at the problem of trust in Certificate Authorities that pinning attempts to address, then discusses whether the lack of certificate pinning in a mobile application constitutes a vulnerability.


Ruby 2.x Universal RCE Deserialization Gadget Chain

This blog post details exploitation of arbitrary deserialization for the Ruby programming language and releases the first public universal gadget chain to achieve arbitrary command execution for Ruby 2.x.


Fuze Multi-Card Technology Security Review

Reviewing the security of the Fuze card device revealed no trust boundary between the card and the connecting device, which allowed complete access to the Fuze card's settings and stored credit-card information.