Summary

Below is a collection of the more interesting security investigations and issues I have worked on or discovered over the years (those that have been made public) that did not grow into projects of their own (like onionscan or evoting).

Obsidian - Malicious Websites can access internal Obsidian URIs - December 2022

This flaw allowed any website dropped into an Obsidian Canvas to add, delete or modify any file in the loaded vault. Creation of files is limited to .md files, but editing includes .canvas files. Because the open and new URIs auto-open files in Obsidian, a single malicious website can effectively chain-spawn multiple malicious URI processes.

  • Disclosure / PoC

Thunderbird Decryption Oracle - August/September 2022

I recently disclosed several security and privacy vulnerabilities in Thunderbird. At worst these vulnerabilities can be exploited by an adversary with access to a collection of intercepted encrypted messages to trick Thunderbird into decrypting any given message and sending the resulting plaintext back to the adversary. This attack worked with Thunderbird's default configuration, i.e. even when loading of remote resources is disabled.

  • CVE-2022-3033 - Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
  • CVE-2022-3032 - Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
  • CVE-2022-45412 - Quoting from an HTML email with certain tags will trigger network requests and load remote content, regardless of a configuration to block remote content
  • PoC Writeup

Flaws in Smart Toys Marketed to Children - December 2017

In 2017 I was contracted to conduct research into the security and privacy of connected toys for children.

  • A Cute Toy Just Brought a Hacker Into Your Home - New York Times
  • Assessment of the Privacy and Security of Smart Toys Marketed to Children (Redacted Version - Mirror)

Github - Profile Email Address not Validated - November 2015

  • Github Bug Bounty Page: Profile email address not validated