I am a Staff Information Security Engineer at Google Zürich 🇨🇭. I currently lead the Agent & Web Observability area in the Information Security team, building infrastructure to maintain an inventory of AI agents across Alphabet and making the security properties of terabytes of daily web traffic queryable. This enables large-scale, data-driven security remediations and supports the deployment of modern web security features.
I co-authored 'strict-dynamic' in the CSP3 W3 specification, which now protects more than a third of the Internet's HTML traffic against Cross-Site Scripting (XSS). Internally, I built Security Signals, a comprehensive system providing security measurability across thousands of Google's web services handling traffic from billions of users, and I'm currently defining a common methodology for holistic product security measurability.
My other notable work includes Rosetta Flash, a Pwnie Awards-nominated exploitation technique that abused the Flash SWF format to bypass the Same Origin Policy, and BitIodine, the first open-source Bitcoin blockchain analysis framework, cited by hundreds of academic publications (~500 as of 2026). I also bring extensive technical experience in blockchains, serving as an expert witness in legal cases and advising fintech companies.
Born in Italy 🇮🇹, I studied computer engineering at Politecnico di Milano 🇮🇹 and UIC 🇺🇸. You can read more about my research and thoughts on my blog.
Deep expertise in modern web security primitives. Co-author of CSP3 'strict-dynamic',
protecting more than a third of the Internet's HTML traffic against XSS. Deep understanding of browser
internals and exploitation.
Designed, built and operated web observability infrastructure handling terabytes of traffic daily for services spanning billions of global users.
Led the deployment of web security features (CSP, Trusted Types, Fetch Metadata, COOP/COEP, etc.) across thousands of Google services, protecting billions of users.
Authored the technical strategy for building a metadata-rich inventory of the rapidly expanding ecosystem of AI Agents across Alphabet's infrastructure.
Proven track record of high-impact research, including the Pwnie-nominated Rosetta Flash exploit and numerous CVEs across major software products (Adobe, libFLAC, PCRE).
Expert in blockchain analysis and security. Author of BitIodine, the first open-source Bitcoin blockchain analysis framework, cited by hundreds of academic publications. Expert witness in legal cases and advisor to fintech companies.
opera.com.
google.com main domain (writeup). Featured on
Google Security Hall of Fame.
Draft on Google Research -
The area of security measurability is gaining increased attention, with a wide range of organizations calling for the development of scalable approaches for assessing the security of software systems and infrastructure. In this paper, we present our experience developing Security Signals, a comprehensive system providing security measurability for web services, deployed in a complex application ecosystem of thousands of web services handling traffic from billions of users. The system collects security-relevant information from production HTTP traffic at the reverse proxy layer, enabling large-scale security improvements to our services, prioritized rollouts of security enhancements, and an automated regression monitoring system for web security.
Presented at the 23rd ACM Conference on Computer and Communications Security in Vienna -
Content Security Policy is a web platform mechanism designed to mitigate cross-site scripting (XSS), the top security vulnerability in modern applications. In this paper, we take a closer look at the practical benefits of adopting CSP and identify significant flaws in real-world deployments that result in bypasses in 94.72% of all distinct policies.
We base our Internet-wide analysis on a search engine corpus of approximately 100 billion pages, finding that 14 out of the 15 domains most commonly whitelisted for loading scripts contain unsafe endpoints. As a consequence, 75.81% of distinct policies use script whitelists that allow attackers to bypass CSP.
Finally, we propose the 'strict-dynamic' keyword, an addition to the specification that facilitates the creation of policies based on cryptographic nonces, without relying on unsafe domain whitelists.
First presented at Hack In The Box: Kuala Lumpur -
In this paper we present Rosetta Flash (CVE-2014-4671, CVE-2014-5333), an exploitation technique that involves crafting charset-restricted Flash SWF files in order to abuse JSONP endpoints and allow Cross-Site Request Forgery (CSRF) attacks against domains hosting JSONP endpoints, bypassing Same Origin Policy.
With this attack it is possible to make a victim perform arbitrary requests to the domain with the JSONP endpoint and exfiltrate potentially sensitive data to an attacker-controlled site. Rosetta Flash was nominated for a Pwnie Award and won an Internet Bug Bounty by HackerOne.
Master thesis work - University of Illinois at Chicago - Politecnico di Milano
Bitcoin allows users to benefit from pseudonymity, by generating an arbitrary number of aliases (or addresses) to move funds. However, the complete history of all transactions ever performed in the network is public.
In this thesis we present a modular framework, BitIodine, which parses the blockchain, clusters addresses that are likely to belong to a same user or group of users, classifies such users and labels them, and visualizes complex information extracted from the network.
We tested BitIodine on several real-world use cases, finding early links between the founder of the Silk Road and cold wallets exceeding 111,114 BTC. In another example, we investigated the CryptoLocker ransomware, accurately quantifying the number of ransoms paid and extracting information about the victims.
Based on Using Parse Tree Validation to Prevent SQL Injection Attacks by Gregory T. Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti
An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement, results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input.
I wrote a simple Bison grammar for a subset of SQL and a lexer in Flex, then a PHP frontend that presents the user differences between parse trees of two queries: a reference query and a query to test.
Pwnie Award Nomination for Rosetta Flash — Best Client-Side Bug category.
Internet Bug Bounty by HackerOne for Rosetta Flash (CVE-2014-4671).
Google Security Hall of Fame — Multiple features for vulnerabilities in Gmail, Google Sites, and google.com.
Opera Security Blog — Featured for discovering a Local File Inclusion vulnerability.
Youngest OSCP holder — Obtained the Offensive Security Certified Professional certification at age 17.
If you want to send me unencrypted email, you can contact me at miki@miki.it. If you prefer GPG-encrypted email, please use my GPG key. If you want to send me an encrypted file, please use age with my ed25519 SSH key.