My name is Michele Spagnuolo, I am a Senior Information Security Engineer at Google in Zürich, Switzerland.
I was born in Novara, Italy on November 24, 1989. Computer Engineer (Politecnico di Milano & UIC).
Knack for Web Security. Working on CSP. Wrote Rosetta Flash and BitIodine.
Google Security Hall of Fame x4, Twitter, Nokia, eBay, Opera, Tumblr, Mailchimp, Starbucks and Shopify.
May 2017 - Presented So we broke all CSPs... You won't guess what happened next! at OWASP AppSec EU in Belfast, Northern Ireland.
April 2017 - Presented So we broke all CSPs... You won't guess what happened next! at Hack In The Box: Amsterdam and at OWASP AppSec NZ in Auckland, New Zealand.
January 2017 - Presented Extracting knowledge from cryptocurrencies at Global Conference on Money Laundering and Digital Currencies in Doha, Qatar.
November 2016 - Presented Adopting Strict Content Security Policy for XSS Protection at IEEE SecDev in Boston, MA.
October 2016 - Presented CSP is Dead, Long Live CSP: On the Insecurity of Whitelists and the Future of the Content Security Policy at the 23rd ACM Conference on Computer and Communications Security in Vienna.
June 2016 - Presented Making CSP great again! at OWASP AppSec EU in Rome. Also presented at Area41 in Zürich and at VOXXED Days in Lugano.
May 2016 - Presented CSP Oddities at Hack In The Box in Amsterdam.
May 2015 - Presented Rosetta Flash at OWASP AppSec EU in Amsterdam.
January 2015 - Presented Rosetta Flash at Tetcon in Saigon, Vietnam.
October 2014 - Presented Rosetta Flash at Hack In The Box: Malaysia in Kuala Lumpur, Malaysia.
July 2014 - Released details of Rosetta Flash, an exploit for manipulating SWF files in order to abuse JSONP endpoints on most high-profile websites (writeup: abusing JSONP with Rosetta Flash, slides). Won an Internet Bug Bounty and got nominated for a Pwnie Award.
January 2014 - Featured in Opera Security Blog for finding a Local File Inclusion vulnerability on
January 2014 - Joined Google as an Information Security Engineer (ISE) in Zürich.
December 2013 - Graduated from Politecnico di Milano - Laurea Magistrale in Computer Engineering (110L/110, with honors).
September 2013 - Featured in Shopify Security Hall of Fame.
August 2013 - Won a Google Security Reward for finding a vulnerability (writeup).
July 2013 - Won a Google Security Reward for finding a critical vulnerability on the google.com main domain (writeup). Featured on Google Security Hall of Fame (Reward) and on Mailchimp Security Hall of Fame.
June 2013 - Featured on Nokia Security Hall of Fame.
May 2013 - Graduated from University of Illinois at Chicago - Master of Science in Computer Science (GPA 4.0/4.0).
February 2013 - Featured on eBay Responsible Disclosure Acknowledgements page.
July 2012 - Won a Google Security Reward for finding a Stored XSS vulnerability in GMail (writeup). Featured on Google Security Hall of Fame (Reward).
December 2011 - Admitted to Alta Scuola Politecnica.
November 2011 - Featured on Google Security Hall of Fame (Honorable Mention) for discovering a vulnerability in Google Sites.
July 2011 - Graduated from Politecnico di Milano - Master of Science in Computer Engineering.
2008 - High school diploma (Liceo scientifico PNI) - 100/100+. Awarded a merit-based scholarship and added to the national INDIRE Registry of Excellence.
September 2007 - Became the youngest Offensive Security Certified Professional (OSCP) certificate holder to date, certificate holder ID: OS-101-02045.

Projects & Businesses
BitIodine - a framework for extracting knowledge from the Bitcoin network.
iPhone SMS Export - MacOS application to convert SMS and iMessages to CSV, HTML or PDF.
Trovatel - web application to perform direct and reverse Italian phone numbers lookups and export results.
FriendsGraph - with FriendsGraph, you can generate an interactive visualization of the connections between your Facebook friends. They are grouped in clusters, so that you can easily recall times, places and... memories.
... and well, I also sell solar eclipse glasses.
CVE-2014-4500, buffer overflow in libicu.
CVE-2014-4671, in Adobe Flash. Writeup: abusing JSONP with Rosetta Flash.
CVE-2014-5333, in Adobe Flash. Writeup: Adobe fixed Rosetta Flash today.
CVE-2014-8962 and CVE-2014-9028, in libFLAC. oCERT advisory #2014-008.
CVE-2014-8964, in PCRE (bug).
CVE-2014-8145, in sox. oCERT advisory #2014-010.
CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141, in unzip. oCERT advisory #2014-011.
CVE-2015-3042, in Adobe Flash. Adobe Security Bulletin.
CVE-2016-4167, in Adobe DNG SDK. Adobe Security Bulletin.
Information Security Engineer at Google (2014 - present)
BitIodine (2013 - present) - Extracting Intelligence from the Bitcoin network.
Trovatel 2.0 (2013 - present) - Direct and reverse phone numbers lookups and export.
FriendsGraph (late 2012 - 2014) - FB app to generate interactive visualizations of friends.
iPhoneSMSExport (2009 - present) - MacOS application to convert SMS and iMessages to CSV, HTML or PDF.
M.Sc. in Engineering of Computing Systems @PoliMi / UIC / ASP (2011 - 2013)
Computer Engineering @PoliMi (2008 - 2011)
OSCP (2007)
Trovatel (2006 - 2008)
Curiosity, perfectionism, openness and passion (24 Nov 1989 - EOM)