My name is Michele Spagnuolo, I am a Senior Information Security Engineer at Google. Zürich, Switzerland.
I was born in Novara, Italy, on November 24, 1989. Computer Engineer (Politecnico di Milano & UIC).
Knack for Web Security. Co-authored the CSP 3 W3C standard. Wrote Rosetta Flash and BitIodine.
Interested in cryptocurrencies, blockchain technology and fintech.
June 2018 - Presented Defense-in-depth techniques for modern web applications at CONFidence in Krakow.
May 2018 - Presented Defense-in-depth techniques for modern web applications at Hack In The Box: Amsterdam in Amsterdam and at the ScaleUp Porto Masterclass in Porto.
November 2017 - Guest on Gynvael's Hacking Livestream #40: Cryptocurrency and blockchain.
November 2017 - Talked at TEDx Lake Como on the potential of blockchain technology 🇮🇹 in Como, Italy.
May 2017 - Presented So we broke all CSPs... You won't guess what happened next! at OWASP AppSec EU in Belfast, Northern Ireland.
April 2017 - Presented So we broke all CSPs... You won't guess what happened next! at Hack In The Box: Amsterdam in Amsterdam and at OWASP AppSec NZ in Auckland, New Zealand.
January 2017 - Presented Extracting knowledge from cryptocurrencies at Global Conference on Money Laundering and Digital Currencies in Doha, Qatar.
November 2016 - Presented Adopting Strict Content Security Policy for XSS Protection at IEEE SecDev in Boston, MA.
October 2016 - Presented CSP is Dead, Long Live CSP: On the Insecurity of Whitelists and the Future of the Content Security Policy at the 23rd ACM Conference on Computer and Communications Security in Vienna.
June 2016 - Presented Making CSP great again! at OWASP AppSec EU in Rome. Also presented at Area41 in Zürich and at VOXXED Days in Lugano.
May 2016 - Presented CSP Oddities at Hack In The Box in Amsterdam.
May 2015 - Presented Rosetta Flash at OWASP AppSec EU in Amsterdam.
January 2015 - Presented Rosetta Flash at Tetcon in Saigon, Vietnam.
October 2014 - Presented Rosetta Flash at Hack In The Box: Malaysia in Kuala Lumpur, Malaysia.
July 2014 - Released details of Rosetta Flash, an exploit for manipulating SWF files in order to abuse JSONP endpoints on most high-profile websites (writeup: abusing JSONP with Rosetta Flash, slides). Won an Internet Bug Bounty and got nominated for a Pwnie Award.
January 2014 - Featured in Opera Security Blog for finding a Local File Inclusion vulnerability on
January 2014 - Joined Google as an Information Security Engineer (ISE) in Zürich.
December 2013 - Graduated from Politecnico di Milano - Laurea Magistrale in Computer Engineering (110L/110, with honors).
September 2013 - Featured in Shopify Security Hall of Fame.
August 2013 - Won a Google Security Reward for finding a vulnerability (writeup).
July 2013 - Won a Google Security Reward for finding a critical vulnerability on the google.com main domain (writeup). Featured on Google Security Hall of Fame (Reward) and on Mailchimp Security Hall of Fame.
June 2013 - Featured on Nokia Security Hall of Fame.
May 2013 - Graduated from University of Illinois at Chicago - Master of Science in Computer Science (GPA 4.0/4.0).
February 2013 - Featured on eBay Responsible Disclosure Acknowledgements page.
July 2012 - Won a Google Security Reward for finding a Stored XSS vulnerability in GMail (writeup). Featured on Google Security Hall of Fame (Reward).
December 2011 - Admitted to Alta Scuola Politecnica.
November 2011 - Featured on Google Security Hall of Fame (Honorable Mention) for discovering a vulnerability in Google Sites.
July 2011 - Graduated from Politecnico di Milano - Master of Science in Computer Engineering.
2008 - High school diploma (Liceo scientifico PNI) - 100/100+. Awarded a merit-based scholarship and added to the national INDIRE Registry of Excellence.
September 2007 - Became the youngest Offensive Security Certified Professional (OSCP) to date, certificate holder ID: OS-101-02045.

Projects & Businesses
BitIodine (GitHub, paper) - Rust Bitcoin blockchain parser with clustering capabilities, allowing addresses to be grouped into ownership clusters. Please contact me if you are interested in using BitIodine for any real-world use case.
iPhone SMS Export - MacOS application to convert SMS and iMessages to CSV, HTML or PDF.
Trovatel - web application to perform direct and reverse Italian phone number lookups and export the results.
FriendsGraph - with FriendsGraph, you can generate an interactive visualization of the connections between your Facebook friends. They are grouped in clusters, so that you can easily recall times, places and... memories.
CVE-2014-4500, buffer overflow in libicu.
CVE-2014-4671, in Adobe Flash. Writeup: abusing JSONP with Rosetta Flash.
CVE-2014-5333, in Adobe Flash. Writeup: Adobe fixed Rosetta Flash today.
CVE-2014-8962 and CVE-2014-9028, in libFLAC. oCERT advisory #2014-008.
CVE-2014-8964, in PCRE (bug).
CVE-2014-8145, in sox. oCERT advisory #2014-010.
CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141, in unzip. oCERT advisory #2014-011.
CVE-2015-3042, in Adobe Flash. Adobe Security Bulletin.
CVE-2016-4167, in Adobe DNG SDK. Adobe Security Bulletin.
Senior Information Security Engineer at Google (2014 - present)
BitIodine (2013 - present) - Rust Bitcoin blockchain parser with clustering capabilities.
Trovatel 2.0 (2013 - 2017) - Direct and reverse phone number lookups and export.
FriendsGraph (late 2012 - 2014) - FB app to generate interactive visualizations of friends.
iPhoneSMSExport (2009 - 2018) - MacOS application to export and print iPhone messages.
M.Sc. in Engineering of Computing Systems @PoliMi / UIC / ASP (2011 - 2013)
Computer Engineering @PoliMi (2008 - 2011)
OSCP (2007)
Trovatel (2006 - 2008)
Curiosity, perfectionism, openness and passion (24 Nov 1989 - EOM)