Put.io API design issues - "I can haz your files"

Put.io, a popular torrent cloud storage service, has a very convenient API. Unfortunately, it allowed everybody to see your files and download history, and perform actions on your behalf.

Android Bitcoin wallets and PRNGs: a snapshot

A snapshot of the most common Android Bitcoin wallets' take on seeding PRNGs, and what went wrong with the Blockchain.info wallet.

The power of DNS rebinding: stealing WiFi passwords with a website

DNS rebinding is powerful: how to steal WiFi passwords by just tricking a victim into visiting a website, thanks to that fancy Bang & Olufsen speaker.

It’s just a game: a handful of scenarios in the Bitcoin world

A bird's-eye view on Bitcoin: likely future scenarios and a bit of game theory.

Adobe fixed Rosetta Flash today

Adobe pushed a complete fix for Rosetta Flash today.

Abusing JSONP with Rosetta Flash

Presenting Rosetta Flash, a tool for converting any SWF file into one composed only of alphanumeric characters, in order to abuse JSONP endpoints and perform CSRF while bypassing the Same-Origin Policy (SOP).

Heartbleed walks into a bar...

Heartbleed walks into a bar...

XSS in Zagat, exploiting an XOR-based obfuscation algorithm

Here I present an XSS vulnerability I discovered in Zagat, part of Google, by exploiting an XOR-based obfuscation algorithm.

Mailbox.app Javascript execution

Mailbox.app executes JavaScript found in email bodies. Here is a demonstration of just one thing that can be done with it on iOS.

My experience with Google interviews and why it is different from Facebook

Here I write about my experience with Google interviews and why, in my opinion, it is very different from Facebook.