Marco Squarcina

First wave of our team (me included) is on the way to @defcon.bsky.social #CTF. Huge thx to the companies and unis backing us, we're extremely grateful.

Special shoutout to @tuwien.at for the early support, as well as everyone who joined after.

We'll give our best, wish us luck!

See you Vegas 🌴🚩

Things were a bit different with Android this time, likely due to a functionality vs security trade-off that made it harder to address the issue in AOSP. Going forward, we'll continue reporting to Google but jointly disclose to GrapheneOS for any future Android-related issues.

Completely agree. For context on our disclosure policy: we usually report issues to upstream first so that other vendors or projects can automatically benefit from the fix. This process has worked well so far with browser vendors. The Chrome team in particular has always been extremely responsive.

By scanning the QR code you win a free color blindness test

I'm part of the team that discovered the #TapTrap vulnerability. We confirmed that @grapheneos.org has properly fixed it, as detailed on our site taptrap.click

Despite a small factual error, it's good to see #GrapheneOS getting some media attention.

foxnews.com/tech/new-and...

> GrapheneOS, a security-focused operating system based on Android, confirmed that its current version is also affected. However, it plans to release a fix in its next update.

No, we said that on July 7 and then shipped grapheneos.org/releases#202... fixing it.

Team Austria, 1st qualifier event.

ECSC 2025 prep has begun! First Team Austria qualifier wrapped up with 30 participants focusing on #ENOWARS and #DUCTF. Great vibes. Thanks to Ikarus Security for hosting us and everyone who joined! #ECSC2025 @tuwien.at @informatics.tuwien.ac.at @cysecwien.bsky.social

And shoutout to my girlfriend for lending a hand - literally - for the photo! 💅

Our #TapTrap attack got covered in @tuwien.at's news!

This was such a fun project. Congrats to @beerphilipp.bsky.social on his second first-author paper at a top-tier conference ❤️

We'll present the paper at #USENIX in Seattle on August 14 . Looking forward to catching up with some of you there!

Congrats to my co-lecturers @mautem.bsky.social, @matteomaffei.bsky.social, @wert310.bsky.social, Pedro Bernardo, @beerphilipp.bsky.social, Simon Jeanteur and our amazing tutors: this wouldn't be possible without you.

And thanks to all students for the great feedback and participation 🙏

Das sind die Best Teaching Award-Finalist_innen 2025 Die Jury hat entschieden, für wen die Eulenjagd weitergeht.

For the second year in a row, @tuwien.at students have nominated our Introduction to Security course among the finalists for the Best Teaching Award!

Balancing research, teaching & outreach isn't easy, but we give it our all.

🔗 www.tuwien.at/tu-wien/aktu...

CC @informatics.tuwien.ac.at

ublock origin lite works quite well on Chrome (but please people keep using Firefox)

This effort is the result of a collab w Sebastian Roth, @lindorfer.in and @beerphilipp.bsky.social who discovered the issue & did the heavy lifting. Thanks to @wwtf.at for making this research possible and supporting us ♥️

See you at #USENIX in Seattle next month!

@tuwien.at @cysecwien.bsky.social

It works on Android 15 & 16, while @grapheneos.org issued a fix. Major browsers such as Chrome and Firefox promptly patched after we disclosed the vulnerability. We analyzed ~100K Play Store apps finding that TapTrap is not currently being exploited in the wild.

Unlike classic tapjacking, TapTrap uses Android's built-in activity transition animations to launch a transparent activity on top of the attacker's app. The user thinks they're tapping a harmless button, but the tap goes to a permission/system prompt, a browser, or a sensitive app without notice.

Our new Android attack, #TapTrap, is getting media coverage — so here's a quick explainer.

It's a new tapjacking technique that exploits Android's UI animations to hijack user taps without requiring any permissions. @beerphilipp.bsky.social will present it at #USENIX Sec'25.

🌐 taptrap.click

It has been an honor to organize the bootcamp for 3 years in a row, and I am proud that it's getting better every time. Thanks to CSA, @cysecwien.bsky.social, ENISA, Joe Pichlmayer, Manuel Reinsperger and the entire team for making this possible.

See you all next year ♥️ #CYBER #ECSC2025

Help us choose our mascot! 🐾

Nautilus Institute is asking us to send them a animal mascot for the DEFCON CTF, and we need your help to pick the cutest contender!
Dive into the threat to meet the 8 adorable candidates.

#KuKHofhackerei #defcon33 #ctf #Mascot

KuK Hofhackerei - DEF CON 33 Sponsorship (Front)

KuK Hofhackerei - DEF CON 33 Sponsorship (Description)

KuK Hofhackerei - DEF CON 33 Sponsorship (Packages)

My team @kukhofhackerei.bsky.social is heading to the DEF CON CTF finals this August in Las Vegas 🔥

We're now looking for sponsors to help cover the trip. If you're interested in supporting us, please get in touch or share this around.

Call for sponsors at hofhackerei.at 🇦🇹

Thank you!

#CTF #DC33

After many years of battles with @mhackeroni.bsky.social, I'm blown away to announce that we've qualified for the #DEFCON CTF finals with KuK Hofhackerei 🇦🇹 this year!

New friends, same love. Couldn't be prouder of this team.

Thanks to nautilus.institute for organizing and see you in Vegas! 🚩

The 2nd wave of challenges for the Austria Cyber Security Challenge #ACSC will be live in 1h! You have 1 month left to compete and prove your skills!

I contributed a hard web challenge this time, let's see who can solve it 👀

Ready? 👉 acsc.land

@informatics.tuwien.ac.at @cysecwien.bsky.social

Best paper award ceremony at MADWeb 2025

And the best paper award sponsored by @paloaltonetworks.bsky.social goes to...

📜 Can Public IP Blocklists Explain Internet Radiation?

by D. Ravalico, S. Cossaro, R. Valentim, M. Trevisan, and I. Drago!

Congratulations 👏

#MADWeb #NDSSsymposium2025

Can't wait for Friday? Get a sneak peek at #MADWeb '25 papers now! 📄✨ All papers are live on our website: madweb.work

Safe travels, and see you in San Diego! ✈️
#NDSSsymposium2025

We're thrilled to announce Nick Nikiforakis (Stony Brook University) as our first keynote speaker of #MADWeb '25!

🎤 Building on Top of Shifting Sands: Web Security Through the Lens of Content Integrity

Don't miss it!

See the full program at madweb.work

Our 2nd Keynote is here! 🚨

We're excited to have Frederik Braun @freddyb.bsky.social (Mozilla) at #MADWeb '25!

🎤 With Carrots & Sticks: Can the Browser Handle Web Security?

Join us in San Diego to attend this session!

Full program: madweb.work#program

The #MADWeb '25 program is live!

We've got 9 full papers, 3 work-in-progress papers, and 2 exciting keynotes lined up. Huge thanks to all the authors and the program committee!

Check out the details and get ready for a great event! 🔥

🔗 madweb.work#program

See you in San Diego! #NDSS #websecurity

Top ten web hacking techniques of 2024: nominations open Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an

Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...

🚨 Deadline Extended 🚨

By popular demand, the #MADWeb submission deadline is now January 14, 2025 (AoE)! 🗓️

You still have 1 week to send your papers and join us in San Diego!

📜 Submit here: madweb25.hotcrp.com
🔗 Details: madweb.work

Spread the word!

#websec #cfp #ndss

Please consider submitting your work and help us spread the word! #MADWeb

Help us make this year's edition of #MADWeb the best one yet!

📅 Deadline: January 9, 2025 (AoE)
📜 Submit here: madweb25.hotcrp.com
🔗 Website: madweb.work

#CfP #websec #websecurity