Cloudflare is free of CAPTCHAs; Turnstile is free for everyone
Published on the Cloudflare blog. For years, we’ve written that CAPTCHAs drive us crazy. Humans give up on CAPTCHA puzzles approximately 15% of the time and, maddeningly, CAPTCHAs are significantly easier for bots to solve than they are for humans. We’ve spent the past three and a half years working to build a better experience for humans that’s just as effective at stopping bots. As of this month, we’ve finished replacing every CAPTCHA issued by Cloudflare with Turnstile, our new CAPTCHA replacement. Cloudflare will never issue another visual puzzle to anyone, for any reason. ...
Announcing Turnstile, a user-friendly, privacy-preserving alternative to CAPTCHA
Published on the Cloudflare blog. Today, we’re announcing the open beta of Turnstile, an invisible alternative to CAPTCHA. Anyone, anywhere on the Internet, who wants to replace CAPTCHA on their site will be able to call a simple API, without having to be a Cloudflare customer or sending traffic through the Cloudflare global network.
Eliminating CAPTCHAs on iPhones and Macs using new standard
Published on the Cloudflare blog. Today we’re announcing Private Access Tokens, a completely invisible, private way to validate that real users are visiting your site. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data. This will eliminate nearly 100% of CAPTCHAs served to these users.
CVE-2020-26886: Local Privilege Escalation using softaculous/bin/soft
This article describes CVE-2020-26886, a local privilege escalation affecting Softaculous < 5.5.7, along with generic tips when facing spooky setuid PHP interpreters. This software is widely deployed with most panels (e.g. cPanel, Plesk, DirectAdmin). ...
suPHP - The vulnerable ghost in your shell
In this article we will showcase how we used a long forgotten binary to gain root access on the machine, as part of a bug bounty program. No kitties were harmed in the making of this article. ...
Enabling LSFileQuarantineEnabled on cli binaries
Last week, I looked at various security features offered by macOS, how they are enabled, and especially whether they can be enabled on binary files without creating .app bundles. Introduced in OS X 10.5, the quarantine is enabled with an extended flag attribute (xattr) added to downloaded files, assuming the application respects this convention. The flag used by macOS is com.apple.quarantine, and Gatekeeper relies on it to only verify files from untrusted origins. Yup, you read right - files coming from untrusted sources will bypass Gatekeeper if they don’t have this flag set. ...
Protecting Project Galileo websites from HTTP attacks
Published on the Cloudflare blog. Yesterday, we celebrated the fifth anniversary of Project Galileo. More than 550 websites are part of this program, and they have something in common: each and every one of them has been subject to attacks in the last month.
Information leak in Minecraft 1.8
Minecraft is a survival game published by Mojang, owned by Microsoft. When you start playing, you don’t have anything and you must break blocks ("mine"), build structures and craft objects to progress. While Minecraft is commonly called a “sandboxing game”, this vulnerability demonstrates that its security model wasn’t quite as contained. ...
USB Port Security: Where to Begin?
USB devices have become ubiquitous in our digital infrastructure. From charging our devices to connecting peripherals, the Universal Serial Bus protocol has achieved what its name suggests - becoming truly universal. This ubiquity, combined with the protocol’s inherent trust model, creates a significant attack surface that modern enterprises must address. The challenge lies in balancing security with usability: while USB ports represent a clear security risk, they remain essential for daily operations. ...