Remote Prompt Injection in GitLab Duo Leads to Source Code Theft
https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo [www.legitsecurity.com]
2025-05-24 23:48
tags:
ai
development
exploit
security
turtles
web
A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses. GitLab patched the issue, and we’ll walk you through the full attack chain — which demonstrates five vulnerabilities from the 2025 OWASP Top 10 for LLMs.
source: L
Minimal CSS-only blurry image placeholders
https://leanrada.com/notes/css-only-lqip/ [leanrada.com]
2025-05-16 20:19
tags:
graphics
html
turtles
web
Granted, it’s a very blurry placeholder especially in contrast to other leading solutions. But the point is that it’s minimal and non-invasive! No need for wrapper elements or attributes with long strings of data, or JavaScript at all.
What have we done?
source: trivium
Build your own ResponseWriter: safer HTTP in Go
https://anto.pt/articles/go-http-responsewriter [anto.pt]
2025-05-09 19:14
tags:
go
programming
web
Go’s http.ResponseWriter writes directly to the socket, which can lead to subtle bugs like forgetting to set a status code or accidentally modifying headers too late.
source: L
A Strange Phrase Keeps Turning Up in Scientific Papers, But Why?
https://www.sciencealert.com/a-strange-phrase-keeps-turning-up-in-scientific-papers-but-why [www.sciencealert.com]
2025-05-02 08:42
tags:
ai
factcheck
science
web
Earlier this year, scientists discovered a peculiar term appearing in published papers: “vegetative electron microscopy”. This phrase, which sounds technical but is actually nonsense, has become a “digital fossil” – an error preserved and reinforced in artificial intelligence (AI) systems that is nearly impossible to remove from our knowledge repositories.
source: HN
Apache ECharts
https://echarts.apache.org/en/index.html [echarts.apache.org]
2025-04-09 06:38
tags:
graphics
javascript
library
visualization
web
Apache ECharts provides more than 20 chart types available out of the box, along with a dozen components, and each of them can be arbitrarily combined to use.
source: HN
CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers
https://mastersplinter.work/research/passkey/ [mastersplinter.work]
2025-03-20 05:23
tags:
auth
browser
exploit
security
web
An attacker within bluetooth range is able to trigger navigation to a FIDO:/ URI from an attacker controlled page on a mobile browser, allowing them to initiate a legitimate PassKeys authentication intent which will be received on the attacker’s device. This results in the attacker being able to “phish” PassKeys credentials, completely breaking this assumption that PassKeys are impossible to phish.
source: HN
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/ [github.blog]
2025-03-15 19:37
tags:
auth
format
security
turtles
web
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we’ll shed light on how these vulnerabilities that rely on a parser differential were uncovered.
As shown once again: relying on two different parsers in a security context can be tricky and error-prone.
source: HN
The Art of Dithering and Retro Shading for the Web
https://blog.maximeheckel.com/posts/the-art-of-dithering-and-retro-shading-web/ [blog.maximeheckel.com]
2025-02-03 19:47
tags:
gl
graphics
interactive
programming
visualization
web
I spent the past few months building my personal website from the ground up, finally taking the time to incorporate some 3D work to showcase my shader and WebGL skills. Throughout this work, I got to truly understand the crucial role that post-processing plays in making a scene actually look good, which brought some resolutions to long-term frustrations I had with my past React Three Fiber and shader projects where my vision wouldn’t materialize regardless of the amount of work and care I was putting into them.
Taking the time to build, combine, and experiment with custom post-processing effects gave me an additional creative outlet, and among the many types I got to iterate on, I always had a particular affection for the several “retro” effects I came up with. With subtle details such as dithering, color quantization, or pixelization/CRT RGB cells, they bring a pleasant contrast between the modern web landscape and a long-gone era of technology we 90s/early 2000s kids are sometime longing for.
source: HN
JavaScript Temporal is coming
https://developer.mozilla.org/en-US/blog/javascript-temporal-is-coming/ [developer.mozilla.org]
2025-01-30 20:14
tags:
browser
javascript
library
programming
update
web
Implementations of the new JavaScript Temporal object are starting to be shipped in experimental releases of browsers. This is big news for web developers because working with dates and times in JavaScript will be hugely simplified and modernized.
source: HN
Justified Text: Better Than Expected?
https://cloudfour.com/thinks/justified-text-better-than-expected/ [cloudfour.com]
2025-01-15 21:06
tags:
design
html
web
I was pleasantly surprised by the results in Chromium browsers at medium and large container widths. Hyphenation seems conservative and readable, yet there are no unsightly gaps or “rivers” between words. Safari and Firefox hyphenate a bit more frequently, but not distractingly so.
source: L
California’s “Protecting Our Kids from Social Media Addiction Act” Is Partially Unconstitutional… But Other Parts Are Green-Lighted – NetChoice v. Bonta
https://blog.ericgoldman.org/archives/2025/01/californias-protecting-our-kids-from-social-media-addiction-act-is-partially-unconstitutional-but-other-parts-are-green-lighted-netchoice-v-bonta.htm [blog.ericgoldman.org]
2025-01-07 08:24
tags:
policy
social
web
California SB 976, “Protecting Our Kids from Social Media Addiction Act,” is one of the multitudinous laws that pretextually claim to protect kids online. Like many such laws nowadays, it’s a gish-gallop compendium of online censorship ideas: Age authentication! Parental consent! Overrides of publishers’ editorial decisions! Mandatory transparency!
NetChoice made a variation of my argument, saying that age authentication always acts as a speed bump for readers accessing desired content. The court says that’s not so. The court notes that “many companies now collect extensive data about users’ activity throughout the internet that allow them to develop comprehensive profiles of each user for targeted advertising” and, mining that data, age authentication could “run in the background” without requiring any affirmative steps from readers to complete the authentication.
A Tour of WebAuthn
https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html [www.imperialviolet.org]
2025-01-03 08:29
tags:
auth
opsec
programming
security
web
My approach to running a link blog
https://simonwillison.net/2024/Dec/22/link-blog/ [simonwillison.net]
2025-01-03 07:48
tags:
links
social
web
I started running a basic link blog on this domain back in November 2003—publishing links (which I called “blogmarks”) with a title, URL, short snippet of commentary and a “via” link where appropriate. So far I’ve published 7,607 link blog posts and counting.
In April of this year I finally upgraded my link blog to support Markdown, allowing me to expand my link blog into something with a lot more room. The way I use my link blog has evolved substantially in the eight months since then. I’m going to describe the informal set of guidelines I’ve set myself for how I link blog, in the hope that it might encourage other people to give this a try themselves.
City In A Bottle – A 256 Byte Raycasting System
https://frankforce.com/city-in-a-bottle-a-256-byte-raycasting-system/ [frankforce.com]
2024-05-21 06:49
tags:
graphics
javascript
programming
web
A tiny raycasting engine and city generator that fits in a standalone 256 byte html file. In this post I will share all the secrets about how this magical program works.
source: HN
Development notes from xkcd's "Machine"
https://chromakode.com/post/xkcd-machine/ [chromakode.com]
2024-05-09 08:11
tags:
browser
development
gaming
programming
social
web
It’s a game we’d been dreaming of for years: a giant rube goldberg machine builder in the style of the classic Incredible Machine games, made of a patchwork of machines created by individual xkcd readers. For more details, check out Explain xkcd’s wonderful writeup.
source: HN
HTTP/2 CONTINUATION Flood: Technical Details
https://nowotarski.info/http2-continuation-flood-technical-details/ [nowotarski.info]
2024-04-04 23:35
tags:
networking
security
standard
web
Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.
source: HN
Supercharge compression efficiency with shared dictionaries
https://developer.chrome.com/blog/shared-dictionary-compression [developer.chrome.com]
2024-03-06 18:50
tags:
browser
compression
development
web
Shared dictionaries can supplement Brotli and ZStandard compression to deliver substantially higher compression ratios for websites that frequently ship updated code, and can—in some cases—deliver 90% or better compression ratios. This post goes into more detail on how shared dictionaries work, and how you can register for the origin trials to use them for Brotli and ZStandard on your website.
source: HN
Bugs I’ve filed on browsers
https://nolanlawson.com/2024/03/03/bugs-ive-filed-on-browsers/ [nolanlawson.com]
2024-03-04 05:28
tags:
browser
bugfix
development
web
As such, I’ve filed a lot of bugs on browsers over the years. For whatever reason – stubbornness, frustration, some highfalutin sense of serving the web at large – I’ve made a habit of nagging browser vendors about whatever roadblock I’m hitting that day. And they often fix it! So I thought it might be interesting to do an analysis of the bugs I’ve filed on the major browser engines – Chromium, Firefox, and WebKit – over my roughly 10-year web development career.
source: HN
Bluesky Exploits
https://github.com/qwell/bsky-exploits [github.com]
2023-09-13 20:32
tags:
exploit
security
social
ux
web
web
I have discovered a number of security vulnerabilities in Bluesky and atproto. Each time I’ve found something new, I’ve chosen to report it to Bluesky at security@bsky.app, as requested at https://bsky.app/.well-known/security.txt, and provide them with details. Bluesky has responded to only one of these reports, one time, 4 days after submission, saying “We appreciate the report, and we’ll be taking a closer look at the issue.”. They did not follow up on that report and they have not responded to any of my other reports.
Smashing the state machine: the true potential of web race conditions
https://portswigger.net/research/smashing-the-state-machine [portswigger.net]
2023-08-10 16:24
tags:
concurrency
exploit
networking
security
web
HTTP request processing isn’t atomic - any endpoint might be sending an application through invisible sub-states. This means that with race conditions, everything is multi-step. The single-packet attack solves network jitter, making it as though every attack is on a local system. This exposes vulnerabilities that were previously near-impossible to detect or exploit.
source: L