Brendan Dolan-Gavitt
@moyix.net
AI researcher at XBOW. Security, RE, ML. PGP http://keybase.io/moyix/
I had an amazing time at NYU and am particularly grateful to have had the opportunity to meet and advise so many incredible students. But right now is a unique moment in the history of computer science and I believe it’s one that, for me, is best pursued outside of academia.
July 30, 2025 at 12:35 AM
I think this is the coolest of the vulns / exploits it came up with on our climb to #1 on HackerOne, but I am open to the possibility that it will find something even cooler tomorrow :)
July 28, 2025 at 10:15 PM
Such a cool exploit needs commensurately cool bling, so Alvaro (who wrote up the excellent post on this vuln) created this lovely little TUI so you can watch as it exfiltrates files from your server byte by byte
July 28, 2025 at 10:14 PM
So how do you precisely read a byte? Easy: you ask for the pixel histogram of a raw image consisting of byte [i...i+1] of the file. And you get back something like

histogram: [0, 0, 1, 0, 0], [59.8, 59.9, 60.0, 60.1, 60.2]

Telling you that the byte is ASCII 60 ('<')
July 28, 2025 at 10:13 PM
The second trick is also quite lovely. It had found that it could read arbitrary files, but how to return the data? The secret was in a /statistics endpoint that, among other things, could provide a histogram of the pixel values.
July 28, 2025 at 10:12 PM
To decode it, XBOW had to realize that the file contents had been encoded using an encoding that stores pixels as deltas from the previous pixel. So cool!
July 28, 2025 at 10:12 PM
There are not one, but two different super-cool exfil tricks in this post. The first gets the app to exfiltrate the content of an arbitrary URL by encoding its bytes as raw pixels, giving the image we saw earlier.
July 28, 2025 at 10:11 PM
The trick to how it did it is in this post: xbow.com/blog/xbow-ti... Some details below...
XBOW – Another Byte Bites the Dust - How XBOW Turned a Blind SSRF into a File Reading Oracle
A complete arbitrary local file read vulnerability achieved through an ingenious byte-by-byte exfiltration technique.
xbow.com
July 28, 2025 at 10:10 PM
Thanks! Should be fixed
July 25, 2025 at 11:51 AM
Any grad student could tell you that's not true. You can get free lunch by just showing up to the start of the seminar, grabbing a slice of pizza, and getting away while the speaker is trying to get their laptop connected to AV
July 18, 2025 at 7:18 PM
All credit here to Albert Ziegler, who came up with the idea and wrote a beautifully clear post about it :D I think this blog is also the most info we've released about how our agent actually works!
July 17, 2025 at 5:39 PM
Easy:
0: not interesting or true
1: interesting
2: true
3: interesting and true
June 30, 2025 at 10:37 PM
Yeah! Thinking back to even 18 months ago, it's kind of crazy to me that LLM agents actually kinda work?
June 30, 2025 at 7:52 PM