Mitja Kolsek
@mkolsek.bsky.social
CEO of ACROS Security; Co-founder of 0patch (https://0patch.com)
Wishing billionaires would stop buying social platforms and making us rebuild synapses elsewhere
https://acrossecurity.com
Wishing billionaires would stop buying social platforms and making us rebuild synapses elsewhere
https://acrossecurity.com
Reposted by Mitja Kolsek
Zimperium has discovered more than 760 Android apps that steal and relay NFC data to a remote attacker
zimperium.com/blog/tap-and...
zimperium.com/blog/tap-and...
Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices
NFC relay malware on Android devices is exploiting Tap-to-Pay systems, targeting financial institutions globally with sophisticated attacks and minimal user interaction.
zimperium.com
October 30, 2025 at 3:29 PM
Zimperium has discovered more than 760 Android apps that steal and relay NFC data to a remote attacker
zimperium.com/blog/tap-and...
zimperium.com/blog/tap-and...
Reposted by Mitja Kolsek
Aardvark is a labor of love and mission for the whole team. We are super excited to bring it to you. Sign up for the beta immediately!!! openai.com/index/introd...
Introducing Aardvark: OpenAI’s agentic security researcher
Now in private beta: an AI agent that thinks like a security researcher and scales to meet the demands of modern software.
openai.com
October 30, 2025 at 6:15 PM
Aardvark is a labor of love and mission for the whole team. We are super excited to bring it to you. Sign up for the beta immediately!!! openai.com/index/introd...
Reposted by Mitja Kolsek
The latest WindowsUpdate disables Windows Explorer previews for files that were downloaded from the Internet or are on Internet Zone network shares.
gist.github.com/ericlaw1979/...
gist.github.com/ericlaw1979/...
October 17, 2025 at 4:36 PM
The latest WindowsUpdate disables Windows Explorer previews for files that were downloaded from the Internet or are on Internet Zone network shares.
gist.github.com/ericlaw1979/...
gist.github.com/ericlaw1979/...
Reposted by Mitja Kolsek
Need a summary of all the ways the White House has gutted science?
🧪Or are you scientist who needs to hear your work valorized in song?
From brilliant songwriter, Elle Cordova:
“If they don’t like the data in your graphs/they’ll just turn the lights out in your lab”
youtube.com/shorts/AYm9w...
🧪Or are you scientist who needs to hear your work valorized in song?
From brilliant songwriter, Elle Cordova:
“If they don’t like the data in your graphs/they’ll just turn the lights out in your lab”
youtube.com/shorts/AYm9w...
For our scientists
YouTube video by Elle Cordova
youtube.com
September 24, 2025 at 4:09 PM
Need a summary of all the ways the White House has gutted science?
🧪Or are you scientist who needs to hear your work valorized in song?
From brilliant songwriter, Elle Cordova:
“If they don’t like the data in your graphs/they’ll just turn the lights out in your lab”
youtube.com/shorts/AYm9w...
🧪Or are you scientist who needs to hear your work valorized in song?
From brilliant songwriter, Elle Cordova:
“If they don’t like the data in your graphs/they’ll just turn the lights out in your lab”
youtube.com/shorts/AYm9w...
Reposted by Mitja Kolsek
Come work with me on Microsoft Defender for Endpoint!
jobs.careers.microsoft.com/global/en/jo...
jobs.careers.microsoft.com/global/en/jo...
Search Jobs | Microsoft Careers
jobs.careers.microsoft.com
September 18, 2025 at 6:23 PM
Come work with me on Microsoft Defender for Endpoint!
jobs.careers.microsoft.com/global/en/jo...
jobs.careers.microsoft.com/global/en/jo...
Reposted by Mitja Kolsek
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
Reposted by Mitja Kolsek
If you want to understand the struggle anyone doing input validation has, just look at ver 16.0 of the unicode standard: unicode.org/versions/Uni...
Unicode 16.0 adds 5185 characters, for a total of 154,998 characters
244 pages.
yeah, good luck with that.
Unicode 16.0 adds 5185 characters, for a total of 154,998 characters
244 pages.
yeah, good luck with that.
Unicode 16.0.0
unicode.org
August 29, 2025 at 11:08 AM
If you want to understand the struggle anyone doing input validation has, just look at ver 16.0 of the unicode standard: unicode.org/versions/Uni...
Unicode 16.0 adds 5185 characters, for a total of 154,998 characters
244 pages.
yeah, good luck with that.
Unicode 16.0 adds 5185 characters, for a total of 154,998 characters
244 pages.
yeah, good luck with that.
Reposted by Mitja Kolsek
Five-ish years ago, @lizthegrey.com told me tech workers needed to organize because the tech giants would automate their jobs, the market would flood with talent and they would lose bargaining power. I thought it was unlikely. Here’s a story about me being wrong. www.nytimes.com/2025/08/04/t...
So Long to Tech’s Dream Job
www.nytimes.com
August 4, 2025 at 3:04 PM
Five-ish years ago, @lizthegrey.com told me tech workers needed to organize because the tech giants would automate their jobs, the market would flood with talent and they would lose bargaining power. I thought it was unlikely. Here’s a story about me being wrong. www.nytimes.com/2025/08/04/t...
Reposted by Mitja Kolsek
I'm exploring new engagements! If your team needs expertise in cybersecurity, risk assessment, tech policy, regulations (GDPR, etc.), tech standards, strategic insight, or Comms/PR, let's talk! Open to contract, or flexible roles. DM/email at me@lukaszolejnik.com.
April 9, 2025 at 2:30 PM
I'm exploring new engagements! If your team needs expertise in cybersecurity, risk assessment, tech policy, regulations (GDPR, etc.), tech standards, strategic insight, or Comms/PR, let's talk! Open to contract, or flexible roles. DM/email at me@lukaszolejnik.com.
Reposted by Mitja Kolsek
Morning in Kyiv. No sleep. Air quality is extremely bad. City is covered in thick smoke.
This is Russian terror, aimed at people who chose to stay, resist and fight.
This is Russian terror, aimed at people who chose to stay, resist and fight.
July 4, 2025 at 6:31 AM
Morning in Kyiv. No sleep. Air quality is extremely bad. City is covered in thick smoke.
This is Russian terror, aimed at people who chose to stay, resist and fight.
This is Russian terror, aimed at people who chose to stay, resist and fight.
Re-reading Stumbling on happiness by @danielgilbert.bsky.social and loving every page again. Relatable facts, interesting actual and thought experiments wrapped in just my type of humor.
July 3, 2025 at 10:14 AM
Re-reading Stumbling on happiness by @danielgilbert.bsky.social and loving every page again. Relatable facts, interesting actual and thought experiments wrapped in just my type of humor.
OAuth is hard and we often find security flaws, but this is next level. Kudos to Modzero.
Teammate Leonid discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of orgs that use Synology's "Active Backup for Microsoft 365" (ABM), including sensitive data like Teams channel messages. 🤓
#synology #disclosure #modzero
modzero.com/en/blog/when...
#synology #disclosure #modzero
modzero.com/en/blog/when...
When Backups Open Backdoors: Accessing Sensitive Cloud Data via
modzero.com
June 29, 2025 at 10:24 AM
OAuth is hard and we often find security flaws, but this is next level. Kudos to Modzero.
Reposted by Mitja Kolsek
A friendly reminder from the Patron Saint of the Internet, Deth Veggie
Once again, I would like to you remind you all of Deth Veggie's First Law of the Internet:
LIE TO EVERY SINGLE SITE ABOUT EVERY SINGLE THING YOU CAN.
Fake names. Fake birthdays. Fake pet names. Fake first schools and mother's maiden names and favourite foods and... just... everything.
LIE TO EVERY SINGLE SITE ABOUT EVERY SINGLE THING YOU CAN.
Fake names. Fake birthdays. Fake pet names. Fake first schools and mother's maiden names and favourite foods and... just... everything.
If you are deleting social media ~48 before your flight to the US, *it is already too late.*
June 26, 2025 at 3:49 AM
A friendly reminder from the Patron Saint of the Internet, Deth Veggie
Reposted by Mitja Kolsek
Threat actors are exploiting a recently patched vulnerability in the Roundcube webmail server.
Attacks began two days after a patch was published on GitHub.
FearsOff believes attackers bin-diffed the code before a final patch was ready and started exploiting servers.
fearsoff.org/research/rou...
Attacks began two days after a patch was published on GitHub.
FearsOff believes attackers bin-diffed the code before a final patch was ready and started exploiting servers.
fearsoff.org/research/rou...
Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]
A deep technical breakdown of CVE-2025-49113, a critical Roundcube vulnerability involving PHP session serialization. Learn how the bug was discovered, exploited, and responsibly disclosed with full P...
fearsoff.org
June 5, 2025 at 11:28 AM
Threat actors are exploiting a recently patched vulnerability in the Roundcube webmail server.
Attacks began two days after a patch was published on GitHub.
FearsOff believes attackers bin-diffed the code before a final patch was ready and started exploiting servers.
fearsoff.org/research/rou...
Attacks began two days after a patch was published on GitHub.
FearsOff believes attackers bin-diffed the code before a final patch was ready and started exploiting servers.
fearsoff.org/research/rou...
Reposted by Mitja Kolsek
Volkswagen fixed vulnerabilities in its mobile app that could allow attackers to hijack user accounts and retrieve car/owner details.
The app lacked brute-force protection, stored internal credentials in plaintext, and exposed any car owner's details via a VIN.
loopsec.medium.com/hacking-my-c...
The app lacked brute-force protection, stored internal credentials in plaintext, and exposed any car owner's details via a VIN.
loopsec.medium.com/hacking-my-c...
Hacking My Car, and probably yours— Security Flaws in Volkswagen’s App
This flaw made me the owner of thousands of cars (sort of).
loopsec.medium.com
May 18, 2025 at 2:16 PM
Volkswagen fixed vulnerabilities in its mobile app that could allow attackers to hijack user accounts and retrieve car/owner details.
The app lacked brute-force protection, stored internal credentials in plaintext, and exposed any car owner's details via a VIN.
loopsec.medium.com/hacking-my-c...
The app lacked brute-force protection, stored internal credentials in plaintext, and exposed any car owner's details via a VIN.
loopsec.medium.com/hacking-my-c...
Reposted by Mitja Kolsek
You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraudulent payment.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
🧵 1/4
The caller says they're from your bank and they're calling about a suspected fraudulent payment.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
🧵 1/4
May 3, 2025 at 8:32 AM
You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraudulent payment.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
🧵 1/4
The caller says they're from your bank and they're calling about a suspected fraudulent payment.
"Oh yeah," you think. Obvious scam, right?
The caller says "I'll send you an in-app notification to prove I'm calling from your bank."
🧵 1/4
Reposted by Mitja Kolsek
Reposted by Mitja Kolsek
By me @forbes.com: Roll up, roll up, you legacy-loving loons, get your Windows 7 and Windows Server 2008 R2 security updates here. #kudos @0patch.bsky.social and @mkolsek.bsky.social
#infosec
www.forbes.com/sites/daveyw...
#infosec
www.forbes.com/sites/daveyw...
New Windows 7 And Windows Server 2008 Security Updates Confirmed
Users of end-of-support Windows 7 and Windows Server 2008 platforms are advised of the availability of new security updates.
www.forbes.com
April 29, 2025 at 1:32 PM
By me @forbes.com: Roll up, roll up, you legacy-loving loons, get your Windows 7 and Windows Server 2008 R2 security updates here. #kudos @0patch.bsky.social and @mkolsek.bsky.social
#infosec
www.forbes.com/sites/daveyw...
#infosec
www.forbes.com/sites/daveyw...
Reposted by Mitja Kolsek
By me @forbes.com: Maybe Microsoft just needs to buy @0patch and be done with it? The security hotpatching needs of the many outweigh the needs of the few, as Mr Spock so famously said.
#infosec
www.forbes.com/sites/daveyw...
#infosec
www.forbes.com/sites/daveyw...
No Reboot Security Updates Come To Windows 11 — But There’s A Catch
Imagine being able to update Windows 11 with security patches but without rebooting. Well, now you can. But there’s a catch.
www.forbes.com
April 14, 2025 at 1:56 PM
By me @forbes.com: Maybe Microsoft just needs to buy @0patch and be done with it? The security hotpatching needs of the many outweigh the needs of the few, as Mr Spock so famously said.
#infosec
www.forbes.com/sites/daveyw...
#infosec
www.forbes.com/sites/daveyw...
Reposted by Mitja Kolsek
By me @forbes.com: Pass the hash, anyone? New NTLM zero-day with no Microsoft fix confirmed. #kudos @mkolsek.bsky.social for this one.
#infosec
www.forbes.com/sites/daveyw...
#infosec
www.forbes.com/sites/daveyw...
Windows Passwords At Risk As New 0-Day Confirmed—Act Now
New Windows password hash-stealing threat has no official fix. Here's how to stay protected for now.
www.forbes.com
March 26, 2025 at 11:13 AM
By me @forbes.com: Pass the hash, anyone? New NTLM zero-day with no Microsoft fix confirmed. #kudos @mkolsek.bsky.social for this one.
#infosec
www.forbes.com/sites/daveyw...
#infosec
www.forbes.com/sites/daveyw...
Reposted by Mitja Kolsek
Anyone who says they never fell for a phish or other online scam is either lying or doesn't use the Internet. We have all been there.
Well done to @troyhunt.com for being so open about his experience so that we can all learn from it
Well done to @troyhunt.com for being so open about his experience so that we can all learn from it
It finally happened - I got phished. Impact is limited to the Mailchimp mailing list for my blog, brief blog post with details here and more to come later: www.troyhunt.com/a-sneaky-phi...
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish h...
www.troyhunt.com
March 25, 2025 at 9:16 AM
Anyone who says they never fell for a phish or other online scam is either lying or doesn't use the Internet. We have all been there.
Well done to @troyhunt.com for being so open about his experience so that we can all learn from it
Well done to @troyhunt.com for being so open about his experience so that we can all learn from it
Signature based security only stops script kiddies. Always has.
Signature based security (partial list):
- AV/EDR/IDS
- virtual patches
NOT signature-based security (partial list):
- actual security patches
- canaries
- firewalls
- application control
- MFA
www.wietzebeukema.nl/blog/bypassi...
Signature based security (partial list):
- AV/EDR/IDS
- virtual patches
NOT signature-based security (partial list):
- actual security patches
- canaries
- firewalls
- application control
- MFA
www.wietzebeukema.nl/blog/bypassi...
Bypassing Detections with Command-Line Obfuscation
Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits exec...
www.wietzebeukema.nl
March 24, 2025 at 12:45 PM
Signature based security only stops script kiddies. Always has.
Signature based security (partial list):
- AV/EDR/IDS
- virtual patches
NOT signature-based security (partial list):
- actual security patches
- canaries
- firewalls
- application control
- MFA
www.wietzebeukema.nl/blog/bypassi...
Signature based security (partial list):
- AV/EDR/IDS
- virtual patches
NOT signature-based security (partial list):
- actual security patches
- canaries
- firewalls
- application control
- MFA
www.wietzebeukema.nl/blog/bypassi...
Reposted by Mitja Kolsek
I’m the Canadian who was detained by Ice for two weeks. It felt like I had been kidnapped
I’m the Canadian who was detained by Ice for two weeks. It felt like I had been kidnapped
I was stuck in a freezing cell without explanation despite eventually having lawyers and media attention. Yet, compared with others, I was lucky
www.theguardian.com
March 19, 2025 at 10:16 AM
I’m the Canadian who was detained by Ice for two weeks. It felt like I had been kidnapped