Trail of Bits Tribune
September 2025

Our engineers discovered an attack that embeds prompts into images that are invisible to humans at full resolution, yet are interpreted as instructions by LLMs after the AI systems’ automated image rescaling. Through this technique, we achieved data exfiltration across multiple Google services, including Gemini CLI, Vertex AI Studio, Google Assistant, and third-party systems like Genspark. 

Meanwhile, Darius Houle, a new hire shadowing his very first project, found a way to locally backdoor Signal, 1Password, Slack, and Chrome by tampering with V8 heap snapshot files to bypass all existing code integrity checks. His finding affects nearly all applications built on the Chromium engine and earned CVE-2025-55305.

This month in talk and text

AI/ML

  • We weaponized image scaling algorithms to insert prompt injections that are invisible at full resolution but are revealed when downscaled, achieving data exfiltration on Gemini CLI, Vertex AI Studio, Google Assistant, and Genspark.

  • Our business operations intern built two AI automation tools that are now used company-wide: a podcast workflow that could save 1,250+ hours of listening annually and a Slack exporter that enables single-query searches across all company knowledge.

Application Security
  • We traced Ruby Marshal deserialization exploits from 2013 to 2024. After a decade-long cycle of patches and bypasses, it’s time to deprecate Marshal entirely in favor of safer alternatives like YAML's safe_load.

  • Darius Houle bypassed code integrity checks by tampering with V8 heap snapshot files, which affects all Chromium-based applications. Signal, 1Password, and Slack have patched this vulnerability.
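
The Marshal item above recommends moving to YAML's safe_load; as an added illustration (not code from the linked post), this is what that migration looks like for a simple persisted record, with a check that safe_load refuses documents that try to instantiate arbitrary Ruby objects. Record and the sample data are constructed for the example.

```ruby
require "yaml"

# Constructed sample: a session-style record an app might previously have
# persisted with Marshal.dump and restored with Marshal.load.
Record = Struct.new(:user_id, :roles, keyword_init: true)

# Serialize to YAML as plain data only. Symbols and Structs are not in
# safe_load's default allow-list, so they are converted before dumping.
def dump_record(record)
  YAML.dump({ "user_id" => record.user_id, "roles" => record.roles.map(&:to_s) })
end

# Restore with safe_load: only scalars, arrays and hashes are accepted, and
# anything tagged as a Ruby object is rejected before any constructor runs.
def load_record(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  Record.new(user_id: Integer(data.fetch("user_id")),
             roles: data.fetch("roles").map(&:to_sym))
end

# True when safe_load refuses a document carrying a !ruby/object tag
# (the shape every Marshal-style gadget payload needs), false otherwise.
def rejects_object_tags?(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  original = Record.new(user_id: 42, roles: [:admin, :editor])
  restored = load_record(dump_record(original))
  puts "round-trip ok: #{restored == original}"
  puts "object tag rejected: #{rejects_object_tags?("--- !ruby/object:OpenStruct\ntable: {}\n")}"
end
```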

Blockchain
  • At EthCC[8], Ben Samuels made the case for abandoning Bitcoin-era cold storage, which creates catastrophic single points of failure. Instead, Ethereum's programmability enables self-protecting wallets that use rate limits, timelocks, and role separation to enforce security policies at the protocol level, remaining secure even when multisig keys are fully compromised.

  • EIP-7730 eliminates blind signing by displaying human-readable transaction details on hardware wallets. Implementation requires only a JSON manifest file, making secure signing accessible to every dapp.
Research

Public security reviews

Our commitment to reduce risk and fortify code is on display this month with five new public reviews.

  • Meta WhatsApp Private Processing: Meta's confidential computing service enables AI features in WhatsApp messages while preserving privacy guarantees against external parties and privileged insiders. Our 12 engineer-week review of the infrastructure and confidential VMs identified 28 findings, including eight high-severity issues around data exposure and cryptographic implementation.

  • Discord E2EE WebAssembly: Discord's integration of WebAssembly-based cryptography into its libDAVE cryptography library enables secure messaging functionality. After three engineer-weeks of testing, we found no security issues and commended the excellent code organization and documentation standards.

  • Gemini Smart Wallet: Gemini's self-custodial, embedded cryptocurrency wallet uses account abstraction instead of storing private keys locally. We found clickjacking vulnerabilities and transaction parameter manipulation issues, highlighting insufficient testing coverage.

  • Swap Coffee: Swap Coffee is a TON-based decentralized exchange offering trading functionality on the TON blockchain. We found high-severity issues that could enable access control bypass or theft of funds.

  • EVAA: EVAA is a lending protocol operating on the TON blockchain that enables users to borrow and lend digital assets. We found that while the system demonstrated thoughtful engineering practices and design decisions, its complexity introduced potential attack vectors.

View all of our public reviews on our GitHub page.

Code releases

Here are the tool and library updates we’ve made since the last newsletter:

  • Algo VPN v2.0.0: Major security and performance overhaul of our personal VPN setup tool. Certificate Authority (CA) constraints prevent certificate reuse across deployments, refactored PKI management replaces legacy OpenSSL scripts with Ansible crypto modules, and comprehensive optimizations deliver 30–60% faster deployments. Breaking changes include the Python 3.11+ requirement and deployment-specific CA constraints.

  • ML-DSA v0.1.0: First release of our FIPS-204 (ML-DSA) post-quantum digital signature implementation in Go. The implementation focuses on constant-time operations for security, though it hasn't been externally audited yet.

  • weAudit v1.3.1: Update for our collaborative code review VS Code extension with support for multiple workspaces, Bitbucket permalink integration, username configuration options, and navigation commands for partially audited regions.

  • Medusa v1.3.1: Bug fixes for our Solidity smart contract fuzzer including automated library linking improvements, event management fixes, and enhanced coverage reporting with exclusion filters.

How can we help?

Reach out to us if you’re interested in learning more about our security consulting services, designed to tackle complex technical challenges.

Let’s meet up

  • DeCompute (September 30), Singapore

  • TOKEN2049 (October 1–2), Singapore

  • Offensive AI Con (October 5–8), San Diego

  • JawnCon 0x2 (October 10–11), Philadelphia: Evan Sultanik will present a talk on how language-theoretic security relates to LLM security.

  • Objective by the Sea (October 12–17), Ibiza, Spain: Paweł Płatek will present a user-to-root local privilege escalation (LPE) exploit against macOS.

  • Ringzer0 Countermeasure (November 3–7), Ottawa, Canada: Henrik Brodin and Ronald Eytchison will talk about making automated vulnerability discovery and patching with our tool, Buttercup, accessible to everyone. 

  • NeurIPS (December 2–7), San Diego

We're growing

Welcome to our new team members:

  • Adrian Piaschyk, Senior Sales Engineer, R&E

  • Evan Hellman, R&E

  • Jennifer Halfmann, Senior Account Executive, GTM

Join Trail of Bits

Visit our Careers page to learn about these roles and our perks or share your info for future roles!

Pet of the month

Thereasa Roy's Tele is getting resourceful in her old age, using her toys as pillows.

Thanks for reading!

Copyright © 2025 Trail of Bits, All rights reserved.
