This post is about a vulnerability in the Model Context Protocol (MCP) called “Line Jumping,” where malicious servers can inject prompts through tool descriptions to manipulate AI model behavior without being explicitly invoked, effectively bypassing security measures designed to protect users.
Trail of Bits’ Cyber Reasoning System “Buttercup” is competing in DARPA’s AI Cyber Challenge Finals, which now features increased budgets, multiple rounds, diverse challenge types, and the ability to use custom AI models.
We’re working on integrating an ASN.1 API into PyCA Cryptography,
built on top of the same Rust ASN.1 implementation already used by
Cryptography’s X.509 APIs.
This post describes a sophisticated social engineering campaign using Zoom’s remote control feature and provides technical solutions to protect organizations against this attack vector.
Snapshot Fuzzing enables security engineers to effectively test software that is traditionally difficult to analyze, such as kernels, secure monitors, and other complex targets that require non-trivial setup. Whether you’re auditing drivers or other kernel-mode components, including antivirus software, snapshot fuzzing provides a robust way to discover critical vulnerabilities. Consult our new Testing Handbook section for a walkthrough on how to conduct snapshot fuzzing on your system.
This post concludes a four-month performance study of OpenSearch and
Elasticsearch search engines across realistic scenarios using OpenSearch
Benchmark (OSB). Our full report includes the detailed findings and
comparison results of several versions of these two applications.
You and your team should incrementally update your threat model as your system changes, integrating threat modeling into each phase of your SDLC to create a Threat and Risk Analysis Informed Lifecycle (TRAIL). Here, we cover how to do that: how to further tailor the threat model we built, how to maintain it, when to update it as development continues, and how to make use of it.
In this blog, we’ll talk about our threat modeling process, TRAIL, which stands for Threat and Risk Analysis Informed Lifecycle. TRAIL enables us to trace and document the impact of flawed trust assumptions and insecure design decisions throughout each client’s system architecture and SDLC. Over time, multiple application security experts have refined TRAIL to provide maximal value for our clients and to minimize the effort required to update the threat model as the system changes.
In this blog, we’ll talk about one of our most popular, but rarely published report types and how adding threat modeling to your organization can save you from becoming the next billion-dollar headline.
We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects.
The $1.5B Bybit Hack demonstrates how the Era of Operational Security Failures has arrived, and most cryptocurrency companies are not prepared for its implications.
Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security.
TVM Ventures has selected Trail of Bits as its preferred security partner to strengthen the TON developer ecosystem. Through this partnership, we’ll lead the development of DeFi protocol standards and provide comprehensive security services to contest-winning projects deploying on TON. TVM Ventures will host ongoing developer contests where teams can showcase innovative applications that advance […]
Writing smart contracts requires a higher level of security assurance than most other fields of software engineering. The industry has evolved from simple ERC20 tokens to complex, multi-component DeFi systems that leverage domain-specific algorithms and handle significant monetary value. This evolution has unlocked immense potential but has also introduced an escalating number […]
This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. Imagine trying to log in to your centralized cryptocurrency exchange (CEX) account and your password and username just… don’t work. You […]
