Blog Posts

TL;DR ANSI escape sequences – a terminal feature from the 1970s – can be weaponized to deceive approval prompts in modern AI coding agents. By injecting cursor-manipulation codes into MCP server configurations, an attacker can hide malicious commands behind innocent-looking text, turning “human-in-the-loop” safety into security theatre. Introduction There is an arms race happening in…

Disclaimer: Throughout this post, we use the fictional company name “Acme, Inc” and product name “TrustMe AI” as aliases. We are not permitted to reveal the real company or product names. Any resemblance to actual company or product names is purely coincidental. TL;DR A popular AI coding agent quietly spins up a local web server…

Chaining Method Override and CSRF Vulnerabilities for Account Takeover As a security researcher, uncovering vulnerabilities that could potentially lead to severe security breaches is both challenging and rewarding. In this post, I will discuss a fascinating case involving method override and Cross-Site Request Forgery (CSRF) vulnerabilities, which could lead to an account takeover. Please note…

In this blog post, I detail how I uncovered a critical vulnerability in a popular online service’s password reset feature. Due to poor password reset implementation practices, I was able to gain unauthorized access to user accounts. In this research, I will lay out the thought process from a hacker’s perspective to achieve an account…