Samuel Groß

@5aelo

Followers: 24K
Following: 2K
Statuses: 756

V8 Security technical lead. Previously Project Zero. Personal account. Also @[email protected] and https://t.co/aVitnPjBie

Zürich, Switzerland
Joined May 2013
@5aelo
Samuel Groß
5 years
I'm very excited to share my blogpost series (including PoC code) about a remote, interactionless iPhone exploit over iMessage:
20
507
1K
@5aelo
Samuel Groß
7 days
RT @cffsmith: I’m very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Was…
0
99
0
@5aelo
Samuel Groß
3 months
@filpizlo Oh thanks! Means a lot coming from you!
0
0
1
@5aelo
Samuel Groß
8 months
@ret2src @offensive_con Thanks! Awesome to hear that it’s been helpful! :)
0
0
1
@5aelo
Samuel Groß
8 months
@alisaesage Presumably, yeah… although I think lockdown mode also disables Wasm, in which case you’d get the Wasm/Both entries from the JS/Wasm column as well I guess
0
0
2
@5aelo
Samuel Groß
8 months
@mistymntncop 😅 yeah these are cases where the bug triggers without JITs, but only causes some data structures to be left in an inconsistent state that are (currently) only used by optimizing compilers (and where we don't see another way to exploit it).
1
0
9
@5aelo
Samuel Groß
8 months
@0x10n The JS/Wasm column is probably better suited to answer what would happen if Wasm was disabled. Though I realize some entries should probably say "Both" there, so changed that now!
1
1
3
@5aelo
Samuel Groß
8 months
@0x_shaq Oh that’s really cool!
0
0
1
@5aelo
Samuel Groß
8 months
@thegrugq @daveaitel Since they are anyway all dead by now, I think this is fine 😁
1
0
7
@5aelo
Samuel Groß
8 months
This for example shows that the V8 Sandbox is pretty promising in terms of "bug coverage". Of course that also assumes that it'll become a strong security boundary (it's still pretty soft at the moment), see
@5aelo
Samuel Groß
8 months
And the recording is now also public: thanks @offensive_con!
0
2
10
@5aelo
Samuel Groß
8 months
@xvonfers It needs --enable-experimental-regexp-engine but still worth fixing :)
0
0
1
@5aelo
Samuel Groß
9 months
@xvonfers This is the bypass I demoed @offensive_con earlier this month. It's a pretty good one :)
0
0
21
@5aelo
Samuel Groß
9 months
@xvonfers Great work!
1
0
1
@5aelo
Samuel Groß
9 months
@alisaesage @mistymntncop I don't think so. The bug class back then was "different-bytecode-after-reparsing" because there's an invariant that reparsing of JS code must result in the exact same bytecode as the initial parsing. But this bug is different (here a DCHECK already fails during initial parsing)
0
1
6
@5aelo
Samuel Groß
9 months
@xvonfers There is also a WIP design document here: :)
0
5
30