Hacking & Barbecue in the south of France What could possibly be better? Barbhack 2025 starts this Saturday August 30th at the Palais des Congrès Neptune in Toulon We are giving away a ticket to a student nearby looking to live the experience. Send us a DM with your name and school. We will notify the winner tonight.

BARBHACK Hacking conference

BARBHACK is organized by a team of ethical hackers and cybersec professionals you already know, supported by HackerZVoice association

Unrestrict the restricted mode for USB on iPhone. A first analysis @npub12h89...ac3t #CVE-2025-24200 👉

First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200) - Quarkslab's blog

Apple released iOS 18.3.1 (build 22D72) to patch a vulnerability tied to the Accessibility framework and reported by Citizen Lab. Let's analyze it!

Good tools are made of bugs: How to monitor your Steam Deck with one byte. Finding and exploiting two vulnerabilities in AMD's UEFI firmware for fun and gaming. A Christmas gift in February, brought to you by the incredible @Gwaby 🫶

Being Overlord on the Steam Deck with 1 Byte - Quarkslab's blog

In this blog post we explain the consequences of asking our R&D boss for a Steam Deck as a Christmas gift. It involves a couple of vulnerabilities,...

👋 Looking for some cool research opportunities in 2025? We still have an open position in our 2024-2025 internships season. Take a look and hurry up to submit, those satellites won't hack themselves

Internship Offers for the 2024-2025 Season - Quarkslab's blog

The internship season is back at Quarkslab! Our internship topics cover a wide range of our expertise and aim at tackling new challenges, namely:

Finding and chaining 4 vulns to exfiltrate encryption keys from the Android Keystore on Samsung series A* devices. Did you miss the "Attacking the Samsung Galaxy A* Boot Chain" talk by [@max_r_b](

bird.makeup - User

) and Raphaël Neveu earlier this year ? Talk && PoC || GTFO:

Attacking the Samsung Galaxy A* Boot Chain - Quarkslab's blog

We discovered several vulnerabilities impacting the boot chain of several Samsung devices. Chained together, they allow us to execute code in the b...

Don't you miss the golden era of SQL Injections? Here Mathieu Farrell (@Coiffeur) explains how to feel the thrill again with the aid of Apache Superset, XML and a bit of parsing tickery: "Bypass Apache Superset restrictions to perform SQL Injections"

Bypass Apache Superset restrictions to perform SQL injections - Quarkslab's blog

The following article explains how during an audit we took a look at Apache Superset and found bypasses (by reading the PostgreSQL documentation) f...

⚡ Operator Fabric is an open source platform built by the LF Energy Foundation (https://lfenergy.org/) for use in electricity, water and other utility operations. Last May we did a security audit sponsored by the Open Source Technology Improvement Fund (

OSTIF.org – Securing Open Source for the World

) 🙏 Read a summary of our findings and find the full report here:

Audit of Operator Fabric - Quarkslab's blog

Quarkslab was mandated by the Open Source Technology Improvement Fund, Inc. to proceed with the security assessment of the Operator Fabric project....

Are "MIFARE-compatible" contactless cards not playing fair? That's what you may wonder after @npub1g7yr...jmgp spotted some odd behavior. Curiosity led to experiments that resulted in devising a new attack technique that uncovered some backdoors, and here we are 🙀 The RFID hacking spirit lives on!

MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoors - Quarkslab's blog

We studied the most secure static encrypted nonce variant of "MIFARE Classic compatible" cards -- meant to resist all known card-only attac...