Gal Weizman

๐Ÿ  | Github | Twitter | Linkedin

Tags: Top | CVEs | Vulnerabilities | Security | JavaScript | Research | Anti-Debug | Supply-Chain-Security | The-Client-Side | Discovery | Browser | MetaMask | LavaMoat | Web3 | Featured-on-X |


What same origin iframes are used for?

04 Dec 2024 iframes can either share the origin of their embedder or not. While cross-origin iframes are highly useful and are well-used across the web, what are same-origin iframes used for? Aside for malicious ways to use such iframes, are there any legitimate use cases for them? This research will focus on finding the answer to this question

Is client side security dead - or a crucial part of the future?

10 Feb 2024 Client side security is a niche tech field that seems to be unneeded for the most part. As someone who's very passionate about it, that's something that's hard for me to accept. After Shubham Shah addressed this topic in his tweet, I elaborate into the mixed feelings I have with this field, as well as present my take on the industry and most importantly, strongly argue why I think client side security isn't dying - but in fact is more crucial now than was ever before.

MetaMask Wallet Security Threat Model - The Browser's Prespective [๐•]

21 Jan 2024 Debunking a recently published academic paper on browser wallets security proving browser wallets like MetaMask are in fact secure

Javascript Anti Debugging - Crashing the Devtools [๐•]

14 Nov 2023 Best way to prevent someone from researching and debugging your malicious code? Probably by just crashing it! This was possible up until recently, learn more

The Same Origin Concern - presenting to W3C [๐•]

03 Oct 2023 In 2023 on behalf of the MetaMask LavaMoat security team we have presented to W3C about the same origin concern and how we recommend addressing it

Proto Tree ๐ŸŒณ - A Way to Observe the JS Prototype Chain [๐•]

27 Jul 2023 The JavaScript prototype chain is complicated and hard to study, so shouldn't there be an online tool for that already?

MetaMask JavaScript Security Stack (Part 3 - Snow) [๐•]

14 Jul 2023 A series exploring the JavaScript security stack of the MetaMask browser wallet (part 3 - LavaMoat Snow)

MetaMask JavaScript Security Stack (Part 2 - Snow) [๐•]

07 Jul 2023 A series exploring the JavaScript security stack of the MetaMask browser wallet (part 2 - LavaMoat Snow)

MetaMask JavaScript Security Stack (Part 1 - scuttling) [๐•]

30 Jun 2023 A series exploring the JavaScript security stack of the MetaMask browser wallet (part 1 - LavaMoat scuttling)

DOM Clobbering - but with numbers?! [๐•]

23 Jun 2023 An interesting edge case of DOM Clobbering when using a number instead of a string

Introducing Snow โ„๏ธ [๐•]

04 Jan 2023 Introducing Snow JS, a JavaScript security tool for securing same origin realms as part of the MetaMask LavaMoat security toolbox

Realms Security [๐•]

19 Nov 2022 Let's understand realms security