Marco Squarcina
@minimalblue.bsky.social
910 followers 160 following 37 posts
Senior Scientist @TU Wien / Web & Mobile Security / #drumandbass DJ 🚩 with @mhackeroni.bsky.social We_0wn_Y0u kukhofhackerei Team Austria 🔗 https://minimalblue.com/
minimalblue.bsky.social
🇦🇹 Team Austria placed 8th at #HITCON #CTF as part of the qualifier for #ECSC2025 in Warsaw. Everyone did a fantastic job, so proud of the team. We'll select the 10 final members in the next days, stay tuned!

@hitcon.org @tuwien.at @informatics.tuwien.ac.at @cysecwien.bsky.social @hofhackerei.at
Team AT members HITCON final scoreboard
minimalblue.bsky.social
Meanwhile, our plane here in Vegas is "too heavy" and we can't take off. They are asking people to leave to reduce the weight. Please tell me this is perfectly normal.
minimalblue.bsky.social
After a great run at #defcon33 #CTF, I'm heading to Seattle to attend #USENIX Sec. DM me if you'd like to meet up and join us Thursday at midday for our talk on #TapTrap (track 4) with @beerphilipp.bsky.social !

taptrap.click

@lindorfer.in @cysecwien.bsky.social @informatics.tuwien.ac.at
TapTrap: Animation‑Driven Tapjacking on Android
taptrap.click
minimalblue.bsky.social
From starting @mhackeroni.bsky.social in 2018 to heading @hofhackerei.at to 9th place at @defcon.bsky.social #CTF finals this year: what a journey.

This team is amazing, I couldn't be prouder of all of them and the best is yet to come! 🔥

@cysecwien.bsky.social @tuwien.at @informatics.tuwien.ac.at
hofhackerei.at
We got 9th place at @defcon.bsky.social #CTF! Props to all finalists for an intense fight over the past three days and congrats to MMM for taking the win.

Thanks to Nautilus Institute for the neat setup this year, we had a blast.

Until next time, Vegas!

#DEFCON #DEFCON33
Team picture Final scoreboard Team dashboard
minimalblue.bsky.social
First wave of our team (me included) is on the way to @defcon.bsky.social #CTF. Huge thx to the companies and unis backing us, we're extremely grateful.

Special shoutout to @tuwien.at for the early support, as well as everyone who joined after.

We'll give our best, wish us luck!

See you Vegas 🌴🚩
hofhackerei.at
Bringing 30 people to Las Vegas for DEFCON CTF is a massive challenge! Huge THANK YOU🙏 to our sponsors:

💎 Dynatrace, Erste Bank und Sparkasse
🥇 TU Wien, TU Graz, SBA Research
🥈 FH St. Pölten, JKU Linz, Bosch, Siemens
🛡️ Cyber Security Austria

You made this possible!
Sponsors and partners for KuK Hofhackerei, including Dynatrace, ERSTE SPARKASSE, TU Graz, TU Wien CY SEC, SBA Research, Bosch, Johannes Kepler University, Cyber Security Austria, and Siemens.
minimalblue.bsky.social
Things were a bit different with Android this time, likely due to a functionality vs security trade-off that made it harder to address the issue in AOSP. Going forward, we'll continue reporting to Google but jointly disclose to GrapheneOS for any future Android-related issues.
minimalblue.bsky.social
Completely agree. For context on our disclosure policy: we usually report issues to upstream first so that other vendors or projects can automatically benefit from the fix. This process has worked well so far with browser vendors. The Chrome team in particular has always been extremely responsive.
minimalblue.bsky.social
By scanning the QR code you win a free color blindness test
minimalblue.bsky.social
I'm part of the team that discovered the #TapTrap vulnerability. We confirmed that @grapheneos.org has properly fixed it, as detailed on our site taptrap.click

Despite a small factual error, it's good to see #GrapheneOS getting some media attention.
Reposted by Marco Squarcina
grapheneos.org
foxnews.com/tech/new-and...

> GrapheneOS, a security-focused operating system based on Android, confirmed that its current version is also affected. However, it plans to release a fix in its next update.

No, we said that on July 7 and then shipped grapheneos.org/releases#202... fixing it.
minimalblue.bsky.social
ECSC 2025 prep has begun! First Team Austria qualifier wrapped up with 30 participants focusing on #ENOWARS and #DUCTF. Great vibes. Thanks to Ikarus Security for hosting us and everyone who joined! #ECSC2025 @tuwien.at @informatics.tuwien.ac.at @cysecwien.bsky.social
Team Austria, 1st qualifier event.
minimalblue.bsky.social
And shoutout to my girlfriend for lending a hand - literally - for the photo! 💅
minimalblue.bsky.social
Our #TapTrap attack got covered in @tuwien.at's news!

This was such a fun project. Congrats to @beerphilipp.bsky.social on his second first-author paper at a top-tier conference ❤️

We'll present the paper at #USENIX in Seattle on August 14. Looking forward to catching up with some of you there!
minimalblue.bsky.social
Congrats to my co-lecturers @mautem.bsky.social, @matteomaffei.bsky.social, @wert310.bsky.social, Pedro Bernardo, @beerphilipp.bsky.social, Simon Jeanteur and our amazing tutors: this wouldn't be possible without you.

And thanks to all students for the great feedback and participation 🙏
minimalblue.bsky.social
For the second year in a row, @tuwien.at students have nominated our Introduction to Security course among the finalists for the Best Teaching Award!

Balancing research, teaching & outreach isn't easy, but we give it our all.

🔗 www.tuwien.at/tu-wien/aktu...

CC @informatics.tuwien.ac.at
These are the Best Teaching Award finalists 2025
The jury has decided for whom the owl hunt continues.
www.tuwien.at
minimalblue.bsky.social
ublock origin lite works quite well on Chrome (but please people keep using Firefox)
minimalblue.bsky.social
This effort is the result of a collab w Sebastian Roth, @lindorfer.in and @beerphilipp.bsky.social who discovered the issue & did the heavy lifting. Thanks to @wwtf.at for making this research possible and supporting us ♥️

See you at #USENIX in Seattle next month!

@tuwien.at @cysecwien.bsky.social
minimalblue.bsky.social
It works on Android 15 & 16, while @grapheneos.org issued a fix. Major browsers such as Chrome and Firefox promptly patched after we disclosed the vulnerability. We analyzed ~100K Play Store apps finding that TapTrap is not currently being exploited in the wild.
minimalblue.bsky.social
Unlike classic tapjacking, TapTrap uses Android's built-in activity transition animations to launch a transparent activity on top of the attacker's app. The user thinks they're tapping a harmless button, but the tap goes to a permission/system prompt, a browser, or a sensitive app without notice.
minimalblue.bsky.social
Our new Android attack, #TapTrap, is getting media coverage — so here's a quick explainer.

It's a new tapjacking technique that exploits Android's UI animations to hijack user taps without requiring any permissions. @beerphilipp.bsky.social will present it at #USENIX Sec'25.

🌐 taptrap.click
TapTrap: Animation‑Driven Tapjacking on Android
taptrap.click
minimalblue.bsky.social
It has been an honor to organize the bootcamp for 3 years in a row, and I am proud that it's getting better every time. Thanks to CSA, @cysecwien.bsky.social, ENISA, Joe Pichlmayer, Manuel Reinsperger and the entire team for making this possible.

See you all next year ♥️ #CYBER #ECSC2025
tuwien.at
TU Wien @tuwien.at · Jul 10
TU Wien hosted the third edition of the Vienna International Boot Camp for Ethical Hacking and welcomed 150 participants from ten EU countries as well as Team Europe. The three-day event offered intensive, hands-on training and networking. www.tuwien.at/tu-wien/aktu...
Three days of ethical hacking at TU Wien
The Vienna International Boot Camp for Ethical Hacking returns to TU Wien
www.tuwien.at
Reposted by Marco Squarcina
hofhackerei.at
Help us choose our mascot! 🐾

Nautilus Institute is asking us to send them an animal mascot for the DEFCON CTF, and we need your help to pick the cutest contender!
Dive into the threat to meet the 8 adorable candidates.

#KuKHofhackerei #defcon33 #ctf #Mascot
minimalblue.bsky.social
My team @kukhofhackerei.bsky.social is heading to the DEF CON CTF finals this August in Las Vegas 🔥

We're now looking for sponsors to help cover the trip. If you're interested in supporting us, please get in touch or share this around.

Call for sponsors at hofhackerei.at 🇦🇹

Thank you!

#CTF #DC33
KuK Hofhackerei - DEF CON 33 Sponsorship (Front) KuK Hofhackerei - DEF CON 33 Sponsorship (Description) KuK Hofhackerei - DEF CON 33 Sponsorship (Packages)
minimalblue.bsky.social
After many years of battles with @mhackeroni.bsky.social, I'm blown away to announce that we've qualified for the #DEFCON CTF finals with KuK Hofhackerei 🇦🇹 this year!

New friends, same love. Couldn't be prouder of this team.

Thanks to nautilus.institute for organizing and see you in Vegas! 🚩
KuK Hofhackerei Team DEF CON CTF Quals 2025 Scoreboard
minimalblue.bsky.social
The 2nd wave of challenges for the Austria Cyber Security Challenge #ACSC will be live in 1h! You have 1 month left to compete and prove your skills!

I contributed a hard web challenge this time, let's see who can solve it 👀

Ready? 👉 acsc.land

@informatics.tuwien.ac.at @cysecwien.bsky.social
Austria Cyber Security Challenge 2025
acsc.land