Saturday 9 May 2026

Google's updated reCAPTCHA (rebranded as "Cloud Fraud Defense") relies on device attestation signals tied to Google Play Services, silently breaking verification for users running de-Googled Android (e.g. GrapheneOS, CalyxOS). Users are locked out of websites with no fallback, and the mechanism is linked to the previously controversial Web Environment Integrity proposal.

AI tooling is disrupting established security vulnerability disclosure norms: it accelerates exploit development from published CVEs (compressing patch windows) while simultaneously making it harder to distinguish responsible disclosure from noise, threatening both "full disclosure" and "coordinated disclosure" cultures.

Meta has rolled back end-to-end encryption for Instagram DMs, removing a previously available privacy feature from users without an opt-in alternative, representing a regression in messaging security on the platform.

A local privilege escalation vulnerability in Linux's io_uring ZCRX subsystem stems from a type confusion/freelist management bug, exploitable with a single attacker-controlled u32 value to gain root. The postmortem exposes how complex kernel async I/O infrastructure introduces subtle, high-severity memory safety gaps.

A mathematician recounts a session with ChatGPT 5.5 Pro where the model produced plausible-looking but subtly incorrect mathematical reasoning, raising concerns about how difficult it is to detect confident-sounding AI errors in expert domains — even for specialists.