SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions

PALO ALTO, Calif., April 16, 2025 — SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San Francisco 2025. Titled “Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out”, the talk will demonstrate multiple data splicing techniques that will allow attackers to exfiltrate any sensitive file or clipboard data, completely bypassing major Data Loss Protection (DLP) vendors listed by Gartner by exploiting architectural vulnerabilities in the browser.
DLP is a core pillar of every enterprise security stack. Data breaches can
result in severe consequences including IP loss, regulatory violations, fines,
and severe reputational damage. With over 60% of corporate data being stored in
the cloud, browsers have become the primary way for employees to create, access
and share data. Consequently, the browser has become a particularly attractive
target for external attackers and insider threats alike. Yet, existing endpoint
and cloud DLP solutions have limited telemetry and control over how employees
are interacting with data on the browser.
Additionally, there are several unique challenges when it comes to
maintaining data lineage in the browser. These include managing
multiple personal and professional identities, the wide landscape of sanctioned
and shadow SaaS apps and the numerous pathways through which sensitive data can
flow between these apps. Unlike on managed devices, where enterprises have full
control over what can be installed on the device, employees can easily sign up
for various SaaS services without the IT team’s knowledge or oversight.
SquareX researcher Audrey Adeline says, “Data splicing
attacks are a complete game changer for insider threats and attackers that are
seeking to steal information from enterprises. They exploit newer browser
features that were invented long after existing DLP solutions and thus the data
exfiltrated using these techniques are completely uninspected, resulting in
full bypasses. With today’s workforce heavily relying on SaaS apps and cloud
storage services, any organization that uses the browser is vulnerable to data
splicing attacks.”
As part of the talk, they will also be releasing an
open source toolkit, “Angry Magpie”, which will allow pentesters and red teams
to test their existing DLP stack and better understand their organization’s
vulnerability to Data Splicing Attacks.
SquareX hopes that the research will highlight the severe data loss threats
that browsers pose and serve as a call to action for enterprises and
vendors alike to re-think their data loss protection strategies.
Upon the completion of BSides San Francisco, the
SquareX team will also be presenting at RSAC 2025 and will be available at
Booth S-2361, South Expo for further discussions on the research.
Talk Details:
Title: Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out
Speakers: Jeswin Mathai and Audrey Adeline
Event: BSides San Francisco 2025
Location: San Francisco, CA
Toolkit Release: Angry Magpie (Open Source)
About the Speakers:
Jeswin Mathai, Chief Architect, SquareX
Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the
design and implementation of the company's infrastructure. A seasoned speaker
and researcher, Jeswin has showcased his work at prestigious international
stages such as DEF CON US, DEF CON China, RootCon, Blackhat Arsenal, Recon
Village, and Demo Labs at DEFCON. He has also imparted his knowledge globally,
training in-classroom sessions at Black Hat US, Asia, HITB, RootCon, and OWASP
NZ Day. He is also the creator of popular open-source projects such as AWSGoat,
AzureGoat, and PAToolkit.
Audrey Adeline, Researcher
Audrey currently leads the Year of Browser Bugs (YOBB) project at SquareX which has
disclosed multiple major architectural browser vulnerabilities to date. She is
also a published author of The Browser Security Field Manual. Key discoveries
from YOBB include Polymorphic Extensions, Browser Ransomware and Browser
Syncjacking, all of which have been covered by major publications such as
Forbes, Bleeping Computer and Mashable. She is passionate about furthering
cybersecurity education and has run multiple workshops with Stanford University
and Women in Security and Privacy (WISP). Prior to SquareX, Audrey was a
cybersecurity investor at Sequoia Capital and graduated from the University of
Cambridge with a degree in Natural Sciences.
About SquareX:
SquareX’s industry-first Browser Detection and Response
(BDR) helps organizations detect, mitigate and threat-hunt client-side web
attacks happening against their users in real time. This
includes defending against identity attacks, malicious extensions,
spearphishing, browser data loss and insider threats.
SquareX takes a research and attack-focused approach to browser security. SquareX’s
dedicated research team was the first to discover and disclose multiple pivotal
attacks, including Last Mile Reassembly Attacks, Browser Syncjacking,
Polymorphic Extensions and Browser-Native Ransomware. As part of the
Year of Browser Bugs (YOBB) project,
SquareX commits to continue disclosing at least one major architectural browser
vulnerability every month.