Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talks AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator).

Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passwords, sift through stolen data, and even write custom ransom notes. In other words, one hacker with an AI helper can work like an entire team of cybercriminals.

Plus: a joyous geek detour into keyboard history, and the most diabolically annoying, fully functional AI-generated CAPTCHA that you will love to inflict on your friends.

EPISODE LINKS:

• LegalPwn: Abusing Legal Disclaimers to Trigger Prompt Injections - Pangea Labs.
• LegalPwn: Tricking LLMs by burying badness in lawyerly fine print - The Register.
• LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code - HackRead.
• One long sentence is all it takes to make LLMs misbehave - The Register.
• Londoners give up eldest children in public Wi-Fi security horror show - The Guardian.
• Targeted social engineering is en vogue as ransom payment sizes increase - Coveware.
• State of Malware 2025 - ThreatDown.
• Cybercrime in the Age of AI - ThreatDown.
• Threat Intelligence Report: August 2025 - Anthropic.
• The Day Return Became Enter - Marcin Wichary.
• Ethan Mollick’s terrible AI-generated CAPTCHAs - Twitter.
• The very worst AI-generated CAPTCHA? - Claude.ai.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORED BY:

• Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".

We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault.

Then we time-hop to the post-quantum scramble: "harvest-now, decrypt later", Microsoft's 2033 quantum-safe pledge, and whether your printer will survive the update apocalypse.

All this, plus a gloriously dodgy URL “shadyfier,” and turning the iconic iMac G4 into a modern media hub.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Thom Langford.

EPISODE LINKS:

• DOM-based Extension Clickjacking: Your Password Manager Data at Risk - Marek Tóth.
• Major password managers can leak logins in clickjacking attacks - Bleeping Computer.
• Microsoft to Make All Products Quantum Safe by 2033 - Infosecurity Magazine.
• Shady URL.
• DockLite G4 - Juicy Crumb.
• I perfected the iMac G4 - YouTube.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".

In episode 431 of the "Smashing Security" podcast, a self-proclaimed crypto-influencer calling himself CP3O thought he had found a shortcut to riches — by racking up millions in unpaid cloud bills.

Meanwhile, we look at the growing threat of EDR-killer tools that can quietly switch off your endpoint protection before an attack even begins.

And for something a little different, we peek into the Internet Archive’s dystopian Wayforward Machine and take a detour to Mary Shelley’s resting place in Bournemouth.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Allan "Ransomware Sommelier" Liska.

Episode links:

• Crypto Influencer Sentenced to Prison for Multi-Million Dollar “Cryptojacking” Scheme - US Department of Justice.
• Ransomware crews don't care about your endpoint security – they've already killed it - The Register.
• Way Forward Machine - The Internet Archive.
• Mary Shelley’s grave - Atlas Obscura.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:

• Proton Drive - Protect your files with end-to-end encryption in Switzerland’s secure cloud — only on Proton Drive.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".

A poisoned Google Calendar invite that can hijack your smart home, a man is hospitalised after ChatGPT told him to season his food with… pesticide, and some thoughts on Superman’s latest cinematic outing.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley, joined this week by special guest Dave Bittner from The Cyberwire.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

• Invitation Is All You Need: Invoking Gemini for Workspace Agents with a Simple Google Calendar Invite - SafeBreach.
• Invitation attack curses - YouTube.
• Invitation attack opens shutters - YouTube.
• Guy Gives Himself 19th Century Psychiatric Illness After Consulting With ChatGPT - 404 Media.
• Superman (2025) trailer - YouTube.
• Billy Joel: And so it goes - HBO Max.
• Billy Joel: And so it goes trailer - YouTube.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:

• Proton - Break free from Gmail. You should be able to choose what happens to your data. With Proton, only you can read your emails.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".

Those of you who tuned in to last week's episode (#428) will have heard the big news from my podcast pal Carole that she's decided to move on from her co-hosting duties on the show.

There have been some lovely messages of support sent through for Carole, and indeed for me too. Thank you very much to all of you - it's really heatywarming to hear how much the last 428 episodes have meant to you all, and how much you want the show to go on.

And so - as I said last week - it will carry on. Next week there will be a regular edition of "Smashing Security" with a special guest well known to all of you, and I plan to carry on as normal every week with guests after that...

This week though I felt like I needed to catch my breath, and take a break. But I didn't want to leave you without something to listen to...

So, here is a special edition of "Smashing Security" with a couple of clips from recent episodes of its sister show "The AI Fix", which I co-host with Mark Stockley.

If you enjoy "The AI Fix," please do follow it in your favourite podcast apps and tell your friends!

Until next week, cheerio bye bye.

Episode links:

• The AI Fix.
• The AI Fix on Apple Podcasts.
• The AI Fix on Spotify.
• The AI Fix on Pocketcasts.
• The AI Fix on Overcast.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".

The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself - after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes.

Plus, Carole takes us down memory lane as she hangs up her co-host mic after 428 glorious episodes. Expect tea, tears, and Tom Lehrer.

All this is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

• Update regarding cybersecurity incident - Tea.
• Hackers steal images from women's dating safety app that vets men - BBC News.
• A Second Tea Breach Reveals Users’ DMs About Abortions and Cheating - 404 Media.
• American musical satirist Tom Lehrer dies at 97 - BBC News.
• Tom Lehrer website.
• Tom Lehrer sings The Elements, live in Copenhagen, 1967 - YouTube.
• Tom Lehrer sings “New Math” (animated) - YouTube.
• Carole’s Substack.
• Libby - Library app.
• Shokz UK.
• Two Birds Yoga - YouTube.
• Thermapen.
• BBC Sounds.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

Sponsored by:

• Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
• Trelica by 1Password - Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps - whether managed or unmanaged.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.