In a groundbreaking revelation set to be unveiled at BSides San Francisco 2025, SquareX researchers Jeswin Mathai and Audrey Adeline are preparing to shed light on a new wave of data exfiltration techniques. Their presentation, titled “Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out,” aims to showcase innovative methods that can enable attackers to bypass traditional Data Loss Protection (DLP) measures and access sensitive information.
The significance of Data Loss Protection (DLP) cannot be overstated in today’s corporate landscape, as data breaches can lead to severe consequences such as intellectual property theft, regulatory violations, financial penalties, and damage to reputation. With a significant portion of corporate data now residing in the cloud, web browsers have become a critical tool for employees to handle, share, and create data. This increased reliance on browsers has made them prime targets for both external hackers and internal threats, posing a significant challenge to existing endpoint and cloud DLP solutions.
One of the key hurdles in maintaining data security within browsers lies in the complexity of managing multiple user identities, a vast array of sanctioned and unsanctioned SaaS applications, and the numerous pathways through which sensitive data can travel across these platforms. Unlike managed devices where IT departments have control over software installations, employees have the freedom to subscribe to various SaaS services independently, creating potential vulnerabilities in data protection.
Audrey Adeline, a researcher at SquareX, emphasizes the transformative nature of data splicing attacks, stating that they represent a significant shift in the landscape of insider threats and cyberattacks targeting enterprise data. By exploiting vulnerabilities in modern browser features that were not present when existing DLP solutions were developed, these attacks can bypass traditional security measures, leaving sensitive data uninspected and exposed to exploitation. Given the widespread use of SaaS applications and cloud storage services by contemporary workforces, organizations must recognize the inherent risks posed by data splicing attacks.
As part of their presentation, Mathai and Adeline will introduce “Angry Magpie,” an open-source toolkit designed to help penetration testers and red teams assess the effectiveness of their current DLP solutions against Data Splicing Attacks. By providing a practical tool for evaluating organizational vulnerabilities, SquareX aims to raise awareness about the urgent need for enhanced data loss protection strategies among enterprises and cybersecurity vendors.
Following their appearance at BSides San Francisco, the SquareX team will continue their dialogue on browser security threats at RSAC 2025, where they will be available for further discussions and demonstrations at Booth S-2361 in the South Expo area. Through their ongoing research efforts, SquareX remains committed to identifying and addressing critical vulnerabilities in browser security, with a focus on advancing industry-wide best practices for mitigating web-based cyber threats.
The speakers, Jeswin Mathai and Audrey Adeline, bring a wealth of experience and expertise to the field of cybersecurity. Mathai, as Chief Architect at SquareX, has led the development of the company’s infrastructure and has a track record of presenting at prestigious international cybersecurity conferences. Adeline, the lead of the Year of Browser Bugs project at SquareX, has made significant contributions to identifying browser vulnerabilities and enhancing cybersecurity education initiatives.
SquareX’s pioneering Browser Detection and Response (BDR) technology offers organizations a proactive approach to defending against client-side web attacks in real-time. By focusing on research-driven strategies for browser security, SquareX has been at the forefront of identifying and remedying critical browser vulnerabilities, such as Last Mile Reassembly Attacks, Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware.
In conclusion, the findings and insights to be presented by SquareX researchers at BSides San Francisco 2025 are poised to reshape the cybersecurity landscape, prompting organizations to reevaluate their data protection strategies and enhance their defenses against emerging threats. By fostering a culture of continuous innovation and collaboration, SquareX remains dedicated to addressing the evolving challenges of cybersecurity in an increasingly digital world.
For further information and inquiries, please contact Junice Liew, Head of PR at SquareX, at junice@sqrx.com.
Join our LinkedIn group Information Security Community for the latest updates and discussions on cybersecurity trends and best practices.