Reflections on 2025
- Thoughts on the Year
- Roughly Speaking
- Diving into the World of Security
- Putting Effort into Bug Hunting
- Chromium UAF
- Edge UI Spoofing (CVE-2025-26643)
- Brave crash
- Working Hard on Browser Development
- Participating in Many Events
- Able to Do New Things
- Went to Many Overseas Conferences
- Goals in 2026
- What I Did
- January
- February
- March
- April
- May
- June
- July
- August
- September
- October
- November
- December
- Finally
Thoughts on the Year
Roughly Speaking
- It was a year where I dove deep into the worlds of security, bug hunting, and hardware hacking. In particular, I'm happy that I managed to start finding bugs in browsers.
- I think I worked hard on browser development, too. However, I wanna do even more next year. I'm currently in the middle of drilling the basics of C++. I just have to keep going.
Diving into the World of Security
I changed jobs and jumped into the world of security. It was an area I had been interested in for a long time, but actually doing it has been incredibly interesting. It's technically fascinating, and I feel the sec people are a bit different from those in the dev world. So it felt like the start of a new adventure. Everything was fresh and truly exciting!
Putting Effort into Bug Hunting
I started doing bug hunting as a hobby. At first, I was looking at Web apps and extensions, but halfway through, I shifted my focus to browsers. Recently, I've been looking only at browsers.
The only three that have been disclosed so far are:
Chromium UAF
My first Chromium bounty. It is a crash likely UAF by classic JS re-entrancy via then getter and awarded $4000 including patch and bisect :)
Edge UI Spoofing (CVE-2025-26643)
It was the first bug I reported about a browser, so it was moving for me :)
Brave crash
This really isn't a big deal, but I was super happy to find a vulnerability in a browser that wasn't just a variant-rollout of someone else's finding.
Actually, I managed to make several other reports that are even more interesting. I hope to write articles about them once they are disclosed.
Recently, I've only been looking for memory-related bugs in bug hunting. I think this was a year where I became much more knowledgeable about C++ and memory.
Combined with the fact that a lot of my work time involves code reading, I think I spent more time reading code this year than at any other point in my engineering career. I read various kinds of code.
What I realized is that code reading is like shining a light on an object to observe it. Depending on how you shine the light, what you see changes. While one part jumps out at you, other parts get hidden in the shadows. If you shine the light from a security angle, you might notice IDORs or UaFs, but the elegance of the design or the efficiency of the processing (though we do consider it when thinking about DoS etc.) might slip through. I think it would be fun to be able to read code in various ways. Also, as a quick tip: I realized again that it's important to scan the whole thing first and then read with varying degrees of focus.
Next year, I plan to dig into JS engines. I think it's the hottest area in browsers right now, so I wanna do my best 👶
Working Hard on Browser Development
I was able to work on several feature implementations and bug fixes for Firefox, especially around Animation.
The implementation of Animation.prototype.overallProgress can be found below. (There is also a Japanese version of the article).
And here is the change regarding the behavior of CommitStyles endpoints.
I also worked on implementing interventions. For those asking "What is an intervention?", I recommend looking at the about:compat page in Firefox and browsing this wiki. Below is the link to the Phabricator patch.
I think it was also good (though honestly incredibly tough) that I was able to implement the CommitStyles behavior change in Chromium as well. Below is the link to Gerrit.
Next year, I want to work hard to implement larger features in Firefox.
I also want to aim for becoming a committer in Chromium.
Participating in Many Events
I had the opportunity to speak at various events.
Starting with chot Inc.'s event, Hardening, Sapporo Engineer Base, everyone's favorite Frontend Conference Hokkaido, and JSConf. I'm very grateful for this. I also got to do the alien thing, again 👽️
Also, participating in TPAC was a very blessed opportunity. I met people from Mozilla, people leading e-books in the publishing industry, and was able to hear various stories. It was really great to be featured on mozaic.fm.
It was also great to be able to organize a browser bug hunting event myself. I was happy that veterans like Azara, and super-legend hunters like masatokinugawa and Alesandro Ortiz spoke at the event!
Able to Do New Things
I think I became able to do various new things.
First, I can now buy a broken Game Boy and fix it by soldering, and I can do a certain amount of mysterious hardware hacking (which I won't write much about here). Including bug hunting, I feel like I've stepped into a world I once longed for. I think I've been truly blessed with great colleagues.
I feel like I've gotten used to the browser development flow, and it's deeply moving that I no longer get emotional just by sending a patch. A year ago, I would have been like "Whoa!" just by sending one.
Also, getting the opportunity to write articles and review books was really good. I'm incredibly happy about that.
Went to Many Overseas Conferences
I had many opportunities to go to overseas conferences. Google I/O, BlackHat, and DEFCON. TPAC was also a great opportunity to talk with people from overseas.
As a result, I feel that English is still a bit challenging for me. My first job was as a consultant at a strategy consulting firm, so I used English often, but chatting in a noisy place or having difficult technical discussions is still hard. It would be more fun if I could talk to various people, so I want to work hard on this in 2026.
Goals in 2026
- Implement a larger feature in Firefox.
- Increase contributions to Chromium and become a Committer.
- Find an exploitable bug in a JS engine. Hopefully, pwn it all the way (pwn2own!!).
- Live in Canada and Get a job.
- Complete to write a book.
What I Did
Finally, I'll list what I did this year and wrap it up 👶
January
- Wrote an article analyzing UaF in Chromium's UI components
- Reported a vulnerability for the first time (Reported on HackerOne. Still haven't heard back from the developer 😂)
- Created this blog (canalun.company)
Highlight: Analysis of UaF in Chromium's UI components
February
- Spoke at chot Inc.'s "Frontend Chotto Dekiru 2025". Talked about browser contributions (Slides).
- Reported a crash in Brave. $100
- Started fixing a bug in Firefox's onOpenOptionsPage on Android
Highlight: Brave Null Pointer Dereference by Crafted Response from AI Model
March
- Wrote an article about how Chromium renders text for Lambda Note
- Was able to report a UI Spoofing vulnerability in Edge
Highlight: Authored "How Chromium Renders Text (Kanaru Sato)"
April
- Reviewed Yusuke Endo's "How Type Systems Work".
- Held an event specialized in browser bug hunting
- Implemented and released the commitStyles behavior change in Firefox
Highlight: Hosted Browser Crash Club
May
- Participated in Google I/O
- Found and reported an interesting vulnerability. Undisclosed.
Highlight: Google I/O
June
- Conducted experiments on the security of AI-generated code and wrote an article
- Added two sections to the OWASP Browser Extension Vulnerabilities Cheat Sheet (DOM-Based data skimming and Prototype-Based data skimming).
- Wrote prototype security related post
Highlight: Prototype-based Data Skimming
July
- Implemented and released Animation.overallprogress in Firefox
- Reported an interesting vulnerability. Undisclosed.
- Spoke at Hardening Project about the security of code generated by AI models
- Analyzed 70 H1 cases and wrote about why XSS still happens
Highlight: Implemented and released Animation.overallprogress in Firefox
August
- Participated in BlackHat and DEFCON
- Became able to run Fuzzers on major browsers like Chrome and Firefox.
Highlight: Nailed "ZANKOKU" at Hacker Karaoke
September
- Started teaching Database and Web Programming courses as a part-time lecturer at Nihon University.
- Started hardware hacking using Flipper Zero, etc.
- Fixed a broken Game Boy I bought used by utilizing soldering
- Tried running Fuzzers on various things like the Ruby language.
- Spoke at Frontend Conference Hokkaido. Talked about the offense and defense of browser security (Slides).
Highlight: "What are Browsers Protecting the 'Frontend' From?"
October
Highlight: Implemented the behavior change done in Firefox in Chromium as well (Make commitStyles endpoint-inclusive)
November
- Found my first UaF bug in Chromium! $4000. Classic JS reentrancy via then getter.
- Participated in TPAC. Got featured on mozaic.fm.
- Spoke at JSConf about client-side prototype pollution (Slides). Was able to discuss with endo developers in the hallway.
Highlight: Tragedy or Hope in the Commons: The Race for JavaScript Prototype Override
December
- Implemented an intervention in Firefox. While writing Selenium test code, memories of writing playwright tests came back.
- Started solidifying the basics of C++.
- Started reading JS engine code.
Highlight: add a CSS webcompat intervention for tjoy.jp zoom-in on Android
Finally
Wishing everyone a great year next year! 👶