Profile Picture

Gabriele

Digregorio

also known as Io_no

I'm a Computer Engineer with a strong interest in cybersecurity and a PhD candidate at Politecnico di Milano. Currently, I'm also a Security Research Intern at IBM Research GmbH.
I play with the Tower of Hanoi and mhackeroni CTF teams, working on binary/rev categories and supporting misc/ML when needed. I am also a maintainer of the libdebug project.
Want to get in touch? Email me at gabriele.digregorio[at]polimi.it

CTFs

As a Player

mhackeroni logo

Member of mhackeroni since 2022.
Winners of Hack-A-Sat 4, the world's first CTF in space by the Air Force Research Laboratory.
Participated in DEF CON 31, 32, and 33 Finals.

Visit mhackeroni
Tower of Hanoi logo

Member of Tower of Hanoi since 2021.
Team treasurer since 2024.

Visit Tower of Hanoi

As an Organizer

Ctrl+Space logo

With mhackeroni, co-organizer of Ctrl+Space CTF with challenges running on satellites orbiting Earth, in collaboration with ESA and D-Orbit.
The finals were hosted in person at ESA's ESTEC during the 3S Conference.

Visit Ctrl+Space
ToH CTF logo

With Tower of Hanoi, co-organizer of ToH CTF 2025.

Visit ToH CTF

libdebug

libdebug logo

Maintainer of libdebug, an open-source Python library to debug binary executables, your own way.

Visit libdebug

Bug Hunting

So far, I've found vulnerabilities in Keras, Google Messages (on Wear OS), Android, skops, and Redis, which I reported through responsible disclosure to the respective vendors. Some were severe enough to earn bounties and get tracked as public CVE advisories.

My findings have also been picked up by media such as Forbes, Android Authority, and Android Police.

Curious about my bug hunting? I've published some of the reports I can ethically make public on GitHub.

View Bug Reports

Writeups

Vulnerability
CVE-2025-12080 - Intent Abuse in Google Messages for Wear OS for Silent Message Sending
23 October 2025

CVE-2025-12080, which I discovered in March 2025 and for which I was later awarded a bounty by the Google Mobile VRP.
Vulnerability CTF
CVE-2025-9905 - Arbitrary Code Execution on Keras (once again) via Legacy Files
23 October 2025

CVE-2025-9905, which I discovered in June 2025. Exploiting this vulnerability was also the intended solution to the Intended Behaviour challenge I authored for ToH CTF 2025.
Vulnerability CTF
CVE-2025-1550 - Arbitrary Code Execution on Keras
20 July 2025

CVE-2025-1550, which I discovered at the end of 2024 and for which I was later awarded a bounty by the Google OSS VRP. Exploiting this vulnerability was also the intended solution to the Unintended Behaviour challenge I authored for ToH CTF 2025.
Vulnerability
Don't Trust the Open Link Button in Android Notifications
11 June 2025

Certain characters can cause a mismatch between the link shown in an Android notification and the one opened via the 'Open link' button, potentially tricking users into phishing sites or triggering deep links.
CTF
Black-magic - HKCERT Quals 2024
10 November 2024

A .pyc challenge with a touch of non-determinism due to the use of __built­in_un­reach­able() in CPython implementation.

Selected Publications

When Secure Isn't: Assessing the Security of Machine Learning Model Sharing
2025 - Preprint

G. Digregorio, M. Di Gennaro, S. Zanero, S. Longari, and M. Carminati
Poster: libdebug, Build Your Own Debugger for a Better (Hello) World
2024 - CCS

G. Digregorio, R. A. Bertolini, F. Panebianco, and M. Polino
Tarallo: Evading Behavioral Malware Detectors in the Problem Space
2024 - DIMVA

G. Digregorio, S. Maccarrone, M. D'Onghia, L. Gallo, M. Carminati, M. Polino, and S. Zanero
Evaluating the Impact of Privacy-Preserving Federated Learning on CAN Intrusion Detection
2024 - IEEE VTC

G. Digregorio, E. Cainazzo, S. Longari, M. Carminati, and S. Zanero
View Google Scholar
CV