Pinned post

I post about technical topics here, especially , , . My other account is for German-language non-technical stuff.

Is there such a thing as Persistent Universal XSS? Because I think I’ve found one…

Remember me writing about Custom Cursor extension exposing a massive attack surface? If you are one of their users, I sincerely recommend Cute Cursors. It does pretty much the same thing but without any of the downsides. User numbers should reflect that…

Finding a security issue in a currently disabled code branch is actually nice. It means that I can post my report as a public GitHub issue instead of tracking down the right contact.

Found out that always points to your Microsoft account’s avatar. This will do, reading out this image across domain boundaries allows deanonymizing website visitors.

Show thread

SVG images would work as well, maybe there are real-world websites putting sensitive data into those…

Show thread

Found a browser extension allowing to circumvent same-origin policy, but only for some images and CSS stylesheets. Now it would be great to illustrate the issue by attacking an actual website. What websites out there leak sensitive data via predictable image or CSS URLs?

Nice to see Mozilla having opened access on a bunch of my reports. This Firefox for Android bug was a particularly interesting finding: Universal XSS via pop-up prompts, CVE-2021-29953.

Every now and then my Windows VM tries to trick me into making Edge my standard browser and reminds me why I’m not coming back to Windows.

In the end I gave up and installed Signal in the Android emulator to create the account. Printed out the QR code so that I could show it to the webcam (orientation is important, just using a mirror didn’t work out).

Yes, Signal for desktop is still being neglected.

Show thread

But even if you (like me) waste considerable time to jump through all the hoops and activate your account regardless, your account ends up semi-broken: profile editing fails.

Show thread

Things got considerably worse in the past years. The process of setting up a standalone desktop version of got more complicated and is broken even in the development version where it is enabled. There is a pull request to fix this which itself became broken.

Show thread

Your regular reminder: when using Chrome, you are the product. Chrome is merely a vehicle to provide Google services with a competitive advantage.

This Twitter post cites court documents showing how Google leverages its browser to reliably track users, all while restricting tracking capabilities of competition.

Here is your regular reminder that text messages (SMS) are neither private nor secure. This company handles billions of messages, yet it only managed to detect a hack after five years and doesn’t bother to disclose the scope of the breach. (Via

So if some details get lost in the communication, or if they forget about the deadline – I don’t bother either. It’s not my job to remind them about fixing the vulnerability or pointing out remaining issues. I’ll just publish the details when the deadline arrives.

Show thread

I realized that I (somewhat subconsciously) changed my vulnerability communication. I think that I’ll keep it this way.

Most companies don’t bother keeping me in the loop, saying “thank you” or even merely confirming that they received the report.

Remember Keepa, the browser extension that essentially enrolls your computer into a botnet extracting Amazon data? New article looks at their security issues. Spoiler: they didn’t quite manage to keep that functionality to themselves.

“Somebody accidentally null-routes the domain that all of internal and external company services depend on” wasn’t a risk I ever considered until today…

Thinking about it, recovering from that when you have almost no means of communicating with each other is… hard.

Relaxing the default Content Security Policy in a browser extension is generally a bad idea, especially for an extension with access to each and every website. If you need proof, the Custom Cursor extension (6 million users) delivers.

Oh look, it’s Xiaomi once again. Anyone taking bets that they will shrug away this scandal as well without any meaningful changes?


> Phones sold in Europe by China's smartphone giant Xiaomi have "a built-in ability to detect and censor terms such as 'Free Tibet', ‘Long live Taiwan independence‘ or ‘democracy movement‘, Lithuania's state-run cybersecurity body said on Tuesday.

Results of my experiment reporting an Amazon XSS via Open Bug Bounty:

· Reported on 2021-03-08
· Automatically disclosed on 2021-06-06, still unpatched
· Actually fixed at some point before 2021-09-17

No idea whether Amazon even received the original report. Maybe they only noticed because someone started exploiting this vulnerability. So: no, not sure whether I want to do this again.

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.