I only noticed this page as a fake because of the language being wrong. And using Chrome, accessing the same page results in a convincing-looking Chrome error page. I’d expect some malicious activity here, but there doesn’t seem to be any scripts whatsoever.
That’s a weird one – the below is an exact copy of Firefox’ about:neterror page, but it’s apparently being served by #Cloudflare (?) as a 404 page. It’s even using the browser’s own scripts and styles, which is rather dangerous since these could change. I fail to see the point…
Being a senior engineer, I spend most of my time searching the web for a solution. Part of being experienced is knowing just how much you don’t know. If you are lucky, you remember coming across a problem before, which gives you a rough direction to guide the search.
> It would be cool if more senior engineers would admit that they don’t have everything all figured out so the junior folks didn’t have such unrealistic expectations.
#infosec people might find the concept familiar:
> “Swiss cheese model” for #COVID19 prevention - no layer alone is sufficient, but ALL layers together will limit leaks through the holes! 🧀 😋
A few days ago some CEO announced that making “killing Black people is wrong” an official company stance would go too far, so he’d rather ban all talking about “politics” at work. Some startups happily joined in already. And that’s why the tech industry can’t have nice things…
The thought is funny: a vendor getting into trouble because they store passwords as plain text and run antivirus on the machine. But the amount of damage this could do is scary. If the antivirus chooses to remove the file, this could render the entire database inoperable.
Now I’m actually tempted to add an option to my PfP password manager that would append “X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*” to generated passwords…
Any search queries made via that app were stored and associated with your device ID, GPS location and various other pieces of data. The user’s name wasn’t there, but this kind of data often allows deducing it as has been demonstrated before. Your searches tell a lot about you…
The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data? #privacy #Microsoft #Bing #infosec
Just in case you wondered how Twitter decides which part of the picture to show: it centers on faces. That’s white faces of course, and preferably male. Have a look at the full images here and at some other attempts in the thread. #AI
I’ve actually seen a very similar approach from #Kaspersky before – rather than fixing the issue, they blacklisted a string from my proof of concept. Minimal change and the exploit was working again. https://palant.info/2019/11/27/assorted-kaspersky-vulnerabilities/#is-this-fixed
Update: today #Giggle’s @email@example.com published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing however is some statement on the privacy issues. Will these be fixed as well eventually?
Yes, the vulnerability disclosure process is often a messy affair. But this mess here shadows everything I’ve seen so far.
The bad news: @firstname.lastname@example.org threatens to sue the researchers unless they let her approve the publication first. They kindly decline, as they should. And she shares that communication publicly as well, somehow assuming that it puts her in a better light?
Software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant