I recently posted about parser mismatch vulnerabilities, which I think are deeply underappreciated. But I didn't explain what to *do* about them!

So, my latest post discusses all of the techniques I know of for mitigating or even entirely preventing them:

brainonfire.net/blog/2022/04/2

I'd love to hear what people think!

I absolutely love it when somebody takes my blog post and makes it much easier to understand while staying correct on the technical details. Thanks a lot @duckblog@twitter.com!

nakedsecurity.sophos.com/2022/

I’ve really dropped the ball recently, normally I’d communicate with the vendors prior to the publication deadline of a vulnerability. Recently I’ve been too preoccupied for that. Sadly, the result of the accidental experiment is: without nudging vendors indeed won’t do anything.

Wow, is in full damage control mode. Very disappointing.

They released an update today, two days after my blog post, finally restricting the attack surface to five subdomains. And they released a blog post on the topic. But they don’t tell people that the fix was released today. Instead, they claim to have fixed the issue back in February. And talk about “a series of hypothetical steps” instead of admitting that there was/is an issue.

Interestingly, someone already wondered whether the Screencastify extension would be a privacy risk. So they asked on Stack Exchange. Almost three years later I could finally give them a proper answer. Too bad they deleted their account in the meantime.

security.stackexchange.com/a/2

A day after the publication of this article Screencastify released an update to their extension. Could it be that they had a fix for the issues in the pipeline and released it now? Sorry, no. This update is about adjustments to pricing…

Life achievements:

✅ Getting called “privacy guru” by a notable publication

Do actually popular Linux distributions exist where KDE is the main focus rather than a side story? I’m getting somewhat fed up with Kubuntu and thinking about switching…

Somehow I was certain that I published this article months ago. Sadly, Screencastify didn’t really use the extra time. Their extension is still a very dangerous toy, not quite validating who it provides with webcam or Google Drive access.

palant.info/2022/05/23/hijacki

Interesting how I started out using serde_json in with all custom Serializer and Deserializer implementations. Hey, I have historically grown serialization formats that are complicated to handle generically!

And now it’s almost no custom code at all…

And: done. Migrated to a Rust crate with far more sane code. While it required more manual work, there is no more weird cross-platform breakage.

So this Rust crate is depending on this weird other crate…
Oh, it was written by someone with even less Rust understanding than me…
Oh my, it is handling command lines… Good thing this is only for tests.
Wait, the crate I’m actually using is written by the same person?

Sorry, I’m busy right now. I have to go find another Rust crate to use for my tests.

You all seem to be used to getting these. I barely ever did, must be doing something wrong. 😂

Modern scams: a self-proclaimed “Research Haker” is apparently mass-scanning domains and reporting missing SPF records (which he confuses with DMARC) to the owners. He calls that a “security vulnerability” and expects a bug bounty for his “ethical” report.

Oh, and it was my second Stack Overflow question ever. Which even received an answer that addressed the issue.

stackoverflow.com/a/72090978/7

I feel honored having hit an apparently very uncommon issue after merely a week of learning .

“There aren't many places outside of the Fn traits where we encounter HRTBs”

My code seems to be one of those places. 🥳

doc.rust-lang.org/nomicon/hrtb
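As an added illustration of the nomicon quote above (this is example code, not the poster's own code and not from the linked page), here is a higher-ranked trait bound that has nothing to do with the `Fn` traits. The `Parse<'a>` trait is hypothetical, modelled on the shape of serde's `Deserialize<'de>`: a borrowing parser may keep references into its input, so a function that parses from a buffer it owns must demand `for<'a> T: Parse<'a>`, i.e. that `T` can be parsed from input of *any* lifetime.

```rust
// Added example: a higher-ranked trait bound (HRTB) outside the Fn traits.
// `Parse<'a>` is a hypothetical borrowing parser trait (not a real crate API).
trait Parse<'a>: Sized {
    fn parse(input: &'a str) -> Result<Self, String>;
}

/// A record that borrows the name field from its input.
#[derive(Debug, PartialEq)]
struct Borrowed<'a> {
    name: &'a str,
    value: u32,
}

impl<'a> Parse<'a> for Borrowed<'a> {
    fn parse(input: &'a str) -> Result<Self, String> {
        // Constructed mini-format: "name = number".
        let (name, value) = input
            .split_once('=')
            .ok_or_else(|| format!("missing '=' in {input:?}"))?;
        let value = value.trim().parse::<u32>().map_err(|e| e.to_string())?;
        Ok(Borrowed { name: name.trim(), value })
    }
}

/// A record that owns its data and therefore parses from input of any lifetime.
#[derive(Debug, PartialEq)]
struct Owned {
    name: String,
    value: u32,
}

impl<'a> Parse<'a> for Owned {
    fn parse(input: &'a str) -> Result<Self, String> {
        let b = Borrowed::parse(input)?;
        Ok(Owned { name: b.name.to_string(), value: b.value })
    }
}

/// Decodes `data` into a local buffer and parses it. The buffer is dropped when
/// this function returns, so `T` must be parseable for *every* input lifetime:
/// that is exactly what `for<'a> Parse<'a>` expresses. `Borrowed<'_>` cannot
/// satisfy it (it would point into the dead buffer); `Owned` can.
fn parse_from_owned_buffer<T>(data: Vec<u8>) -> Result<T, String>
where
    T: for<'a> Parse<'a>,
{
    let text = String::from_utf8(data).map_err(|e| e.to_string())?;
    T::parse(&text)
}

fn main() {
    let raw = b"timeout = 30".to_vec(); // constructed sample input
    let rec: Owned = parse_from_owned_buffer(raw).unwrap();
    println!("{rec:?}");
    // This would be rejected by the compiler, since Borrowed<'_> only
    // implements Parse for one specific lifetime, not for all of them:
    // let bad: Borrowed = parse_from_owned_buffer(b"x=1".to_vec()).unwrap();
}
```

The same pattern is why serde offers `DeserializeOwned` as a shorthand for `for<'de> Deserialize<'de>`: any API that deserializes from a buffer it does not hand back to the caller needs the higher-ranked form of the bound.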

It’s about time. There really is no valid use case for document.domain these days. I was certain that no modern web app would still use it. That’s before I found it being used by Adobe websites of course. And before they refused to get rid of it.

portswigger.net/daily-swig/dis

One thing few people actually realize: subtle breakage and security issues in OpenSSL cli are perfectly fine. 😈

“At the end of the day, OpenSSL is a *library*, not an end-user product, and enc(1) and friends are developer utilities and "demo" tools.”

mail-archive.com/openssl-users

Re: @IAmMandatory@twitter.com:

> I swear the openssl CLI was designed to waste eng time lmao

twitter.com/IAmMandatory/statu

I’m learning Rust by writing a command-line version of PfP. At 40 kB the code is somewhat complex already, and I’ve done several refactorings as I learn to use the language properly. But once it compiles the code just… works? Refreshing compared to C++.

github.com/palant/pfp-cli/

Even today, only one out of these six issues is fully resolved. The main issue had its scope reduced but is still present as well. That’s not how I usually publish. Unfortunately, I don’t think delaying this article and giving Adobe more time would have improved matters here.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.