Remember me writing about Custom Cursor extension exposing a massive attack surface? If you are one of their users, I sincerely recommend Cute Cursors. It does pretty much the same thing but without any of the downsides. User numbers should reflect that…
Found out that https://storage.live.com/mydata/myprofile/expressionprofile/profilephoto:Win8Static/me always points to your Microsoft account’s avatar. This will do: reading out this image across domain boundaries allows deanonymizing website visitors.
SVG images would work as well, maybe there are real-world websites putting sensitive data into those…
Nice to see Mozilla having opened access on a bunch of my reports. This Firefox for Android bug was a particularly interesting finding: Universal XSS via pop-up prompts, CVE-2021-29953.
In the end I gave up and installed Signal in the Android emulator to create the account. Printed out the QR code so that I could show it to the webcam (orientation is important, just using a mirror didn’t work out).
Yes, Signal for desktop is still being neglected.
But even if you (like me) waste considerable time to jump through all the hoops and activate your account regardless, your account ends up semi-broken: profile editing fails.
Your regular reminder: when using Chrome, you are the product. Chrome is merely a vehicle to provide Google services with a competitive advantage.
This Twitter post cites court documents showing how Google leverages its browser to reliably track users, all while restricting tracking capabilities of competition.
Here is your regular reminder that text messages (SMS) are neither private nor secure. This company handles billions of messages, yet it only managed to detect a hack after five years and doesn’t bother to disclose the scope of the breach. (Via @email@example.com)
So if some details get lost in the communication, or if they forget about the deadline – I don’t bother either. It’s not my job to remind them about fixing the vulnerability or pointing out remaining issues. I’ll just publish the details when the deadline arrives.
Remember Keepa, the browser extension that essentially enrolls your computer into a botnet extracting Amazon data? New article looks at their security issues. Spoiler: they didn’t quite manage to keep that functionality to themselves. #infosec #security
Relaxing the default Content Security Policy in a browser extension is generally a bad idea, especially for an extension with access to each and every website. If you need proof, the Custom Cursor extension (6 million users) delivers. #infosec #security
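As an added illustration of the point above (example code, not from the original post or the Custom Cursor extension), here is a small linter that parses the `content_security_policy` entry of an extension manifest and flags every `script-src` source other than `'self'` or `'none'`. It assumes Chrome's Manifest V2 default policy of `script-src 'self'; object-src 'self'` when the key is absent and also accepts the Manifest V3 `extension_pages` form; the two sample manifests and the host name `cdn.example.com` are constructed for the demonstration.

```javascript
// Parse a CSP string such as "script-src 'self' https://x; object-src 'self'"
// into { directive: [sources...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Only these keep script execution confined to the extension's own package.
const SAFE_SCRIPT_SOURCES = new Set(["'self'", "'none'"]);

// Return every script-src source that widens the default policy: remote hosts,
// scheme wildcards, 'unsafe-eval', 'unsafe-inline', and so on. Falls back to
// default-src when script-src is not given, as CSP itself does.
function findRiskyScriptSources(policy) {
  const directives = parseCsp(policy);
  const sources = directives['script-src'] || directives['default-src'] || [];
  return sources.filter((src) => !SAFE_SCRIPT_SOURCES.has(src.toLowerCase()));
}

// Chrome applies this policy to MV2 extensions that omit the key (assumed default).
const MV2_DEFAULT_CSP = "script-src 'self'; object-src 'self'";

// Accepts both the MV2 string form and the MV3 object form of the key.
function extractExtensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (csp === undefined) return MV2_DEFAULT_CSP;
  if (typeof csp === 'string') return csp;          // Manifest V2
  return csp.extension_pages || MV2_DEFAULT_CSP;    // Manifest V3
}

function lintManifestCsp(manifest) {
  const policy = extractExtensionCsp(manifest);
  const risky = findRiskyScriptSources(policy);
  return { ok: risky.length === 0, policy, risky };
}

// Constructed sample: an extension with access to every site that has relaxed
// the policy to load scripts from a CDN and allow eval (the pattern to avoid).
const weakManifest = {
  manifest_version: 2,
  name: 'Example Cursor Extension (constructed)',
  permissions: ['<all_urls>'],
  content_security_policy:
    "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
};

// Constructed sample: the same extension keeping Chrome's default policy.
const hardenedManifest = {
  manifest_version: 2,
  name: 'Example Cursor Extension (constructed)',
  permissions: ['<all_urls>'],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

console.log(lintManifestCsp(weakManifest));
// -> ok: false, risky: [ 'https://cdn.example.com', "'unsafe-eval'" ]
console.log(lintManifestCsp(hardenedManifest));
// -> ok: true, risky: []
```

Any non-empty `risky` list means a compromised or hijacked remote origin (or an eval of attacker-controlled strings) runs with the extension's full privileges, which on an extension with `<all_urls>` access means every website the user visits.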
Oh look, it’s Xiaomi once again. Anyone taking bets that they will shrug away this scandal as well without any meaningful changes?
> Phones sold in Europe by China's smartphone giant Xiaomi have "a built-in ability to detect and censor terms such as 'Free Tibet', 'Long live Taiwan independence' or 'democracy movement'", Lithuania's state-run cybersecurity body said on Tuesday.
Results of my experiment reporting an Amazon XSS via Open Bug Bounty:
· Reported on 2021-03-08
· Automatically disclosed on 2021-06-06, still unpatched
· Actually fixed at some point before 2021-09-17
No idea whether Amazon even received the original report. Maybe they only noticed because someone started exploiting this vulnerability. So: no, not sure whether I want to do this again.
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant
A Mastodon instance for info/cyber security-minded people.