Pinned toot

I post about technical topics here, especially , , . My other account social.tchncs.de/@WPalant is for German-language non-technical stuff.

Turns out, the Unwebpack script in my JS Analysis repo was only accepting and no bundles. No idea how I got these mixed up, but now both are supported, to some degree. Webpack output can vary a lot, I have only some scenarios covered.

github.com/palant/js-analysis/

I only noticed this page as a fake because of the language being wrong. And using Chrome, accessing the same page results in a convincing-looking Chrome error page. I’d expect some malicious activity here, but there don’t seem to be any scripts whatsoever.


That’s a weird one – the below is an exact copy of Firefox’ about:neterror page, but it’s apparently being served by (?) as a 404 page. It’s even using browser’s own scripts and styles which is rather dangerous since these could change. I fail to see the point…

Being a senior engineer, I spend most of my time searching the web for a solution. Part of being experienced is knowing just how much you don’t know. If you are lucky, you remember coming across a problem before, which gives you a rough direction to guide the search.

RT @ashleymcnamara@twitter.com:

> It would be cool if more senior engineers would admit that they don’t have everything all figured out so the junior folks didn’t have such unrealistic expectations.

people might find the concept familiar:

> “Swiss cheese model” for prevention - no layer alone is sufficient, but ALL layers together will limit leaks through the holes! 🧀 😋

twitter.com/jkwan_md/status/13

A few days ago some CEO announced that making “killing Black people is wrong” an official company stance would go too far, so he’d rather ban all talking about “politics” at work. Some startups happily joined in already. And that’s why the tech industry can’t have nice things…

twitter.com/jenistyping/status

The return of HTTP Response Splitting…

Redirects allowing header injection used to be easy to turn into . Browsers improved but loopholes are still found every now and then. So now it’s empty Location header on Chrome and Location: ws:// on Firefox.

gremwell.com/firefox-xss-302
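As an added example (not code from the toot or the linked article), here is how a redirect handler can reject the cases the toot names: CR/LF header injection, an empty Location, and a non-http(s) scheme such as ws://. The function names, the allow-list of redirect hosts and the sample inputs are assumptions constructed for illustration.

```python
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# Only plain web schemes may be redirected to; ws:// and friends are refused.
ALLOWED_SCHEMES = {"http", "https"}
# Any ASCII control character (CR, LF, NUL, ...) would end or corrupt the header line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_location(target: str) -> str:
    """'Before' form: the caller-supplied value is pasted into the header unchecked."""
    return "Location: " + target


def safe_redirect_location(target: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Return a validated Location value, or None if the target must be refused.

    Accepts a same-site relative path ("/account") or an absolute http(s) URL
    whose host is on the allow-list. Everything else, including an empty value,
    a value containing control characters, or a ws:// URL, is rejected so the
    caller can fall back to a fixed safe page instead of emitting the header.
    """
    if not target or CONTROL_CHARS.search(target):
        return None
    # Relative path on this site; "//host/..." is scheme-relative and NOT same-site.
    if target.startswith("/") and not target.startswith("//"):
        return target
    try:
        parts = urlsplit(target)
        host = parts.hostname  # may raise ValueError on malformed IPv6 literals
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not host or host.lower() not in allowed_hosts:
        return None
    return target


if __name__ == "__main__":
    hosts = {"shop.example"}
    for candidate in ("https://shop.example/thanks", "/account", "",
                      "ws://shop.example/", "//evil.example/",
                      "https://shop.example/\r\nSet-Cookie: sid=x"):
        print(repr(candidate), "->", safe_redirect_location(candidate, hosts))
```

Modern web frameworks already refuse CR/LF inside header values; the scheme and host checks are what stop the empty-Location and ws:// variants the toot mentions.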

Stumbled upon an email from a former employer titled „Reducing phone costs when in the office“ and listing 1225 employees in the To field. Yes, those were some times…

So when I order something in a -based shop, and they show the shipping address on the map in the order confirmation – they implicitly tell Maps which shops I buy at and when, and there is no opt out? How convenient…

The thought is funny: a vendor getting into trouble because they store passwords as plain text and run antivirus on the machine. But the amount of damage this could do is scary. If the antivirus chooses to remove the file, this could render the entire database inoperable.


Now I’m actually tempted to add an option to my PfP password manager that would append “X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*” to generated passwords…

twitter.com/taviso/status/1309

I can only urge everybody to use search engines with a strong commitment to privacy. These are , and at the very least.

It is also advisable to restrict access to your location data to the few apps absolutely needing it.


Any search queries made via that app were stored and associated with your device ID, GPS location and various other pieces of data. The user’s name wasn’t there, but this kind of data often allows deducing it as has been demonstrated before. Your searches tell a lot about you…


The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data?

wizcase.com/blog/bing-leak-res

Just in case you wondered how Twitter decides which part of the picture to show: it centers on faces. That’s white faces of course, and preferably male. Have a look at the full images here and at some other attempts in the thread.

twitter.com/NotAFile/status/13

Saw this gem in my logs, some bot masquerading as Googlebot but being really stupid about the referrer header, even leaving the anchor in the URL. The IP range indeed belongs to Google – Google Cloud Platform in fact. I guess I found my email scraper…

I’ve actually seen a very similar approach from before – rather than fixing the issue, they blacklisted a string from my proof of concept. Minimal change and the exploit was working again. palant.info/2019/11/27/assorte

RT: twitter.com/jeffmcjunkin/statu

Update: today ’s @salltweets@twitter.com published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing however is some statement on the privacy issues. Will these be fixed as well eventually?


Yes, the vulnerability disclosure process is often a messy affair. But this mess here shadows everything I've seen so far.


The bad news: @salltweets@twitter.com threatens to sue the researchers unless they let her approve the publication first. They kindly decline, as they should. And she shares that communication publicly as well, somehow assuming that it puts her in a better light?

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.