It seems that he has shut down most of his websites hosting copycat content, that’s good news. Yes, even the one with copyright message replaced by “See you in court.” However, he has set up a new fake company website and a Twitter account for it. 🙄
The Print Friendly & PDF browser extension allowed any website to completely take over the extension. Considerable attack surface remains, and Firefox version is still vulnerable (exploitation slightly more complicated there). #XSS #infosec #BugBounty
Don’t get me wrong, deepfakes are a concern. But apparently not big enough a concern yet that we need to worry about a mom manipulating videos in order to harass her daughter’s competition. Harassment with a real video is enough to get her indicted.
So whoever compromised the PHP source code repository did so by pushing via HTTPS with password-based auth. They had to guess usernames. Sounds like a password reuse issue: the password leaked elsewhere, so they didn’t know the matching username.
So apparently the leaked data of 533 million Facebook users came from a 2019 breach that wasn’t previously disclosed after all. Not just that, Facebook chose not to notify the users affected either. Yes, totally reasonable and responsible behavior, as you would expect.
Great blog post, explaining how linked list questions in job interviews had their time and place in the 80s. Also showing how the cargo culting likely happened which made them still popular today despite being largely pointless.
After loosing RSS feeds again in Thunderbird I got fed up and reported the bug. Looks like it has good chances to get fixed! https://bugzilla.mozilla.org/show_bug.cgi?id=1701414
Free Software Foundation Europe is severing its ties to FSF. Yes, at this stage it’s the only right decision.
For anybody concerned that my previous article on Amazon Assistant only discussed potential threats: here is the actual data being collected for “analytics” purposes. Lots of it and linked to the user’s Amazon account. #amazon #privacy
How did they end up with this? Just how? 😭
I keep looking for something making this considerably more advanced than the proxy modules I implemented for PfP (5 kB of code). Yes, somewhat pointless privilege checking – a trivial addition. Yes, publish/subscribe model for events – not a big deal either. Nothing there…
There are factories creating exactly one type of object. Superclasses with exactly one subclass. And lots of message serializers – one module for each type of message. Didn’t anybody think of generalizing message creation? But lots of pointless generalization here.
I’m still looking into Amazon Assistant code a bit, and the overengineering level of this whole thing is astonishing. The UBPClient library is 760 kB of code which are duplicated all over the place. Merely for communication between different frames.
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant
A Mastodon instance for info/cyber security-minded people.