“And so the Honey extension also has [obfuscated JavaScript] VIM code that will run in the context of the extension’s background page. It seems that the purpose of this code is extracting user identifiers from various advertising cookies.”

“This time, there is no point decoding the base64-encoded data: the result will be binary garbage. As it turns out, the data here has been encrypted using AES, with the start of the string serving as the key.”

“Are you saying document.querySelector()? No, guess again. Is anybody saying jQuery? Yes, of course it is using jQuery for extension code as well! And that means that every selector could be potentially booby-trapped.”
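The hazard behind that remark, as an added example (not code from the original thread or from the Honey extension): jQuery's `$()` decides whether a string is a selector or HTML markup before it ever queries the DOM, so a "selector" taken from server-supplied configuration can turn into element creation. The check below reproduces that decision for both pre-1.9 and current jQuery (regexes modelled on jQuery's source) and guards strings that extension code must still pass to `$()`; the function names and sample selectors are mine.

```javascript
// Added example: emulate jQuery's "selector or HTML?" decision so extension
// code can refuse strings that $() would turn into freshly created nodes.

// jQuery < 1.9: markup anywhere in the string counts as HTML.
const RQUICK_LEGACY = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery >= 1.9: the string must start with "<" (after optional whitespace).
const RQUICK_MODERN = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

/**
 * True when $(str) would parse `str` as HTML and create nodes instead of
 * querying the document. `legacy` emulates jQuery versions before 1.9.
 */
function jqueryWouldParseAsHtml(str, legacy = false) {
  if (typeof str !== "string" || str.length === 0) return false;
  if (legacy) {
    const m = RQUICK_LEGACY.exec(str);
    return Boolean(m && m[1]);
  }
  // Modern jQuery fast path: "<...>" with nothing outside the brackets.
  if (str[0] === "<" && str[str.length - 1] === ">" && str.length >= 3) {
    return true;
  }
  const m = RQUICK_MODERN.exec(str);
  return Boolean(m && m[1]);
}

/**
 * Guard for selectors that originate outside the extension (server config,
 * page content). Throws rather than letting $() build elements. Code that
 * cannot avoid jQuery should prefer $(document).find(sel) or
 * document.querySelector(sel), which never treat a string as markup.
 */
function guardedSelector(str, legacy = false) {
  if (jqueryWouldParseAsHtml(str, legacy)) {
    throw new Error("refusing selector that jQuery would treat as HTML: " + str);
  }
  return str;
}

// Constructed inputs resembling a per-shop selector list.
const SAMPLE_SELECTORS = [
  "#checkout-total",          // plain id selector
  ".cart .price",             // plain class selector
  "<b id=injected>x</b>",     // markup: $() creates a node in every version
  "div <b id=injected>x</b>", // markup mid-string: only legacy jQuery bites
];

// Classify each sample under the chosen jQuery generation.
function classify(selectors, legacy = false) {
  return selectors.map(s => ({ selector: s, html: jqueryWouldParseAsHtml(s, legacy) }));
}
```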

“Why did they even bother with this complicated approach? Beats me. I can only imagine that they had trouble with shops using CSP in a way that prohibited execution of arbitrary scripts. So they decided to run the scripts outside the browser where CSP couldn’t stop them.”

“So is this some outdated functionality that is no longer in use and that nobody bothered removing yet? Very likely. Yet it could jump to life any time to collect more detailed information about your browsing habits.”

“So that’s where this Honey privacy statement is clearly wrong: while the data collected doesn’t contain your email address, Honey makes sure to associate it with your account among other things. And the account is tied to your email address.”

That’s a weird one – the below is an exact copy of Firefox’s about:neterror page, but it’s apparently being served by (?) as a 404 page. It’s even using the browser’s own scripts and styles, which is rather dangerous since these could change. I fail to see the point…

Saw this gem in my logs, some bot masquerading as Googlebot but being really stupid about the referrer header, even leaving the anchor in the URL. The IP range indeed belongs to Google – Google Cloud Platform in fact. I guess I found my email scraper…

Update: today @salltweets@twitter.com published a new statement. It’s a good first step, though for my taste it’s a bit thin on reflection of her own role in this mess. What’s still missing, however, is some statement on the privacy issues. Will these be fixed as well eventually?

The bad news: @salltweets@twitter.com threatens to sue the researchers unless they let her approve the publication first. They kindly decline, as they should. And she shares that communication publicly as well, somehow assuming that it puts her in a better light?

Somehow, the email communication still happened, the right person received the report and confirmed it. So a bit later today @salltweets@twitter.com started sharing the image below – without retracting any of her claims, somehow assuming that this reinforces her points.

So today she proceeded by once again attacking the researchers and criticizing journalists who were asking her about the security vulnerability, restating that it didn't exist.

And she claims that @DI_Security@twitter.com researchers publicly called her a transphobe. Not sure what this is about; I could only find a tweet by @daeken@twitter.com, who appears to have no relation to the researchers. Judging by the way @salltweets@twitter.com responded, she thinks otherwise.

She says that they should have emailed the technical department directly – yet from a brief look I cannot find the corresponding email address anywhere. From experience, emailing technical support about vulnerabilities is a bad idea. So Twitter is a valid way to approach a company.

From that point on, things went only downhill. @salltweets vehemently denied the existence of any security issues, claiming that the whole thing is a harassment campaign – despite not having received any details. She sent them a DM but apparently blocked the account later.

According to the researchers, they were first ignored when they attempted to report the issue. Eventually, they received a response but not the kind they hoped for. Not sure why they had to state their disagreement with @salltweets@twitter.com’s views, but it clearly rubbed her the wrong way.

Several people from the Mozilla community felt that I’m building up a conspiracy theory here. That’s not the case, I’m actually quite certain that people are acting with good intentions. Unfortunately, that doesn’t automatically mean that we’ll be happy with the results. Updated my article:

Ouch, typo in the image – 1.81 * 10^19, not 1.81 * 10^20. Also, it's 2.9 J/s, not 29. The end result is correct, I forgot to correct a mistake for intermediate steps. ☹️

There are articles floating around on the company NDB about to produce battery-sized nuclear generators. As with any “revolutionary breakthrough” you might want to take a closer look. I did a rough calculation of what kind of output a power source based on C-14 decay can produce.

I always wonder what kind of algorithm is at work analyzing data, taking great amounts of personal information and deducing all those bogus things about me. For the most part, this is very opaque, but at least with deduced languages it's slightly more obvious. 1/6

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.