Yellow Flag @WPalant@infosec.exchange
- Website
- https://palant.info/
- https://twitter.com/WPalant
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Joined Aug 2018
I changed the approach used by my js-analysis framework to generate more memorable random variable names. I think it works. 🤪
TIL that the Google Translate browser extension released by Google in year 2022 relaxes its script Content Security Policy in order to load data from the Google Translate host via JSONP. 🤯
Every time I send in a 1500 words vulnerability report, I sort of expect a response like this one. Then again, if I keep it short chances are they won’t get the issue or impact. Or won’t know what to do with it. 😢
Found it, both the original (Russian game from 1989, runnable in an MSX emulator) and a Windows remake with worse (!) visuals. Screenshot shows the original.
Somebody left an off-topic comment on my blog. I wondered whether I should just delete it silently or notify the author. Opted for the latter and received the reply below.
Yes, I should really disable comments after a year. No need to encourage people writing „free content.“
And sometimes it’s not the end of the story. There is another massive “visitor” spike at 2 AM. Turns out, that’s another 800 Fediverse servers because @nolan posted a link to this article. And he has a larger followership than me, meaning more Fediverse servers who need to fetch metadata. 😀
This is what my stats for an article look like immediately after I post it. Hi 346 Fediverse servers, I love you too. 😂
I’ve looked through the available info and everything adds up. Yes, it seems that activists managed to archive at least 30TB of #Parler data. It’s now safe to use the past tense when speaking about Parler. Even ignoring the technical difficulties, there is no coming back from that.
Hi #Twitter, this “browser” is the current Thunderbird release, a mail and RSS client. Its capabilities are no different from Firefox 78. How about you detect Gecko rather than detecting Firefox?
Better yet, do feature detection instead of UA sniffing: https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent
Wonderful how #Exim team fully recognizes that the use_shell option is a massive security footgun. So they warn users. In a separate document, not linked from the option’s documentation. Never mind not explaining which characters are ok, so users are bound to get it wrong.
In case you were wondering when we will notice the effects of #Mozilla layoffs…
As I’m upgrading to Ubuntu 20.10, I’m left wondering how bugs like this one make it into the final release. Probably because everybody upgrading to the beta thought: “Oh, they’ll certainly update that before the release”?
“And so the Honey extension also has [obfuscated JavaScript] VIM code that will run in the context of the extension’s background page. It seems that the purpose of this code is extracting user identifiers from various advertising cookies.” #Honey
“This time, there is no point decoding the base64-encoded data: the result will be binary garbage. As it turns out, the data here has been encrypted using AES, with the start of the string serving as the key.” #Honey
“Are you saying document.querySelector()? No, guess again. Is anybody saying jQuery? Yes, of course it is using jQuery for extension code as well! And that means that every selector could be potentially booby-trapped.” #Honey
“Why did they even bother with this complicated approach? Beats me. I can only imagine that they had trouble with shops using CSP in a way that prohibited execution of arbitrary scripts. So they decided to run the scripts outside the browser where CSP couldn’t stop them.” #Honey
- Website
- https://palant.info/
- https://twitter.com/WPalant
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Joined Aug 2018
