Remember Keepa, the browser extension that essentially enrolls your computer into a botnet extracting Amazon data? New article looks at their security issues. Spoiler: they didn’t quite manage to keep that functionality to themselves. #infosec #security
Relaxing the default Content Security Policy in a browser extension is generally a bad idea, especially for an extension with access to each and every website. If you need proof, the Custom Cursor extension (6 million users) delivers. #infosec #security
I looked into the Ninja Cookie extension and found it really sloppy with security. I don’t know why after three months they only managed to address the biggest issue; they never wrote back after acknowledging my initial report. #infosec #xss
The Print Friendly & PDF browser extension allowed any website to completely take over the extension. Considerable attack surface remains, and the Firefox version is still vulnerable (exploitation is slightly more complicated there). #XSS #infosec #BugBounty
Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server. #DuckDuckGo #privacy #infosec
Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users. #privacy #infosec #Amazon
#infosec people might find the concept familiar:
> “Swiss cheese model” for #COVID19 prevention - no layer alone is sufficient, but ALL layers together will limit leaks through the holes! 🧀 😋
The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data? #privacy #Microsoft #Bing #infosec
Publishing details of some BullGuard Antivirus and Secure Browser vulnerabilities. Contacting #BullGuard to report these was rather tough, but all is fixed now and I am good to publish - one week before the 90-day deadline. #infosec #appsec
A #Bitdefender vulnerability with the unspectacular official title "Insufficient URL sanitization and validation in Safepay Browser" actually allowed any website to take over your computer - from any browser, thanks to the Online Protection feature. #infosec
#Signal announced cloud-based backups a month ago, so I am late to the party. Still, I wanted to write down some notes on why 4-digit PINs aren't going to provide real security, no matter how hard one tries.
Thanks to @leip4Ier for bringing this topic to my attention.
I started recording accounts unfollowing me in November last year. One thing became clear however: a very common reason for an unfollow on Twitter is the account being deleted or suspended. I wonder whether that's usual or merely due to so many #infosec people following me...
I investigated the inner workings of #Xiaomi's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.
Pro-tip when running a vulnerability disclosure program: rejecting mails with "malicious" attachments is not a good idea. You might also want to test this in advance and adjust configuration accordingly. Or at least provide an alternative way of uploading PoCs. #infosec
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant