An interesting detail about the Teleparty extension: they did a pretty good job protecting against XSS vulnerabilities. Yet thwarted their efforts, falling back to a data source they didn’t expect.

For a while I was suspecting that Microsoft wouldn’t fix these flaws in their abandoned Skype extensions, but they finally did. The extension exposed your identity to websites despite essentially all of its functionality being broken.

There is lots of confusion about how someone got their hands on lots of master passwords, and the official LastPass statement is certainly not helping. I analyzed the possible scenarios to find out what most likely happened here.

Maybe I can distract some people from vulnerable Java libraries. This funny cat walking across your tabs? It somehow ended up having pretty much the most severe vulnerability possible for a browser extension.

Remember Keepa, the browser extension that essentially enrolls your computer into a botnet extracting Amazon data? A new article looks at their security issues. Spoiler: they didn’t quite manage to keep that functionality to themselves.

Relaxing the default Content Security Policy in a browser extension is generally a bad idea, especially for an extension with access to each and every website. If you need proof, the Custom Cursor extension (6 million users) delivers.

Probably not surprising but the browser extension “Keepa – Amazon Price Tracker” is keeping close track on your shopping behavior. What makes this case particularly notable is its privacy policy which claims otherwise.

I looked into the Ninja Cookie extension and found it really sloppy with security. I don’t know why after three months they only managed to address the biggest issue; they never wrote back after acknowledging my initial report.

The Print Friendly & PDF browser extension allowed any website to completely take over the extension. Considerable attack surface remains, and the Firefox version is still vulnerable (exploitation is slightly more complicated there).

Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server.

Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users.

Those of you who report security vulnerabilities, do you also request identifiers for them? Maybe also explain in the comments how the overhead is worth it for you. I’m still undecided on the topic.

Oh, and by the way: can we make “thou shalt not sanitize HTML with regexps” a thing? It seems that not everybody heard that yet…
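As an added illustration of the point above (example code written for this page, not code from the post or from any of the projects mentioned in it), here are two regex-only "sanitizers" of the kind still found in the wild, each with a constructed input that slips past it, followed by the approach that actually holds up when you only need to display text: escaping instead of sanitizing.

```javascript
// Added example, not from the original post. All inputs below are constructed
// for demonstration; nothing here refers to a specific product.

// Naive sanitizer 1: strip <script> elements with a single, non-recursive regex.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Naive sanitizer 2: strip on* event-handler attributes, assuming whitespace
// always precedes an attribute name.
function stripEventHandlers(html) {
  return html.replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Bypass for sanitizer 1: the regex removes the inner "<script></script>",
// and the surrounding pieces reassemble into a fresh script element.
const SPLIT_TAG_BYPASS = "<scr<script></script>ipt>alert(1)</script>";

// Bypass for sanitizer 2: HTML tokenizers accept "/" as an attribute separator,
// so no whitespace precedes "onload" and the regex never matches.
const SLASH_ATTRIBUTE_BYPASS = "<svg/onload=alert(1)>";

// Robust alternative when the output is meant to be plain text: escape every
// character that has meaning to the HTML parser, so no markup survives.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Returns what each sanitizer leaves behind for its bypass payload, so the
// failure is visible as data rather than only as a printed line.
function demonstrateBypasses() {
  return {
    afterStripScriptTags: stripScriptTags(SPLIT_TAG_BYPASS),
    afterStripEventHandlers: stripEventHandlers(SLASH_ATTRIBUTE_BYPASS),
    escapedSplitTag: escapeHtml(SPLIT_TAG_BYPASS),
  };
}

console.log(demonstrateBypasses());
// afterStripScriptTags:    "<script>alert(1)</script>"  (sanitizer 1 defeated)
// afterStripEventHandlers: "<svg/onload=alert(1)>"      (sanitizer 2 defeated)
// escapedSplitTag:         no "<" or ">" left, renders as inert text
```

If rich markup has to be preserved rather than escaped, the answer is a real HTML parser with an element and attribute allowlist (DOMPurify in the browser, for instance), never a regex.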

I realized today that some applications out there still use for non-legacy reasons. I really have no idea why anybody would do that in year 2020. It’s a very questionable decision security-wise, and it has no usability benefits either.

people might find the concept familiar:

> “Swiss cheese model” for prevention - no layer alone is sufficient, but ALL layers together will limit leaks through the holes! 🧀 😋

The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data?

Publishing details of some BullGuard Antivirus and Secure Browser vulnerabilities. Getting in touch to report these was rather tough, but all is fixed now and I am good to publish, one week before the 90-day deadline.

You know, I rarely look into binary code, my reverse engineering skills being rudimentary. I mostly investigate the JavaScript code of applications. So I am amazed by the fact that I published three (!) RCE vulnerabilities in antivirus applications this year. 1/5

A vulnerability with the unspectacular official title "Insufficient URL sanitization and validation in Safepay Browser" actually allowed any website to take over your computer, from any browser, thanks to the Online Protection feature.

When you do coordinated disclosure, do you also see companies pushing announcements of big scary vulnerabilities to a Friday? If so, how do you deal with it?

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.