I looked into the Ninja Cookie extension and found it really sloppy with security. I don’t know why, after three months, they only managed to address the biggest issue; they never wrote back after acknowledging my initial report. #infosec #xss
The Print Friendly & PDF browser extension allowed any website to completely take over the extension. Considerable attack surface remains, and the Firefox version is still vulnerable (exploitation is slightly more complicated there). #XSS #infosec #BugBounty
Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server. #DuckDuckGo #privacy #infosec
Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users. #privacy #infosec #Amazon
#infosec people might find the concept familiar:
> “Swiss cheese model” for #COVID19 prevention - no layer alone is sufficient, but ALL layers together will limit leaks through the holes! 🧀 😋
The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data? #privacy #Microsoft #Bing #infosec
Publishing details of some BullGuard Antivirus and Secure Browser vulnerabilities. Contacting #BullGuard to report these was rather tough, but all is fixed now and I am good to publish - one week before 90 days deadline. #infosec #appsec
A #Bitdefender vulnerability with the unspectacular official title "Insufficient URL sanitization and validation in Safepay Browser" actually allowed any website to take over your computer - from any browser, thanks to Online Protection feature. #infosec
#Signal announced cloud-based backups a month ago, so I am late to the party. Still, I wanted to write down some notes on why 4-digit PINs aren't going to provide real security, no matter how hard one tries.
Thanks to @leip4Ier for bringing this topic to my attention.
I started recording accounts unfollowing me in November last year. One thing became clear however: a very common reason for an unfollow on Twitter is the account being deleted or suspended. I wonder whether that's usual or merely due to so many #infosec people following me...
I investigated the inner workings of #Xiaomi's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.
Pro-tip when running a vulnerability disclosure program: rejecting mails with "malicious" attachments is not a good idea. You might also want to test this in advance and adjust configuration accordingly. Or at least provide an alternative way of uploading PoCs. #infosec
Long article doing a great job summing up typical issues with bug bounties, with @email@example.com providing valuable insights. Particularly "buying researchers' silence" is the reason I barely do bug bounties any more. #BugBounty #infosec
Yahoo! and AOL implement an account recovery flow which can be summed up as "please hijack me." If you use them, you had better be very certain you control that recovery phone number of yours.
Want to use #jQuery for a new project? Don't, it makes writing secure code unnecessarily complicated. In fact, you should look for a way to get rid of it in your old projects as well, or at least minimize its potential security impact. #infosec #xss
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant