Those of you who report security vulnerabilities, do you also request identifiers for them? Maybe also explain in comments how the overhead is worth it for you. I’m still undecided on the topic.

Oh, and by the way: can we make “thou shalt not sanitize HTML with regexps” a thing? It seems that not everybody heard that yet…
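As an added illustration of the point above (example code, not from the original post or any project it mentions): a regex that strips `<script>` blocks looks like sanitization but leaves every other way of attaching active content untouched, while a parser-based allowlist keeps only tags and attributes known to be inert. The sample inputs are constructed for the demonstration; the allowlist itself is an assumption about what a given application wants to permit.

```python
import re
from html import escape
from html.parser import HTMLParser

# The "sanitizer" this post warns against: a blacklist regex that only
# knows about <script>...</script>.
SCRIPT_RE = re.compile(r"<script.*?>.*?</script>", re.IGNORECASE | re.DOTALL)


def regex_sanitize(html: str) -> str:
    return SCRIPT_RE.sub("", html)


# Parser-based allowlist: everything not listed here is dropped.
# (Assumed policy for this example; tune it to the application.)
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # drop the text inside these, not just the tags


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip = 0  # >0 while inside a tag whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop it, keep its text content
        parts = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # href is only kept for known-inert URL schemes
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue
            parts.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # e.g. <br/>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escape text so it stays text


def allowlist_sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def contains_active_content(html: str) -> bool:
    """Crude check used only to compare the two approaches."""
    return re.search(r"<script|\son\w+\s*=|javascript:", html, re.IGNORECASE) is not None


# Constructed samples: benign markup, a script block, an event handler, a script URL.
SAMPLES = [
    "<p>Hello <b>world</b></p>",
    "<p>Hi<script>handler()</script></p>",
    '<img src="x" onerror="handler()">',
    '<a href="javascript:void(0)">x</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"input:     {sample}")
        print(f"regex:     {regex_sanitize(sample)!r}  active={contains_active_content(regex_sanitize(sample))}")
        print(f"allowlist: {allowlist_sanitize(sample)!r}  active={contains_active_content(allowlist_sanitize(sample))}")
```

The regex version passes the event-handler and script-URL samples through unchanged because it only ever knew about one tag; the allowlist version never has to enumerate what is dangerous, it only has to describe what is allowed.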

I realized today that some applications out there still use for non-legacy reasons. I really have no idea why anybody would do that in the year 2020. It’s a very questionable decision security-wise, and it has no usability benefits either.

people might find the concept familiar:

> “Swiss cheese model” for prevention - no layer alone is sufficient, but ALL layers together will limit leaks through the holes! 🧀 😋

The data collected by the Microsoft Bing mobile app was apparently exposed to anybody looking. And while this is bad enough by itself, the question to ask is always: why was it necessary to collect such detailed data?

Publishing details of some BullGuard Antivirus and Secure Browser vulnerabilities. Contacting to report these was rather tough, but all is fixed now and I am good to publish - one week before the 90-day deadline.

You know, I rarely look into binary code, my reverse engineering skills being rudimentary. I mostly investigate the JavaScript code of applications. So I am amazed by the fact that I published three (!) RCE vulnerabilities in antivirus applications this year. 1/5

A vulnerability with the unspectacular official title "Insufficient URL sanitization and validation in Safepay Browser" actually allowed any website to take over your computer - from any browser, thanks to the Online Protection feature.

When you do coordinated disclosure, do you also see companies pushing announcements of big scary vulnerabilities to a Friday? If so, how do you deal with it?

announced cloud-based backups a month ago, so I am late to the party. Still, I wanted to write down some notes on why 4 digit PINs aren't going to provide real security, no matter how hard one tries.

Thanks to @leip4Ier for bringing this topic to my attention.

I started recording accounts unfollowing me in November last year. One thing became clear however: a very common reason for an unfollow on Twitter is the account being deleted or suspended. I wonder whether that's usual or merely due to so many people following me...

I investigated the inner workings of 's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.

Pro-tip when running a vulnerability disclosure program: rejecting mails with "malicious" attachments is not a good idea. You might also want to test this in advance and adjust configuration accordingly. Or at least provide an alternative way of uploading PoCs.

Long article doing a great job summing up typical issues with bug bounties, with providing valuable insights. Particularly "buying researchers' silence" is the reason I barely do bug bounties any more.

Yahoo! and AOL implement an account recovery flow which can be summed up as "please hijack me." If you use them, you had better be very certain you control that recovery phone number of yours.

Want to use for a new project? Don't, it makes writing secure code unnecessarily complicated. In fact, you should look for a way to get rid of it in your old projects as well, or at least minimize its potential security impact.

Vulnerability in McAfee WebAdvisor: RCE from any website through the browser extension into the application, all the way to administrator privileges. Updates are finally available and should be installed ASAP.

Does anyone here have experience with Responsible Vulnerability Disclosure via Does it actually work? As in: do they manage to notify the right people to get the vulnerability fixed? What about non-website vulnerabilities?

I know that everybody is tired of me talking about but this time it's a beefy RCE vulnerability. Avast Secure Browser could be trivially taken over by any website, allowing even execution of arbitrary OS commands.

Did you expect "Avira Browser Safety" to offer you shopping deals? Me neither, and I also didn't expect this to be implemented by running remote code in the context of the extension or any website. @Avira

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.