I investigated the inner workings of Xiaomi's Mint Browser and summarized it in a blog article. In short: it's as bad as the Forbes article suggests, and even worse. That browser is spyware, exfiltrating an enormous amount of data.

palant.info/2020/05/04/are-xia

Pro-tip when running a vulnerability disclosure program: rejecting mails with "malicious" attachments is not a good idea. You might also want to test this in advance and adjust configuration accordingly. Or at least provide an alternative way of uploading PoCs.

Long article doing a great job summing up typical issues with bug bounties, with @k8em0@twitter.com providing valuable insights. Particularly "buying researchers' silence" is the reason I barely do bug bounties any more.

csoonline.com/article/3535888/

Yahoo! and AOL implement an account recovery flow which can be summed up as "please hijack me." If you use them, you had better be very certain you control that recovery phone number of yours.

palant.de/2020/03/09/yahoo-and

Want to use jQuery for a new project? Don't, it makes writing secure code unnecessarily complicated. In fact, you should look for a way to get rid of it in your old projects as well, or at least minimize its potential security impact.

palant.de/2020/03/02/psa-jquer

Vulnerability in McAfee WebAdvisor: RCE from any website through the browser extension into the application, all the way to administrator privileges. Updates are finally available and should be installed ASAP.

palant.de/2020/02/25/mcafee-we

Does anyone here have experience with Responsible Vulnerability Disclosure via openbugbounty.org/? Does it actually work? As in: do they manage to notify the right people to get the vulnerability fixed? What about non-website vulnerabilities?

I know that everybody is tired of me talking about Avast, but this time it's a beefy RCE vulnerability. Avast Secure Browser could be trivially taken over by any website, allowing even execution of arbitrary OS commands.

palant.de/2020/01/13/pwning-av

Did you expect "Avira Browser Safety" to offer you shopping deals? Me neither, and I also didn't expect this to be implemented by running remote code in the context of the extension or any website. @Avira

palant.de/2019/12/11/problemat

My first article on antivirus, detailing a bunch of issues rendering its web protection component ineffective. There will be more interesting findings to publish later.

palant.de/2019/12/02/rendering

There is a high-level overview for this article as well now, if you only want the important stuff about these Kaspersky vulnerabilities without the technical details.

palant.de/2019/11/27/more-kasp

Found yet another big name browser extension using jQuery carelessly, resulting in a vulnerability. Can't we all just agree that jQuery is a security footgun and switch to modern frameworks?

Same as yesterday's blog post but as a high-level overview without the technical details: Kaspersky applications do not protect an internal API properly, allowing any website to send commands. Yes, websites can still do it, merely with less impact.

palant.de/2019/11/26/internal-

I'll publish two blog posts on Kaspersky vulnerabilities this week, first one is now up. Here I demonstrate hijacking communication channels that the "Web Protect" component uses to communicate with the antivirus application.

palant.de/2019/11/25/kaspersky

Ok, I'm in - arbitrary website executing code in the background page of the extension and getting access to all these privileges. Time to notify the vendor...

Looking into and they demonstrate that solutions breaking up HTTPS connections don't have to take over the invalid certificate page. So no security issues like the ones seen in software.

palant.de/2019/08/19/kaspersky

Tavis Ormandy considers LastPass to be the best you can get as far as online password managers go. His experience is clearly different from mine, but if that's true, we are all screwed and there is no product which can be recommended.

twitter.com/taviso/status/1167

Wrote an article on three vulnerabilities introduced by Kaspersky Internet Security - a very typical scenario for antivirus vendors who will break up secure HTTPS connections in order to inspect them.

palant.de/2019/08/19/kaspersky

I'm having a discussion with a vendor, maybe you can help me out. What's the goal of a security advisory?

I tried producing some useful instructions for less experienced people to recognize flaws in password managers. Let me know whether it worked!

palant.de/2019/08/12/recognizi

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.