@17 I mean, think about it: with our receptors for three wavelength it’s 2³ = 8 possible combinations (black included). With receptors for four wavelengths the number of possible combinations doubles.

@17 Getting out of the ocean was definitely a mistake. Fish can see four colors, including an UV wavelength invisible to us.

@17 Yes, well-designed JSONP endpoints restrict the characters allowed here. Then again, blacklist approaches are often incomplete and can still be circumvented. I don’t know why they don’t just use /^\w+$/.

@17 Many servers still have JSONP endpoints. And very often these won’t validate the callback name in any way. So you can inject arbitrary JS code via the callback name into a script served from a whitelisted origin.

@17 More importantly: many servers remember jsonp. Which is occasionally very useful when looking for security issues, e.g. for CSP circumvention.

Here is your regular reminder that text messages (SMS) are neither private nor secure. This company handles billions of messages, yet it only managed to detect a hack after five years and doesn’t bother to disclose the scope of the breach. (Via @evacide@twitter.com)

vice.com/en/article/z3xpm8/com

So if some details get lost in the communication, or if they forget about the deadline – I don’t bother either. It’s not my job to remind them about fixing the vulnerability or pointing out remaining issues. I’ll just publish the details when the deadline arrives.

Show thread

I realized that I (somewhat subconsciously) changed my vulnerability communication. I think that I’ll keep it this way.

Most companies don’t bother keeping me in the loop, saying “thank you” or even merely confirming that they received the report.

Remember Keepa, the browser extension that essentially enrolls your computer into a botnet extracting Amazon data? New article looks at their security issues. Spoiler: they didn’t quite manage to keep that functionality to themselves.

palant.info/2021/10/05/abusing

@17 Yes, I must say that messing up BGP is pretty much the worst possible scenario. It’s hard to imagine another trivial change that would do so much damage and would be so hard to repair. Pretty much like getting stuck sideways in the Suez Canal. What a mess…

The good news: I doubt that they let interns touch BGP. Whoever did this is a pro. They should have no problem finding a new job at a better company.

“Somebody accidentally null-routes the domain that all of internal and external company services depend on” wasn’t a risk I ever considered until today…

Thinking about it, recovering from that when you have almost no means of communicating with each other is… hard.

Relaxing the default Content Security Policy in a browser extension is generally a bad idea, especially for an extension with access to each and every website. If you need proof, the Custom Cursor extension (6 million users) delivers.

palant.info/2021/09/28/breakin

Oh look, it’s Xiaomi once again. Anyone taking bets that they will shrug away this scandal as well without any meaningful changes?

RT @hatr@twitter.com:

> Phones sold in Europe by China's smartphone giant Xiaomi have "a built-in ability to detect and censor terms such as 'Free Tibet', ‘Long live Taiwan independence‘ or ‘democracy movement‘, Lithuania's state-run cybersecurity body said on Tuesday.

reuters.com/business/media-tel

Results of my experiment reporting an Amazon XSS via Open Bug Bounty:

· Reported on 2021-03-08
· Automatically disclosed on 2021-06-06, still unpatched
· Actually fixed at some point before 2021-09-17

No idea whether Amazon even received the original report. Maybe they only noticed because someone started exploiting this vulnerability. So: no, not sure whether I want to do this again.

@17 And later they will say: “What, bad things happened? Didn’t we tell you to rotate the keys? Your fault.”

And Travis CI joins the ranks of companies that cannot be trusted with security. Not because they have issues (who doesn’t) but because they cannot recognize and properly handle a critical vulnerability report.

The details are in this Twitter thread: twitter.com/peter_szilagyi/sta

Biggest trouble with ancient hardware is that it has an equally ancient SSL implementation. Turns out, the most reliable way of “fixing” this is getting recent curl via a Cordova plugin and bypassing the system’s implementation for HTTPS requests completely.

Show thread

Great thread by Matthew Green here. TL;DR: NSA made Juniper add a backdoor to their routers. A presumably Chinese APT hacked Juniper and made the backdoor usable for themselves. Damage caused: still unknown. But politicians keep asking for encryption backdoors.

twitter.com/matthew_d_green/st

@jerry I somewhat doubt that this is really the case. After all, every single news website in Europe somehow managed to solve this issue. And they already have detection of European users in place, so they could implement whatever privacy-friendly but less monetizable alternative they find for Europeans only.

Three years after GDPR came into effect, there are still US news websites claiming they care so much about us Europeans that they will straight out lock us out rather than comply with our ridiculous data privacy laws. 🤡

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.