Yellow Flag 😷 @WPalant@infosec.exchange

More details in the article here. Grindr gave location data to third parties which was detailed enough to be associated with a priest and to out him as gay. Yet they keep claiming that this is “infeasible from a technical standpoint.” Yeah, sure…

https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app

Huge surprise! Yes, claims that data is being “anonymized” are usually merely a lame excuse. Given enough data, de-anonymization will often be possible. And that’s especially the case for highly sensitive data like movement profiles.

https://www.washingtonpost.com/religion/2021/07/20/bishop-misconduct-resign-burrill/

@varx I took it down. I asked Mozilla to stop promoting it last year already.

I finally came around to disable the store listings for my Google Search link fix extension. I’ve had no time for it for quite a while already, but I meant to fix a few bugs first. Now I just accepted that this is not going to happen.

Their autoreply mentions the “new data protection policy.” Yes, it has been merely three years. Not nearly enough time to get accustomed with it of course.

#Spreadshirt notified me of their breach – and of the fact that they are violating #GDPR. The one order nine years ago was done without creating an account, so they have no legal ground for keeping my data through all these years. At least all the data they have is outdated.

I’ve also had my share of user complains about npm audit reporting hundreds of issues without impact to my project. I’ve also wasted time upgrading dependencies for no other reason but to silence these warnings. The issue is real, currently npm audit is clearly not helping.

https://overreacted.io/npm-audit-broken-by-design/

Saw a fancy hashing algorithm in a browser extension:

for (char in string)
hash = (hash << 5) - hash + char

Seems to be a port of Java’s hashing algorithm lifted from Stack Overflow. Luckily, this is dead code and not used anywhere. 😅

Yes, Kasperky Password Manager is ridiculously ill-designed. Given what I saw there three years ago, this vulnerability is not the least surprising.

https://donjon.ledger.com/kaspersky-password-manager/

As if developers copy&pasting code without properly considering licenses wasn’t a time bomb already, we now have AI happily doing it for you. Thanks Github!

https://twitter.com/mitsuhiko/status/1410886329924194309

If an extension lets anyone inject CSS into Google websites, how bad could this get? This isn’t XSS but still pretty bad. From displaying scams on trusted websites to exfiltrating data: lots of possibilities.

Very nice reporting experience for a change.

https://palant.info/2021/06/28/having-fun-with-css-injection-in-a-browser-extension/

Nice blog post by @LaxmanMuthiyah. All the details check out, it sounds like Apple had a massive vulnerability in their iCloud infrastructure and downplayed the severity. With passwords that are way too short, rate limiting is your only line of defense.

https://thezerohack.com/apple-vulnerability-bug-bounty

Verified that I didn’t make any mistakes in the formula, finally searched for an existing solution. Turned out that the hammer I had didn’t match the nail, and B-splines were the way to go. This just worked.

To my defense: I didn’t have internet when I was thinking this up. 🙈

Adventures reinventing the wheel: thought that I figured out how to display a smooth curve for given points. It *almost* worked, but with cubic Bézier curves I got lots of annoying steps in the graph. Quadratic Bézier curves on the other hand had the tendency to break out.

Wonderful. In this case, the manipulated device was merely used to deliver a malicious application. The badly written letter also triggered alarms. And now imagine the same thing done properly, without anything to tip off users.

https://www.bleepingcomputer.com/news/cryptocurrency/scammers-mail-fake-ledger-devices-to-steal-your-cryptocurrency/

TFW you get pinged on a decade old bug report of yours and the response is: “No, this bug report needs to stay open. The browser changed massively in pretty much any aspect, but this particular issue is still unsolved.”

Looks like something very uncommon is about to happen end of month: a vulnerability disclosure *before* the disclosure deadline! In fact, this particular vulnerability has been fixed within a day. Too bad that reporting a vulnerability usually doesn’t go as smoothly.

@xerz I remember that undercover agents need to commit crime without being charged with criminal offenses. Otherwise it would be trivial to blow their cover: anyone unwilling to commit a crime is an agent. So there must be some law covering this, and it probably applies here as well…

@xerz That’s what I thought as well. Then again, they didn’t know that they were working for a honeypot company. They thought that they were doing real crime. 🤷‍♂️

I wonder however: how do the people who did know the scheme go free of charges? Investigation or not, they willingly facilitated crimes. How far could they go without being charged with anything?

Yes, it’s easy to get all paranoid here. The big question is whether the paranoia is justified, and I don’t expect the answer to turn up any time soon. All we get is a suspicion that there might be more things going on than busting drug cartels.