Yellow Flag 😷 @WPalant@infosec.exchange

I’ve been subscribed to Brian Krebs’ blog for twelve years (started during his time at The Washington Post), but I guess it’s time to let go. Whatever important info he might have, it will show up elsewhere as well. His understanding of ethics seems more and more questionable.

RT @LitMoose@twitter.com:

> Thank you.
> Please don't feed the reporters who will stomp all over intel/jeopardize sources for their own gain.
> I can't stand Krebs.

https://twitter.com/LitMoose/status/1321601870679416832

Hey #Feedly, don’t you want to start using Referrer Policy on your website? Currently, when your users click a link you will typically leak their user ID and some info about how they organize their feeds via the Referer header. #privacy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

“Surprise” of the day: if you add a security.txt file to your website, the only “people” to notice will be spam bots. 😢

TIL that some developers will implement their own heavily #React-inspired framework on top of #jQuery, with all the security benefits conveniently removed. Oh my eyes…

“Edit (2020-10-28): As @hfiguiere@twitter.com pointed out, extensions acquire this Verified badge by paying for the review. All the more interesting to learn what kind of review has been paid here.”

@calculsoberic There is an RSS feed under https://palant.info/rss.xml. If you don’t have a way to subscribe to RSS, there are some RSS to email services around. A search gives me https://blogtrottr.com/ and https://feedrabbit.com/ as top results (mind you, I don’t know either of them).

@calculsoberic Theoretically, most of what I write there is disallowed on Mozilla Add-ons and they generally do a fairly good job keeping such extensions out. And what’s not disallowed, has to be mentioned in the add-on description/privacy policy. However, as this case once again demonstrates – Mozilla isn’t perfect either…

@calculsoberic Yes, there certainly are more extensions like this. But this one claims to have 17 million users, a claim that matches reported numbers in Mozilla Add-ons and Chrome Web Store…

“So it’s very surprising that the #Honey browser extension in its current form is not merely allowed on #Mozilla Add-ons but also marked as Verified. I wonder what kind of review process this extension got that none of the remote code execution mechanisms have been detected.”

“In the end, I found that the Honey browser extension gives its server very far reaching privileges, but I did not find any evidence of these privileges being misused. So is it all fine and nothing to worry about? Unfortunately, it’s not that easy.” #Honey

“On a side note, I couldn’t fail to notice one more interesting feature not mentioned in the privacy policy. Honey tracks ad blocker usage, and it will even re-run certain tracking requests from the extension if blocked by an ad blocker. So much for your privacy choices.” #Honey

“… this allows it to load any script from PayPal at will. These scripts will be able to do anything that the extension can do: read or change website cookies, track the user’s browsing in arbitrary ways, inject code into websites or even modify server responses.” #Honey

“And so the Honey extension also has [obfuscated JavaScript] VIM code that will run in the context of the extension’s background page. It seems that the purpose of this code is extracting user identifiers from various advertising cookies.” #Honey

“So here is a mechanism, providing the server with a simple way to run arbitrary JavaScript code on any website it likes, immediately after the page loads and with sufficient obfuscation that nobody will notice anything odd. Mission accomplished?” #Honey

“This time, there is no point decoding the base64-encoded data: the result will be binary garbage. As it turns out, the data here has been encrypted using AES, with the start of the string serving as the key.” #Honey

“Are you saying document.querySelector()? No, guess again. Is anybody saying jQuery? Yes, of course it is using jQuery for extension code as well! And that means that every selector could be potentially booby-trapped.” #Honey

“Why did they even bother with this complicated approach? Beats me. I can only imagine that they had trouble with shops using CSP in a way that prohibited execution of arbitrary scripts. So they decided to run the scripts outside the browser where CSP couldn’t stop them.” #Honey

“So is this some outdated functionality that is no longer in use and that nobody bothered removing yet? Very likely. Yet it could jump to life any time to collect more detailed information about your browsing habits.” #Honey #privacy

“So that’s where this Honey privacy statement is clearly wrong: while the data collected doesn’t contain your email address, Honey makes sure to associate it with your account among other things. And the account is tied to your email address.” #Honey #privacy

I did not expect the #Honey browser extension to provide great privacy. Still, finding four (!) different mechanisms allowing the Honey server to run arbitrary code on any website exceeded my expectations by far. It even uses AES for obfuscation.

https://palant.info/2020/10/28/what-would-you-risk-for-free-honey/