Always a pleasant surprise when the browser prevents exploitation of a vulnerability I thought disastrous. So chrome.tabs.executeScript only accepts extension’s own files and no arbitrary URLs? Surprising, undocumented, but certainly a good choice.

I guess I mixed things up here. Looking through Mozilla’s code history, <iframe mozbrowser> used to have this effect but it was never available to regular web pages.

Show thread

Do I remember it incorrectly that the sandbox attribute on iframes used to make the frame think it were the top-level document? Or did this change at some point?

They *almost* got it secured. But there was this one jQuery quirk they failed to consider, probably didn’t even know existed. Sorry, that’s Remote Code Execution for you. 🤷‍♂️

The way this library tries to anticipate what you *might* have meant is a disaster.

Show thread

Friendly reminder: isn’t a good security choice.

Looking at a jQuery-based browser extension right now. The developer clearly made much effort to do it right. Almost no messing with HTML code, all values inserted escaped. ▶️

They decided to accept the reports via email after all, despite it not being their usual process. I guess I won’t add that snarky comment to the article to be written. That’s a good thing, I feel like I’m complaining too much already.

Show thread

Another big corp is “reviewing” a trivial privacy issue since December. So far they didn’t even manage to access the proof of concept page. I start suspecting that they are searching for someone who knows the product. Meanwhile the publication deadline is getting closer…

Oh, that’s why people list both their bug bounty program and email address in security.txt: so that, when contacted via email, they can respond with a request to resubmit via bug bounty program. 🤦‍♂️

Show thread

Ok, six vulnerability reports sent. Deadline is April 19, and I can move on now.

Show thread

But at least they have security.txt and a contact other than their bug bounty program. This will save me some time.

Show thread

I have the proof-of-concept exploits (including the one bypassing same-origin-policy) done, but filing reports on all the vulnerabilities I found in the process will take time. There have been plenty…

Show thread

Neat, they are using document.domain. So the attack surface just increased to encompass all of their web properties. *evil laugh*

Show thread

@17 I guess the heating unit is defect, so it attempts to dry by blowing cold air?

@17 But who doesn’t like rhetorical questions? Rhetorical question, I know. 😜

@Chaos_99 I’m not sure whether you are aware of the context here:

Given this context, it’s a massive difference whether we expect everyone to run their own server (unrealistic) or whether we merely want to make sure everyone has a choice of who they want to trust (far more realistic but still suboptimal if the promise was to get rid of such trust anchors).


@ondra I’d go with the more realistic “use regulation, financial incentives and whatever other measure works to keep competition alive, making sure there is a number of usable competing solutions including open source ones.” Not as ideal, but I just don’t see anyone put anywhere close to the amount of effort into a decentralized web as in democracies.

@ondra You yourself brought the perfect counterargument to that. Democratic countries put massive effort into educating the population. In addition, a number of control instances have been designed specifically to guard against a majority that will willingly hand the power to a dictator. And yet we’ve seen several democracies struggle or fail in recent years alone. Any concepts relying on people doing the “right” thing are fragile to impossible.

@ondra Let’s talk again once the benefits and inner workings of the distributed web are taught in school. With at least the same number of hours that democracy gets. 🙃

Show older
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.