Show more

Selecting a site got its own tab now, so it's visually different from choosing an alias for a site and should no longer confuse anybody.

The visible change: sync should now work with any server supporting remoteStorage protocol ( The bigger but rather hidden change: sync protocol requires even less trust in the storage provider now, no tampering with the data should succeed.

A big one: no more "Easy Passwords 1.x compatible password" here, weaker password generation is gone for good. If you still had any legacy passwords these will be converted to stored passwords now, same happens when importing backups with legacy passwords.

Previous screenshot shows a minor improvement: website name is a link now. Here is one more: you can copy the user name from the password menu. Oh, and you can navigate both the password list and the password menu with arrow keys:

I finally released : Pain-free Passwords 2.2.0! Get it here:

This is a major one, lots improvements here. The most noticeable one is the user interface, the tab strip on the left should make it much easier to navigate.

So , I don't have a recovery phone or any other options configured. Then why is changing my password only possible if I still happen to have that VM where I logged into Play Store using that account? How is this better than the recovery email I configured?

Sometimes the cause of a bug is really so obvious that you completely fail to realize how much you misjudged an issue...

And I just spent a ridiculous amount of time trying to prevent Vue from rerendering a component on property change because it results in loss of keyboard focus. Only to realize that keyboard focus is actually being transferred due to how "copy to clipboard" works...

And I forgot that Monday is a national holiday in Germany. So Tuesday it is...

And now the campaign seems to be down for all browsers, no more redirecting. I guess that they try to avoid their Chrome extensions being taken down as well.

Whoever is running this campaign noticed their extensions being blocklisted, the site will no longer redirect Firefox users - it looks like an actual quiz then. Chrome users are still being redirected to the site tricking them into installing extensions.

The code might rather execute (in the context of a website, not the extension) if a Wikipedia/Twitter link is hovered. Plus, the code would not be loading from a source that the developers control but rather Wikipedia/Twitter APIs. So rather tricky to exploit.

Looking more into this, I'm confused. Either I am missing something or Mozilla's Andreas Wagner jumped the shark claiming remote code execution here. These extensions certainly have a bunch of security issues, but code execution cannot be triggered by extension developers.

Wow, Mozilla compiled a list with 93 extensions being spread here. Also, they found them executing remote code - I guess that I wasn't thorough enough. New blocklist entry incoming...

Yes, dear Deutsche Telekom, my mother's maiden name is 78LWQaHgB883yxo. Thank you for making my account sooo much safer.

Found two more extensions being marketed in this way. One is called "Bild vergrößern", the other "Wiki-Infos." Supposedly, different publishers for all of them. All have been reported to Google.

Apparently, Google just changed their Web Store policy to forbid misleading marketing. Let's report this then...

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.