After ruling out Postfix as the potential target here, I found that Exim configuration has a use_shell setting for the pipe transport. That seems to be the vulnerable configuration here, and there is an older advisory on it (2013). redteam-pentesting.de/en/advis

Found in my mail server logs:

MAIL FROM:<;for P in f W K 0 r S 5 T A u p 4 X E Q;do read;done;sh;exit 0;>

I guess that’s a command line injection attempt, aiming at mail servers passing sender address to a spam filter application without escaping. It installs crypto miners.
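An added example, not code from the posts above: it scans constructed log lines for the kind of envelope sender quoted in the post, and puts the shell-interpolating invocation (the pattern an Exim pipe transport with use_shell produces) next to the argv-based one that keeps the sender a single argument. The log lines and the `/usr/local/bin/spamfilter` path are made up for the demo.

```javascript
// Added example, not part of the original posts: flag shell-metacharacter
// injection in SMTP envelope senders, and show why argv-based invocation
// (or an Exim pipe transport without use_shell) defuses it. Log lines and
// the filter path are constructed for the demo.

const SAMPLE_LOG = [
  "MAIL FROM:<alice@example.com>",
  // The payload quoted in the post above.
  "MAIL FROM:<;for P in f W K 0 r S 5 T A u p 4 X E Q;do read;done;sh;exit 0;>",
  'MAIL FROM:<"bob smith"@example.org>',
];

// Characters sh interprets. A quoted local part may legally contain some of
// them, so this is a triage heuristic, not an RFC 5321 validator.
const SHELL_META = /[;|&$`<>()\\\r\n]/;

function extractSender(line) {
  const m = /MAIL FROM:<(.*)>/.exec(line);
  return m ? m[1] : null;
}

function isSuspiciousSender(sender) {
  return SHELL_META.test(sender);
}

function scanLog(lines) {
  return lines
    .map(extractSender)
    .filter((s) => s !== null && isSuspiciousSender(s));
}

// What the payload does once a shell sees it: ";" ends whatever command came
// before it, the loop calls "read" once per list item (15 here) and so
// discards 15 lines of stdin (the message headers, when the message is piped
// in), "sh" then executes the rest of stdin as a script, and "exit 0" reports
// success so the MTA does not bounce the mail.
function unsafeCommandLine(sender) {
  // Same shape as Exim's pipe transport with use_shell set and
  // $sender_address in the command, or child_process.exec() with a
  // template string.
  return `/usr/local/bin/spamfilter --sender ${sender}`;
}

// Safe form: fixed program, argv array, sender is one argument however many
// metacharacters it carries. Pass this to child_process.execFile(), never exec().
function safeArgv(sender) {
  return ["/usr/local/bin/spamfilter", "--sender", sender];
}
```

The Exim-side equivalent of `safeArgv()` is leaving `use_shell` unset on the pipe transport: Exim then splits the command into arguments before expanding `$sender_address`, so the metacharacters stay inside one argument instead of being parsed by `/bin/sh`.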

The “Escaping the Crushing Despair” section is a painful read, it describes how much of the C++ community space became toxic beyond repair. Unfortunately, this kind of development isn’t uncommon in our industry. We all need to learn how to prevent this from happening elsewhere.

thephd.github.io/why-another-c

There is also a comment on Mastodon explaining the logic behind this: if it’s a vulnerability that companies should patch ASAP, assigning an identifier improves the chances considerably.

The poll has ended. With six votes across Twitter and Mastodon the results are hardly representative. But it seems that an identifier for everything is a rare approach (1 vote). Most respondents create one only for important findings (3 votes) or never (2 votes).

For reference, my summary of the privacy issues with their browsers. To my knowledge, this is still the state of affairs here. palant.info/2020/05/08/what-da

Those who followed the development around browsers will not be very surprised but their payment app doesn’t care about users’ privacy either. And it just transmits all data unencrypted (!) to servers in Hong Kong.

twitter.com/evstykas/status/13

And then I spent some time making an app with Cordova that would display a weather forecast, upcoming appointments and missed phone calls. As to the hardware, I only had to shut down unused services just in case these decide to access the web.

My line of thinking some years ago was: “I have that Raspberry Pi, I should do something with it. It will need WiFi and a display module. Oh, there are tablets below 40 € with quite usable displays. Wait, why did I need Raspberry Pi again?”

It’s a weird state of affairs that if you want to build something by far the cheapest decent display module is an outdated and/or refurbished Android tablet. And once you realize that, the “build” part is over – all you need now is the right software.

Adding that privacy-friendly search feature to my website, was it worth it? Well, it seems that roughly 0.1% of my website visitors clicked the “Search” button, which resulted in a search index download. Sorry, but justifying work on this in a company would have been hard…

Just in case anybody is wondering: yes, is of course suggesting that I subscribe to “Dogs.” If Twitter Analytics are to be believed, dogs are the single unifying factor of all humanity, with at least 97% of every audience being interested in them. No, cats are not…

Do I see this correctly: after an utter failure to deduce users’ interests from extremely rich data, is now asking users to validate their interests by subscribing to topics? Yes, that’s certainly one way to deal with this…

It deeply satisfies me to see search requests like “is miui spyware” in my logs. So people actually want to know, and they find my article. I hope that quite a few choose not to buy hardware then.

palant.info/2020/05/08/what-da

Those of you who report security vulnerabilities, do you also request identifiers for them? Maybe also explain in comments how the overhead is worth it for you. I’m still undecided on the topic.

I mean, already sending a message to the top frame of your tab is awkward if you have to proxy it through the background page. But sending a message to your parent/child frame is a nightmare to do correctly. This needs better extension APIs to stop people from making mistakes…

Using window.postMessage() for communication between extension content scripts is a huge red flag. It almost universally causes security issues and/or information leakage. Yet I cannot really blame developers for taking this route, with the secure alternatives being too complex.
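An added example, not from the posts above: a simulated window showing why a window.postMessage() channel between content scripts (the top-frame and parent/child-frame cases in both posts) is readable and forgeable by the page's own scripts, next to the background-routed alternative. The window, the runtime bus and the `SECRET_SETTING` value are stand-ins constructed for the demo; the real APIs are asynchronous and the browser, not the caller, fills in the sender.

```javascript
// Added example, not part of the original posts. Minimal stand-in for a
// browser window: every "message" listener sees every message posted to it,
// which is exactly the property that makes postMessage unsafe here.
function makeWindow(origin) {
  const listeners = [];
  return {
    origin,
    addEventListener(type, fn) { if (type === "message") listeners.push(fn); },
    // Real signature is postMessage(message, targetOrigin); the browser sets
    // source itself. The simulation takes it as a third argument.
    postMessage(data, targetOrigin, source) {
      if (targetOrigin !== "*" && targetOrigin !== origin) return;
      for (const fn of listeners) fn({ data, origin: source.origin, source });
    },
  };
}

const SECRET_SETTING = "user-blocklist-v1"; // constructed stand-in for extension-only data

// --- Vulnerable pattern: a content script answers requests over window.postMessage.
function installVulnerableContentScript(win) {
  win.addEventListener("message", (event) => {
    // The origin check passes for the page's own scripts: a content script
    // runs in the page's origin, so this stops nothing that matters.
    if (event.origin !== win.origin) return;
    if (event.data && event.data.type === "get-setting") {
      event.source.postMessage({ type: "setting", value: SECRET_SETTING }, win.origin, win);
    }
  });
}

// A page script (attacker) in the same window can both forge the request and
// read the reply, because it shares the window's message listeners.
function pageScriptSteals(win) {
  let stolen = null;
  win.addEventListener("message", (e) => {
    if (e.data && e.data.type === "setting") stolen = e.data.value;
  });
  win.postMessage({ type: "get-setting" }, win.origin, win);
  return stolen;
}

// --- Hardened pattern: route through extension messaging. Page scripts never
// get a handle to chrome.runtime, so there is nothing for them to listen on.
// This bus stands in for chrome.runtime.sendMessage / onMessage (which are
// asynchronous and carry a browser-populated sender with tab and frameId).
function makeRuntimeBus() {
  const handlers = [];
  return {
    onMessage: { addListener(fn) { handlers.push(fn); } },
    sendMessage(msg, sender) {
      let reply;
      for (const fn of handlers) fn(msg, sender, (r) => { reply = r; });
      return reply;
    },
  };
}

function installBackground(runtime) {
  runtime.onMessage.addListener((msg, sender, sendResponse) => {
    // Only extension contexts reach this listener; in a real extension you
    // would check sender.id, sender.tab and sender.frameId here.
    if (msg.type === "get-setting" && sender.isContentScript) sendResponse(SECRET_SETTING);
  });
}

// The content script asks the background instead of the window. The sender
// object is supplied by the simulation; the browser provides it for real.
function contentScriptAsks(runtime) {
  return runtime.sendMessage({ type: "get-setting" }, { isContentScript: true, frameId: 0 });
}
```

For the parent/child-frame case the background relays the answer with chrome.tabs.sendMessage to the specific tab and frameId it learned from the sender, which is the proxying the posts call awkward; the page still sees none of it.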

It should be used by every anti-fingerprinting extension out there, but none of them do. I write advice for anti-fingerprinting extensions, yet I don’t realize that this functionality still exists. There is no Chromium issue asking to add this feature. Nobody knows…

The sad thing about : they have decades of experience allowing powerful extensions. So when they switched to the inferior Chrome extension system, they rescued some gems. Like exportFunction(): developer.mozilla.org/en-US/do. And nobody notices.

Wow, the SSL certificate for . com expired. Yes, these things still happen…

Infosec Exchange