I’ve seen a number of trust models for the web come and go; granting application-like privileges to web pages was always too risky. And I think that’s because misuse of these privileges is just so unlikely to be detected. On the web, different code for everyone is the rule.
At least that’s the hope. I mean, there are lots of security researchers, there is antivirus software. A custom Chrome build distributed to only few people will hopefully stick out and be discovered. And Google doesn’t want the resulting backlash.
Given the amount of damage malicious code in an application can do (and occasionally does), this is in fact surprising. Do people really trust e.g. Google that much? Probably not. But outright malicious code in Chrome is likely to be discovered, which makes it too risky.
Amazon’s behavior wrt their bug bounty program is weird. They limited the scope to only specific amazon[.]com subdomains, even though compromise on any subdomain affects the entire domain. And they won’t disclose any reports. #BugBounty
Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users. #privacy #infosec #Amazon
</gra_replace>
<gr_replace lines="17" cat="clarify" orig="My article">
My article on #Xiaomi browsers’ data collection is making the rounds again. Just a reminder, Xiaomi “addressed” the issue by introducing an obscure setting, so that users can theoretically opt out. If they realize what’s going on and make the connection. https://palant.info/2020/05/08/what-data-does-xiaomi-collect-about-you/
Ok, I’m proofreading the article, should publish it shortly. It got really long once again…
Then again, I’m not sure that I will be done on Monday. This is even bigger than I thought originally. 🙄
Oh, and a website ripping off the brand of a legitimate company and even linking to their TrustPilot reviews as if they were his. He is accepting only Bitcoin payments there, what a surprise.
Yes, I think that’s enough criminal energy. He had it coming…
Never mind posing as a book author who releases his new book piece by piece. But of course the content belongs to someone else’s well-established book.
But he seems to be really studying Cybersecurity and Information Assurance right now. Should he be able to get a job here?
He is running a large network of websites on stolen content, pretending to be an expert on everything and even impersonating a dead politician. He ripped off an entire website and replaced the copyright message with “See you in court”.
Maybe he deserves what’s coming to him?
3. You are more than welcome to do a deep dive into Y and Z. If you manage to prove badness, this is great and I’ll do my best to let people know. The more people investigate these issues, the better. Companies can only be held accountable if people are looking.
1. There is a difference between *suspecting* that somebody does bad things and actually proving it.
2. There are different gradations of “bad” and while Y and Z probably do bad things as well, it’s not the same as what X is doing.
My article on #Xiaomi browsers data collection is making the rounds again. Just a reminder, Xiaomi “addressed” the issue by introducing an obscure setting, so that users can theoretically opt out. If they realize what’s going on and make the connection. https://palant.info/2020/05/08/what-data-does-xiaomi-collect-about-you/
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant