How do developers of anti-fingerprinting solutions cope with impostor syndrome? It’s close to impossible to tell whether their solution is working or making matters worse.

This is what my stats for an article look like immediately after I post it. Hi 346 Fediverse servers, I love you too. 😂

Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server.

palant.info/2021/03/15/duckduc

So if you set up an Android emulator and sign into a Google account to use the Play Store, Google will later not let you change the recovery email on that account. It will demand a one-time code from that emulator (that you already scrapped) despite 2FA not being enabled. 🤦‍♂️

But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.

Watching this talk by Amy Burnett I realized that I never really considered the abuse potential of service workers. I’ve seen plenty of JavaScript files reflecting query parameters, typically JSONP endpoints. And I considered these non-exploitable.

youtube.com/watch?v=a0yPYpmUpI

Easiest way to spot a company not giving a damn about security: application updates try to trick you into installing unwanted “extras.”

Yes, I have applications in my Windows VM that I should probably get rid of. Foxit Reader used to be pretty good, a long time ago…

Whether and when PoC code for vulnerabilities should be published is a complicated topic, many different aspects playing a role here. Whether Microsoft should use their privileged access to GitHub in order to remove PoC code for their product is simple on the other hand: no.

vice.com/en/article/n7vpaz/res

I now have Slack open in one tab, Mattermost in another. This feels like a game: “find 10 differences.”

Hard to believe but in Mozilla browser (pre-Firefox) a webpage could request UniversalXPConnect privilege. If the user accepted, it got full access to their system. How was accepting this request ever a good idea, even with trusted websites?

I’ve seen a number of trust models for the web come and go, granting application-like privileges to web pages was always too risky. And I think that’s because misuse of these privileges is just so unlikely to be detected. On the web, different code for everyone is the rule.

At least that’s the hope. I mean, there are lots of security researchers, there is antivirus software. A custom Chrome build distributed to only few people will hopefully stick out and be discovered. And Google doesn’t want the resulting backlash.

Given the amount of damage malicious code in an application can do (and occasionally does), this is in fact surprising. Do people really trust e.g. Google that much? Probably not. But outright malicious code in Chrome is likely to be discovered, which makes it too risky.

Interesting question from the discussion around my latest article: why won’t we trust websites with access that we grant to any locally installed application? And I think that this is really about how we manage to trust local applications.

Dealing with Hacker News is always huge “fun.” Somebody skims the introduction, decides that an article is clickbait and immediately comments. I point out that he got it wrong and get downvoted. 🙄

It’s as if their entire bug bounty program is a means to restrict the information flow rather than address security issues. Since they won’t pay anyways, I am reporting issues via openbugbounty.org/ now. At least this way they will be disclosed.

Amazon’s behavior wrt their bug bounty program is weird. They limited the scope to only specific amazon[.]com subdomains, even though compromise on any subdomain affects the entire domain. And they won’t disclose any reports.

Amazon Assistant extension turned out to be designed in a very “special” way: all of its logic is located on Amazon web servers. This gives Amazon access to a very wide range of information in the browsers of the extension’s users.

palant.info/2021/03/08/how-ama

Ok, I’m proofreading the article, should publish it shortly. It got really long once again…

Then again, I’m not sure that I will be done on Monday. This is even bigger than I thought originally. 🙄

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.