I’m writing a follow-up on Amazon Assistant, will hopefully be finished today. There is more to this story…

I keep looking for something making this considerably more advanced than the proxy modules I implemented for PfP (5 kB of code). Yes, somewhat pointless privilege checking – a trivial addition. Yes, publish/subscribe model for events – not a big deal either. Nothing there…

There are factories creating exactly one type of object. Superclasses with exactly one subclass. And lots of message serializers – one module for each type of message. Didn’t anybody think of generalizing message creation? But lots of pointless generalization here.

I’m still looking into Amazon Assistant code a bit, and the overengineering level of this whole thing is astonishing. The UBPClient library is 760 kB of code that is duplicated all over the place. Merely for communication between different frames.

One of the extensions managed to bring out five (5!) minor updates in the time, yet leave the vulnerable code completely unchanged. They have three weeks to go before disclosure, I should start writing the article…

I still have two pending disclosures for critical browser extension vulnerabilities. One was reported more than two months ago, the other slightly less. Just checked, neither has been resolved yet. I guess they want to cut it close to the deadline. Sending reminders… 🙄

I love Wikipedia, there has never been more information available to anyone. But it is always good to remember what it does not show.

All of this sounds too familiar, and my name isn’t even too unusual for the German ear (no more unusual than some names German kids get). I was lucky and people started recognizing my name thanks to Klitschko. But I also know a girl who preferred going by a “simpler” name.

And sometimes it’s not the end of the story. There is another massive “visitor” spike at 2 AM. Turns out, that’s another 800 Fediverse servers because @nolan posted a link to this article. And he has a larger followership than me, meaning more Fediverse servers that need to fetch metadata. 😀

How do developers of anti-fingerprinting solutions cope with impostor syndrome? It’s close to impossible to tell whether their solution is working or making matters worse.

This is what my stats for an article look like immediately after I post it. Hi 346 Fediverse servers, I love you too. 😂

Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server.

So if you set up an Android emulator and sign into a Google account to use the Play Store, Google will later not let you change the recovery email on that account. It will demand a one-time code from that emulator (that you already scrapped) despite 2FA not being enabled. 🤦‍♂️

But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.

Watching this talk by Amy Burnett I realized that I never really considered the abuse potential of service workers. I’ve seen plenty of JavaScript files reflecting query parameters, typically JSONP endpoints. And I considered these non-exploitable.
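An added example to go with the two posts above; it is not code from the original thread or from any of the products mentioned. It shows the defensive side of the problem: a JSONP endpoint that reflects its `callback` query parameter into a `text/javascript` response, first the way many legacy endpoints do it (the raw value is written into the script), then hardened with a strict identifier allow-list so that nothing but a bare function name can reach the response body. The function names (`renderJsonpUnsafe`, `renderJsonpSafe`, `isValidCallbackName`, `jsonpResponseHeaders`) and the sample payload are assumptions made for this example.

```javascript
// Added example (not from the original posts). Demonstrates why a JavaScript
// response that reflects a query parameter is dangerous and how to validate
// the reflected value. All names and sample data below are constructed.

// Constructed sample: the data the endpoint wraps in a callback call.
const SAMPLE_PAYLOAD = { user: "alice", items: 3 };

// Legacy behaviour: whatever arrives in ?callback= is written verbatim into the
// script. Any reflected parameter in a JS file is the pattern the thread
// describes, because the reflected text becomes part of the executed script.
function renderJsonpUnsafe(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Hardened: accept only a plain JavaScript identifier path such as "cb" or
// "app.handlers.onData". Parentheses, quotes, semicolons, whitespace and
// newlines cannot appear, so no extra statement can be appended to the script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LENGTH = 64;

function isValidCallbackName(name) {
  return typeof name === "string"
    && name.length <= MAX_CALLBACK_LENGTH
    && CALLBACK_RE.test(name);
}

// Returns the script body, or null when the callback name is rejected; the
// HTTP layer should answer 400 Bad Request in that case instead of reflecting.
function renderJsonpSafe(callback, payload) {
  if (!isValidCallbackName(callback)) {
    return null;
  }
  return `${callback}(${JSON.stringify(payload)});`;
}

// Headers to send with the body. nosniff stops the browser from
// reinterpreting the response as another content type, and no-store keeps a
// per-request body out of shared caches.
function jsonpResponseHeaders() {
  return {
    "Content-Type": "text/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
}

// Constructed inputs: two legitimate callback names and two that carry extra
// script text. Only the first two pass the validator.
const ATTEMPTED_CALLBACKS = [
  "handleData",
  "app.handlers.onData",
  "cb;importScripts('x')",
  "cb()//",
];

for (const name of ATTEMPTED_CALLBACKS) {
  const verdict = isValidCallbackName(name) ? "accepted" : "rejected";
  console.log(JSON.stringify(name), "->", verdict);
}
```

Run it with `node` to see which callback names pass. The point of the allow-list is not to recognise a specific payload: anything that is not a bare identifier path is refused, so the response can never contain more than one call expression, whatever the attacker hoped to append. The same validation applies to any other endpoint that echoes a parameter into a script, not only JSONP.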

Easiest way to spot a company not giving a damn about security: application updates try to trick you into installing unwanted “extras.”

Yes, I have applications in my Windows VM that I should probably get rid of. Foxit Reader used to be pretty good, a long time ago…

Whether and when PoC code for vulnerabilities should be published is a complicated topic, many different aspects playing a role here. Whether Microsoft should use their privileged access to GitHub in order to remove PoC code for their product is simple on the other hand: no.

I now have Slack open in one tab, Mattermost in another. This feels like a game: “find 10 differences.”

Hard to believe but in Mozilla browser (pre-Firefox) a webpage could request UniversalXPConnect privilege. If the user accepted, it got full access to their system. How was accepting this request ever a good idea, even with trusted websites?

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.