While at it, could we consider moving beyond Free Software? I’m increasingly convinced that it is a dead end we wasted decades on. GNU/Linux is used everywhere, yet it gives users exactly zero leverage. Having access to those mountains of code is no gain, it’s almost useless.

After losing RSS feeds again in Thunderbird I got fed up and reported the bug. Looks like it has good chances to get fixed! bugzilla.mozilla.org/show_bug.

Free Software Foundation Europe is severing its ties to FSF. Yes, at this stage it’s the only right decision.

fsfe.org/news/2021/news-202103

Stumbled upon a (legitimate) website that managed to drive up Firefox memory usage by 2 GB and almost hang the entire UI before I closed the tab. And Firefox spent around five minutes working on freeing all that memory. I feel an urge to dissect it and figure out what they did…

For anybody concerned that my previous article on Amazon Assistant only discussed potential threats: here is the actual data being collected for “analytics” purposes. Lots of it and linked to the user’s Amazon account.

palant.info/2021/03/22/follow-

I’m writing a follow-up on Amazon Assistant, will hopefully be finished today. There is more to this story…

I keep looking for something making this considerably more advanced than the proxy modules I implemented for PfP (5 kB of code). Yes, somewhat pointless privilege checking – a trivial addition. Yes, publish/subscribe model for events – not a big deal either. Nothing there…

There are factories creating exactly one type of object. Superclasses with exactly one subclass. And lots of message serializers – one module for each type of message. Didn’t anybody think of generalizing message creation? But lots of pointless generalization here.

I’m still looking into Amazon Assistant code a bit, and the overengineering level of this whole thing is astonishing. The UBPClient library is 760 kB of code which is duplicated all over the place. Merely for communication between different frames.

palant.info/2021/03/08/how-ama

One of the extensions managed to bring out five (5!) minor updates in the time, yet leave the vulnerable code completely unchanged. They have three weeks to go before disclosure, I should start writing the article…

I still have two pending disclosures for critical browser extension vulnerabilities. One was reported more than two months ago, the other slightly less. Just checked, neither has been resolved yet. I guess they want to cut it close to the deadline. Sending reminders… 🙄

I love Wikipedia, there has never been more information available to anyone. But it is always good to remember what it does not show.

twitter.com/histoftech/status/

All of this sounds too familiar, and my name isn’t even too unusual for the German ear (no more unusual than some names German kids get). I was lucky and people started recognizing my name thanks to Klitschko. But I also know a girl who preferred going by a “simpler” name.

twitter.com/mjmichellekim/stat

And sometimes it’s not the end of the story. There is another massive “visitor” spike at 2 AM. Turns out, that’s another 800 Fediverse servers because @nolan posted a link to this article. And he has a larger followership than me, meaning more Fediverse servers that need to fetch metadata. 😀

How do developers of anti-fingerprinting solutions cope with impostor syndrome? It’s close to impossible to tell whether their solution is working or making matters worse.

This is what my stats for an article look like immediately after I post it. Hi 346 Fediverse servers, I love you too. 😂

Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server.

palant.info/2021/03/15/duckduc

So if you set up an Android emulator and sign into a Google account to use the Play Store, Google will later not let you change the recovery email on that account. It will demand a one-time code from that emulator (that you already scrapped) despite 2FA not being enabled. 🤦‍♂️

But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.