After losing RSS feeds again in Thunderbird I got fed up and reported the bug. Looks like it has good chances to get fixed! https://bugzilla.mozilla.org/show_bug.cgi?id=1701414
Free Software Foundation Europe is severing its ties to FSF. Yes, at this stage it’s the only right decision.
For anybody concerned that my previous article on Amazon Assistant only discussed potential threats: here is the actual data being collected for “analytics” purposes. Lots of it and linked to the user’s Amazon account. #amazon #privacy
How did they end up with this? Just how? 😭
I keep looking for something making this considerably more advanced than the proxy modules I implemented for PfP (5 kB of code). Yes, somewhat pointless privilege checking – a trivial addition. Yes, publish/subscribe model for events – not a big deal either. Nothing there…
There are factories creating exactly one type of object. Superclasses with exactly one subclass. And lots of message serializers – one module for each type of message. Didn’t anybody think of generalizing message creation? But lots of pointless generalization here.
I’m still looking into Amazon Assistant code a bit, and the overengineering level of this whole thing is astonishing. The UBPClient library is 760 kB of code which are duplicated all over the place. Merely for communication between different frames.
One of the extensions managed to bring out five (5!) minor updates in the meantime, yet leave the vulnerable code completely unchanged. They have three weeks to go before disclosure, I should start writing the article…
I love Wikipedia, there has never been more information available to anyone. But it is always good to remember what it does not show.
All of this sounds too familiar, and my name isn’t even too unusual for the German ear (no more unusual than some names German kids get). I was lucky and people started recognizing my name thanks to Klitschko. But I also know a girl who preferred going by a “simpler” name.
And sometimes it’s not the end of the story. There is another massive “visitor” spike at 2 AM. Turns out, that’s another 800 Fediverse servers because @nolan posted a link to this article. And he has a larger followership than me, meaning more Fediverse servers who need to fetch metadata. 😀
Disclosure time: two fairly typical vulnerabilities in DuckDuckGo Privacy Essentials. One is still unresolved on Firefox and Edge but can only be exploited from their server. #DuckDuckGo #privacy #infosec
But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.
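How far such a smuggled service worker reaches is decided by scope rules, which the post only alludes to. The following is an added example, not code from the original post or from any of the extensions discussed; it implements the scope rules from the Service Worker specification (default scope is the script's directory, matching is a prefix match on the URL without fragment, a wider scope needs a Service-Worker-Allowed header on the script response), and all URLs in it are constructed for illustration.

```javascript
// Added example (not from the original post): which URLs a service worker
// registered from a given script URL would control, per the Service Worker
// spec's scope rules. All URLs below are constructed for illustration.

// Default (and maximum allowed) scope: the script's directory, i.e. the URL
// up to and including the last "/" in the path, on the script's origin.
function defaultScope(scriptUrl) {
  const u = new URL(scriptUrl);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  return u.origin + dir;
}

// Scope matching is a plain prefix match on the serialized URL with the
// fragment removed, so query strings and deeper paths are all covered.
function isControlled(scope, pageUrl) {
  const s = new URL(scope);
  const p = new URL(pageUrl);
  if (s.origin !== p.origin) return false;
  const target = p.href.split("#")[0];
  return target.startsWith(s.href);
}

// Would navigator.serviceWorker.register(scriptUrl, { scope }) be accepted?
// `allowedHeader` is the value of the Service-Worker-Allowed response header
// on the script, or null when the server does not send one.
function registrationAllowed(scriptUrl, scope, allowedHeader) {
  const script = new URL(scriptUrl);
  const wanted = new URL(scope, scriptUrl);
  if (wanted.origin !== script.origin) return false;
  const maxScope = allowedHeader
    ? new URL(allowedHeader, scriptUrl).href
    : defaultScope(scriptUrl);
  return wanted.href.startsWith(maxScope);
}

// Constructed walkthrough: a vendor script living under /static/ on a site.
const script = "https://example.com/static/vendor.js";
const scope = defaultScope(script);              // "https://example.com/static/"
const reach = [
  "https://example.com/static/app.html",          // controlled
  "https://example.com/static/deep/page?x=1#frag", // controlled (prefix match)
  "https://example.com/index.html",               // outside the directory
  "https://evil.example/static/app.html",         // different origin
].map(u => [u, isControlled(scope, u)]);

// Widening to the site root only works if the script response opts in.
const rootWithoutHeader = registrationAllowed(script, "https://example.com/", null); // false
const rootWithHeader = registrationAllowed(script, "https://example.com/", "/");     // true

console.log(reach, rootWithoutHeader, rootWithHeader);
```

The practical consequence for triage: the directory the injectable script is served from, not the page with the reflected XSS, determines what the worker can intercept, and a script at the site root controls everything on that origin.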
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
Other Mastodon account for non-technical topics: https://social.tchncs.de/@WPalant
A Mastodon instance for info/cyber security-minded people.