I recently posted about parser mismatch vulnerabilities, which I think are deeply underappreciated. But I didn't explain what to *do* about them!
So, my latest post discusses all of the techniques I know of for mitigating or even entirely preventing them:
I'd love to hear what people think!
I absolutely love it when somebody takes my blog post and makes it much easier to understand while staying correct on the technical details. Thanks a lot @firstname.lastname@example.org!
Wow, #Screencastify is in full damage control mode. Very disappointing.
They released an update today, two days after my blog post, finally restricting the attack surface to five subdomains. And they released a blog post on the topic. But they don’t tell people about today’s fix. Instead, they claim to have fixed the issue back in February. And talk about “a series of hypothetical steps” instead of admitting that there was/is an issue.
Interestingly, someone already wondered whether the Screencastify extension would be a privacy risk. So they asked on Stack Exchange. Almost three years later I could finally give them a proper answer. Too bad they deleted their account in the meantime.
A day after the publication of this article Screencastify released an update to their extension. Could it be that they had a fix for the issues in the pipeline and released it now? Sorry, no. This update is about adjustments to pricing…
Somehow I was certain that I published this article months ago. Sadly, Screencastify didn’t really use the extra time. Their extension is still a very dangerous toy, not quite validating who it provides with webcam or Google Drive access.
Interesting how I started out using serde_json in #rustlang with all custom Serializer and Deserializer implementations. Hey, I have historically grown serialization formats that are complicated to handle generically!
And now it’s almost no custom code at all…
And: done. Migrated to a Rust crate with far more sane code. While it required more manual work, there is no more weird cross-platform breakage.
So this Rust crate is depending on this weird other crate…
Oh, it was written by someone with even less Rust understanding than me…
Oh my, it is handling command lines… Good thing this is only for tests.
Wait, the crate I’m actually using is written by the same person?
Sorry, I’m busy right now. I have to go find another Rust crate to use for my tests.
You all seem to be used to getting these. I barely ever did, must be doing something wrong. 😂
It’s about time. There really is no valid use case for document.domain these days. I was certain that no modern web app would still use it. That’s before I found it being used by Adobe websites of course. And before they refused to get rid of it.
One thing few people actually realize: subtle breakage and security issues in OpenSSL cli are perfectly fine. 😈
“At the end of the day, OpenSSL is a *library*, not an end-user product, and enc(1) and friends are developer utilities and "demo" tools.”
> I swear the openssl CLI was designed to waste eng time lmao
I’m learning Rust by writing a command-line version of PfP. At 40 kB the code is somewhat complex already, and I’ve done several refactorings as I learn to use the language properly. But once it compiles the code just… works? Refreshing compared to C++.
Wladimir Palant, software developer and security researcher, browser extensions expert. He/him
A Mastodon instance for info/cyber security-minded people.