Wladimir Palant, software developer and security researcher, browser extensions expert. He/him #infosec #cryptography #cybersecurity #privacy

Cologne, Germany
Joined July 2018
Do I remember it incorrectly that the sandbox attribute on iframes used to make the frame think it were the top-level document? Or did this change at some point?
I guess I mixed things up here. Looking through Mozilla’s code history, <iframe mozbrowser> used to have this effect but it was never available to regular web pages.
Friendly reminder: #jQuery isn’t a good security choice. Looking at a jQuery-based browser extension right now. The developer clearly made much effort to do it right. Almost no messing with HTML code, all values inserted escaped. ▶️ palant.info/2020/03/02/psa-j…
They *almost* got it secured. But there was this one jQuery quirk they failed to consider, probably didn’t even know existed. Sorry, that’s Remote Code Execution for you. 🤷‍♂️ The way this library tries to anticipate what you *might* have meant is a disaster.
Neat, they are using document.domain. So the attack surface just increased to encompass all of their web properties. *evil laugh*
I have the proof-of-concept exploits (including the one bypassing same-origin-policy) done, but filing reports on all the vulnerabilities I found in the process will take time. There have been plenty…
But at least they have security.txt and a contact other than their bug bounty program. This will save me some time.
Ok, six vulnerability reports sent. Deadline is April 19, and I can move on now.
Oh, that’s why people list both their bug bounty program and email address in security.txt: so that, when contacted via email, they can respond with a request to resubmit via bug bounty program. 🤦‍♂️
They decided to accept the reports via email after all, despite it not being their usual process. I guess I won’t add that snarky comment to the article to be written. That’s a good thing, I feel like I’m complaining too much already.
Another big corp is “reviewing” a trivial privacy issue since December. So far they haven’t even managed to access the proof of concept page. I’m starting to suspect that they are searching for someone who knows the product. Meanwhile the publication deadline is getting closer…
It’s funny to see open source and tech geeks discussing @moxie’s “People don’t want to run their own servers” and claiming that he “doesn’t get it.” It shows nicely everything that’s wrong with this bubble. No, he actually gets it, and you still don’t.
And I’m saying this as someone who runs their own web and email server. Because my skills are barely enough that this time investment sort of pays off. But for 99% of all people it doesn’t and never will. They don’t care about ideology. Heck, most don’t even care about privacy.
I love open source, but much of it is blindsided by only catering to people like yourself. There is nothing wrong with that, but it’s also a reason why open source remains a niche. And companies are successful at taking open source projects and tweaking them for the general population.
Remember that attack on #LastPass accounts which LastPass claimed to be a glitch in their notification system? A commenter on my blog claims to have been hacked there. Attackers logged into LastPass and got everything to transfer out cryptocurrency funds. palant.info/2021/12/29/how-d…
There is lots of confusion about how someone got their hands on lots of #LastPass master passwords, and the official LastPass statement is certainly not helping. I analyzed the possible scenarios to find out what most likely happened here. #infosec palant.info/2021/12/29/how-d…
Could still be a coincidence, or credential stuffing, or something else. But the point is: just because LastPass claims that they haven’t been compromised, you don’t have to believe them. And: no, their location-based checks won’t stop all attacks, don’t rely on that.
Wow, Mozilla fixed bugzil.la/371900 – a trivial bug filed 15 years ago and a major annoyance/footgun for extension developers. Personally, I’ve hit that issue 13 years ago. Finally fixed, only four years after everyone stopped caring about it…
Yeah, the fix didn’t stick. Seems to have caused a regression, backed out. Well, maybe sometime later. *evil laugh*
419 scam mail received from a legit gov[.]br mail server? Interesting… But at least Reply-To is still a Gmail address, so I guess the attackers don’t really control this server. Probably abusing an open relay.
Found it, both the original (Russian game from 1989, runnable in an MSX emulator) and a Windows remake with worse (!) visuals. Screenshot shows the original. kpolyakov.spb.ru/prog/logic.…