It's 2019 and high-tech devices are still plagued by text encoding bugs. I recently bought the new 4K Amazon Fire Stick. It's a little Android dongle which plays videos. It's neat - but quite often displays weird text errors. Take the kids' TV show House of Anubis: the Fire displays the description like this: Looking at the source code for the description: That's the character "private use…
More adventures with Unicode. I logged in to my Virgin Media account to see when my promotional discount would end. Here's what their billing PDF said. Let'S Ignore The Weird Capitalisation Virgin'S System Uses. What's that  doing there? Their website says: No  symbol, but also no £ sign. Ah, but let's look at the underlying code. What's that weird character? It is the control ch…
(This isn't really a security issue, although I've disclosed it to the Twitter team.) "Fuzzing" is a computer science term which means "sending weird data into a program and seeing what happens." It's a useful way to see how your code can break in new and unexpected ways. It's particularly good at showing what a website's search engine does when it is confused. For example, here's a fairly…
The new Firefox is out! Powered by the ludicrous-speed quantum engine - it really is a marvel to behold. Unfortunately, there's a rather annoying bug in the way it renders placeholder text. Consider the following HTML: <textarea placeholder="In loving memory of Buffy Anne Summers She saved the world A lot..."></textarea> This should render a textarea (a multi-line input box) pre-filled with…
It is impossible to contact large companies to report a bug in their software. So I'm reduced to writing snarky blog posts about it in the vague hope that a Social Media Manager will see the issue and raise it with the appropriate team. Welcome to 2017! Google Pay now supports American Express cards in the UK. Hurrah! But if you try to ring Amex from within the app - a problem occurs. Can you…
AMP is Google's attempt to re-fight the transcoding wars of the early 2000s. It is actively dangerous to the web ecosystem, helps disseminate propaganda, and is disliked by many users. If, like me, you made the mistake of trying out AMP on your website - you're in a tricky position if you try to remove it. Google doesn't like anything leaving its clutches. After a few weeks of AMP, I decided …
If you have a TinTag, your location is being broadcast without encryption! Earlier this year I purchased and reviewed the TinTag. I've spent the last month trying to get hold of the company to report a serious privacy problem with their Android app. I've not received an adequate response, so I'm publishing this post to let affected users know about the issue. The TinTag is a BLE tracker. …
I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home. One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it. The API is pretty secure - good use of OAuth and tokens to make sure whatever you're building is resistant to infiltration. I…
Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug. It's a depressingly familiar…
Hey kids! Did you know that the best way to report bugs to Google is via passive-aggressive blog posts? Yup, s'true. They don't offer support for any of their products*, so your only hope is getting your complaint to the top of Reddit / HackerNews / Cool Site of the Day and hoping that particular Google Product Manager is taking note. So - here's my rant :-) Google now lets you pay for apps…
As with most tasks in life, there are two paths you can go by - the easy way, or the right way. Sadly, many of us choose the easy way which, in the long run, means more work for us all. Take, for example, the seemingly dull task of email unsubscription. A developer wants to make it easy for a user to unsubscribe from an email newsletter. They want to place an unsubscribe link at the bottom of …
Here's a rather nifty security flaw I discovered on Samsung's Android 4.1.2. It allows you - in limited circumstances - to run apps and dial numbers even when the device is locked. Video: This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed. Notes HOWTO Lock the device with a "secure"…