Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)

by @edent | 1 comment | 550 words | Read ~1,170 times.

The Google Logo.

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and install a spoofed app. See Chrome Bug #1242315 for details. Demo Here's a video of…

Full Disclosure: XSS in Getty Images

by @edent | 3 comments | 300 words | Read ~573 times.

Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty Images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users -…

Responsible Disclosure: [REDACTED] XSS

by @edent | 300 words | Read ~186 times.

A pop-up on a website. The HTML code shows the data has been injected.

Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain…

Responsible Disclosure - John Lewis

by @edent | 1 comment | 550 words | Read ~750 times.

John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about…

Even Google forgets to renew its domains

by @edent | 13 comments | 450 words | Read ~32,885 times.

Domain showing as available to purchase.

tl;dr Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators Background Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have…

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!

by @edent | 1 comment | 400 words | Read ~530 times.

Weird confirmation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed…

Major sites running unauthenticated JavaScript on their payment pages

by @edent | 11 comments | 700 words | Read ~30,814 times.

HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their…