Terence Eden. He has a beard and is smiling.

Terence Eden’s Blog

Theme Switcher:

Responsible Disclosure - John Lewis

· 550 words · Viewed ~877 times

John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about the document. A typical element might look like this: <meta…

Even Google forgets to renew its domains

· 13 comments · 500 words · Viewed ~33,171 times

Domain showing as available to purchase.

tl;dr Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators Background Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have to substitute it for their own details. But…

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!

· 1 comment · 450 words · Viewed ~673 times

Weird confrimation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed up to Intigriti, and instantly received a confirmation email. Can you…

Major sites running unauthenticated JavaScript on their payment pages

· 12 comments · 700 words · Viewed ~34,595 times

HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their credit card details as they were…