Full Disclosure: XSS in Getty Images

by @edent | 3 comments | Read ~560 times.

Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty Images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users -…

Should browsers remember 2FA codes?

by @edent | 5 comments | Read ~233 times.

In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what, if any, permission the user agent has to provide automated assistance in filling out form field…

Responsible Disclosure: [REDACTED] XSS

by @edent | Read ~181 times.

A pop-up on a website. The HTML code shows the data has been injected.

Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain…

Responsible Disclosure: Content Injection flaw in Gett's Website

by @edent | Read ~174 times.

A basic form asking for users' credit card details.

Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention…

The 74,000 numbers of Barclays Bank

by @edent | 11 comments | Read ~9,222 times.

Long list of phone numbers in JSON format.

The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock. Barclays…

Emoji Passwords and BitWarden

by @edent | 4 comments | Read ~222 times.

Let me start by saying that Emoji Passwords are probably a really daft idea. I want to use emoji in my passwords. They're easy to type on a mobile keyboard, easy to remember, and a lot more fun than boring ASCII characters. Let's go with ✅🐎🔋📎 (As close as possible to Correct Horse Battery Staple)…

That's not my name! Practical problems in real name policies.

by @edent | 8 comments | Read ~1,322 times.

A human holds up some paper with a mysterious script printed on it.

Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names". I don't want to go into whether this is a good idea or…

That's not how 2FA works

by @edent | 21 comments | Read ~30,891 times.

List of tweeters advocating for 2FA.

Another day, another high-profile website cloned to phish credentials. Is this a phishing attempt? Goes to "https://t.co/7b0EaPdGZR" and asks for username and pw (if so, it nearly got me!) /cc @github pic.twitter.com/jgt4oNvjF2 — Tess Rinearson (@_tessr) January 16, 2021 In the replies, you’ll see lots of techbros saying “this is why you should switch on…

Falsehoods programmers believe about... Biometrics

by @edent | 13 comments | Read ~6,446 times.

A fingerprint being scanned.

(For the new reader, there is a famous essay called Falsehoods Programmers Believe About Names. It has since spawned a long list of Falsehoods Programmers Believe About....) Everyone has fingerprints! The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have…

I know how many microphones and cameras you have

by @edent | 8 comments | Read ~322 times.

Web browser asking for permission to access microphones. On the page, the number of microphones is displayed.

A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting? Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and…