I've spent two months trying to report this issue to Getty images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users -…
Continue reading →
In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what if any permission the user agent has to provide automated assistance in filling out form field…
Continue reading →
Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain…
Continue reading →
Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention…
Continue reading →
The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen in genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock. Barclays…
Continue reading →
Let me start by saying that Emoji Passwords are probably a really daft idea. I want to use emoji in my passwords. They're easy to type on a mobile keyboard, easy to remember, and a lot more fun than boring ASCII characters. Let's go with ✅🐎🔋📎 (As close as possible to Correct Horse Battery Staple)…
Continue reading →
Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names". I don't want to go into whether this is a good idea or…
Continue reading →
Another day, another high-profile website cloned to phish credentials. Is this a phishing attempt? Goes to "https://t.co/7b0EaPdGZR" and asks for username and pw (if so, it nearly got me!) /cc @github pic.twitter.com/jgt4oNvjF2 — Tess Rinearson (@_tessr) January 16, 2021 In the replies, you’ll see lots of techbros saying “this is why you should switch on…
Continue reading →
(For the new reader, there is a famous essay called Falsehoods Programmers Believe About Names. It has since spawned a long list of Falsehoods Programmers Believe About....) Everyone has fingerprints! The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have…
Continue reading →
A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting? Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and…
Continue reading →