Hidden Data in NFC Tags

by @edent | 1 comment | Read ~245 times.
Various NFC icons.

I've just got a set of wearable NFC tags, and I've discovered something interesting about the way data is stored on them. tl;dr Overwriting a tag can leave old data intact, and still readable. Here's the decoded memory layout of a tag with data written to it. In this case, a (failed) experiment at storing…

Harvesting phone numbers and email addresses from GitHub

by @edent | 2 comments | Read ~122 times.
A user's email signature - the phone number has been blurred out.

Code-sharing site GitHub automatically sends email notifications to users. If you've commented on an issue, you'll get an email each time there's an update. That's pretty handy. It also allows users to reply by email. The reply is then automatically posted in the issue thread. Also handy. But a little dangerous. Lots of people have…

€100 Bug Bounty from Intigriti - please stop tracking your confirmation emails!

by @edent | 1 comment | Read ~135 times.
Weird confirmation address.

There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system. The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti. I signed…

$3k Bug Bounty - Twitter's OAuth Mistakes

by @edent | 4 comments | Read ~13,530 times.
A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and…

Major sites running unauthenticated JavaScript on their payment pages

by @edent | 9 comments | Read ~25,942 times.
HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their…

Should you use SRI for self-hosted scripts?

by @edent | 2 comments | Read ~224 times.

Here's a curiosity which I found while stumbling through the Sony PlayStation store. The website loads internally hosted scripts using SRI (SubResource Integrity). Why? Does your work require you to swipe an ID card to access the building? That seems pretty normal. Does your work also remind you to keep your badge visible, and to…

Dynamic JavaScript and SRI

by @edent | Read ~187 times.
HTML source of The Guardian website. Polyfill is being loaded from their own CDN.

Some external JavaScript libraries are dynamic. That's a problem for the SRI model of security. How can this be fixed? Definitions Suppose I want my website to have the latest version of the jQuery library. I might use a Content Delivery Network (CDN) to serve the code for me. <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> If an attacker were…

Responsible Disclosure: CloudFlare - more interested in tracking than security

by @edent | 2 comments | Read ~352 times.
A confirmation email asking me to click on a link.

CloudFlare claim they want to secure the web - but they seem more interested in tracking their customers than giving them decent security. Upon registering with the Internet giant, users are encouraged to confirm their email addresses. So far, so standard. This is the confirmation message CloudFlare sends out: Looks good! Hey! I wonder where…

Security issues on ArtChain

by @edent | 4 comments | Read ~4,396 times.
A website with a popup notification.

One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and some of the…

Responsible Disclosure - Citizens Advice Bureaux

by @edent | Read ~213 times.

A quick report into a nasty privacy vulnerability I found with the CAB. Unusually for me, this has no Internet component. Regular readers will know about my recent court visit. As part of that, I had to telephone the CAB Volunteers at the court who look after witnesses. I called, and was put on hold,…