I have 4% 2FA coverage

by @edent | 2 comments | Read ~180 times.
A long list of 2FA tokens.

Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers’ email tokens, failed crypto wallet…

More Phishers On Twitter

by @edent | 4 comments | Read ~750 times.
A Twitter exchange. Virgin ask Dom for his address - which he gives. Then they ask for his full credit card details. He refuses.

My mate Dom was moaning to his ISP on Twitter. They sent him a private message so they could look into his account. Blimey! Thankfully, that was a pretty brazen and inept attempt at phishing. Anyone asking for all your card details like that should set the alarm bells ringing. Of course, phishers often target…

“file:///C:/users”

by @edent | Read ~286 times.
List of Tweets where people have pasted a link to their local machine.

Once in a while, I’ll see someone Tweet a “link” to file:///C:/users/… – that’s the Microsoft Windows way of representing a location on a filesystem. Usually this means that the user has tried to either drag ‘n’ drop something, or copied a link from their file explorer. There are some (mild) infosec risks you should…

GDPR and common sense

by @edent | 3 comments | Read ~124 times.
Some giant question marks standing in a field.

Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don’t deal with people’s personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called “Pay and Bonuses 2020”. The email contained this doozy of…

My 2FA Code was 000 000!

by @edent | 1 comment | Read ~1,022 times.
Facebook's 2FA code page.

I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn’t a particularly big number.…

Responsible Disclosure – John Lewis

by @edent | 1 comment | Read ~693 times.
John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I’ve been an author on it, and even I couldn’t tell you all the weird little gotchas it contains. Between that and “idiosyncratic” browser engines, it’s a wonder the world wide web works at all. Let’s talk about the humble <meta> element. As its name suggests, it contains metadata about…

Your webcam cover is messing up your screen brightness

by @edent | 4 comments | Read ~361 times.
A laptop with the webcam covered - a green LED is visible.

Here’s something I didn’t know – but should have, because it’s obvious… Your screen’s auto-brightness depends on your webcam. If, like me, you have a privacy cover – this happens: The MacBook I’m using doesn’t have any lux sensors that I can see – most phones have a separate sensor which means the camera isn’t…

Even Google forgets to renew its domains

by @edent | 12 comments | Read ~32,570 times.
Domain showing as available to purchase.

tl;dr: Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators. Background: Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have…

Thames Water don’t get password security

by @edent | 1 comment | Read ~2,872 times.

Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account. I’m bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my…

Responsible Disclosure: SVG injection in Three.co.uk

by @edent | 4 comments | Read ~475 times.
The website has a circle drawn on it.

Here’s a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk – one of the UK’s mobile providers. A brief recap… Most websites have a search function. If you search for something which cannot be found, the site will often say “No results found for XYZ.” If we can…