"file:///C:/users"

by @edent | Read ~248 times.
List of Tweets where people have pasted a link to their local machine.

Once in a while, I'll see someone Tweet a "link" to file:///C:/users/... - that's the Microsoft Windows way of representing a location on a filesystem. Usually this means that the user has tried to either drag 'n' drop something, or copied a link from their file explorer. There are some (mild) infosec risks you should…

GDPR and common sense

by @edent | 3 comments | Read ~110 times.
Some giant question marks standing in a field.

Every so often, I get a glimpse into the thought processes of someone who has a very different view of the world to me. I don't deal with people's personal information often. So I was surprised to receive an email with a multi-megabyte spreadsheet called "Pay and Bonuses 2020". The email contained this doozy of…

My 2FA Code was 000 000!

by @edent | 1 comment | Read ~988 times.
Facebook's 2FA code page.

I stared at my TOTP generator. Surely this must be a bug? Leap Year related? Or a cold-start error? Or some freaky prank? How could my login code be 000000?!?! A standard TOTP code is normally 6 digits long. There are a million combinations, from 000000 to 999999. A million isn't a particularly big number.…

Responsible Disclosure - John Lewis

by @edent | 1 comment | Read ~673 times.
John Lewis Website with a big circle drawn on it.

The HTML5 specification is complicated. I've been an author on it, and even I couldn't tell you all the weird little gotchas it contains. Between that and "idiosyncratic" browser engines, it's a wonder the world wide web works at all. Let's talk about the humble <meta> element. As its name suggests, it contains metadata about…

Your webcam cover is messing up your screen brightness

by @edent | 4 comments | Read ~235 times.
A laptop with the webcam covered - a green LED is visible.

Here's something I didn't know - but should have, because it's obvious... Your screen's auto-brightness depends on your webcam. If, like me, you have a privacy cover - this happens: The MacBook I'm using doesn't have any lux sensors that I can see - most phones have a separate sensor which means the camera isn't…

Even Google forgets to renew its domains

by @edent | 12 comments | Read ~32,484 times.
Domain showing as available to purchase.

tl;dr Google forgot to renew a domain used in their documentation. It was mildly embarrassing for them. And possibly a minor security concern for some new G-Suite domain administrators.

Background

Choosing a good example domain, to use in documentation, is hard. You want something which is obviously an example, so that users understand they have…

Thames Water don't get password security

by @edent | 1 comment | Read ~2,861 times.

Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account. I'm bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my…

Responsible Disclosure: SVG injection in Three.co.uk

by @edent | 4 comments | Read ~442 times.
The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can…

Is LogMeIn leaking email addresses?

by @edent | 2 comments | Read ~296 times.
Fraud alert warning signs.

Like all security minded people, I use a unique email address for every service I sign up to. This week, I noticed I had started receiving spam to an email address associated with my Join.me account. Join.me is a screen sharing service now owned by LogMeIn. I signed up for a trial of Join.me back…

Who can I hire to hack me?

by @edent | Read ~5,509 times.
GitHub screenshot "Insert your security key Press the button on your security key device to finish signing in. If it does not have a button, just re-insert it."

I use a password manager. I have 2FA set up on everything. When an organisation asks me to set a recovery question, I generate a 32 character passphrase. I don't use my mother's maiden name or my first pet's birthday on anything sensitive. I monitor my email addresses for breaches, and I regularly check my…