Responsible Disclosure: Content Injection flaw in Gett's Website

by @edent | Read ~158 times.
A basic form asking for users' credit card details.

Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention…

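The flaw described above, as an added example rather than Gett's own code: a search term reflected straight into results markup lets anything that parses as HTML (a link, an image) land on the page, while escaping the term before it reaches the markup does not. The results template, the `escapeHtml` helper and the attacker string are assumptions for illustration.

```javascript
// Added example (not Gett's code). The results template and helper names are
// illustrative assumptions; the attacker payload below is constructed.

// VULNERABLE: the raw query is concatenated into markup, so an attacker who can
// get a victim to load a search URL can place their own link on the page.
function renderResultsVulnerable(query, resultCount) {
  return `<h2>${resultCount} results for "${query}"</h2>`;
}

// HARDENED: neutralise the five characters that let text break out of a text
// node or a quoted attribute before the string is used as HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderResultsSafe(query, resultCount) {
  return `<h2>${resultCount} results for "${escapeHtml(query)}"</h2>`;
}

// Constructed attacker input: a link styled as a promotion.
const payload = '<a href="https://attacker.example/">Click here for 50% off</a>';

// Usage: in a browser the hardened string may be assigned to innerHTML, or
// better still, skip templating and set textContent on the heading.
console.log(renderResultsVulnerable(payload, 0));
console.log(renderResultsSafe(payload, 0));
```

The check a reviewer would make is simply whether the rendered output still contains an unescaped `<a` or `<img`; if it does, the search term is being treated as markup rather than text.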

The 74,000 numbers of Barclays Bank

by @edent | 7 comments | Read ~316 times.
Long list of phone numbers in JSON format.

The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock. Barclays…


Emoji Passwords and BitWarden

by @edent | 4 comments | Read ~211 times.

Let me start by saying that Emoji Passwords are probably a really daft idea. I want to use emoji in my passwords. They're easy to type on a mobile keyboard, easy to remember, and a lot more fun than boring ASCII characters. Let's go with ✅🐎🔋📎 (As close as possible to Correct Horse Battery Staple)…

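One reason emoji passwords are awkward in practice, shown as an added example that is not from the post or from Bitwarden: the "length" of ✅🐎🔋📎 depends on who is counting (UTF-16 code units in JavaScript, code points, or UTF-8 bytes at the server), and the same glyph can arrive as different code point sequences from different keyboards. The minimum-length rule and the `passwordMetrics` helper are illustrative assumptions.

```javascript
// Added example (not from the original post or Bitwarden). Uses the post's
// own password; the length rule below is an illustrative assumption.
const password = '✅🐎🔋📎';

function passwordMetrics(pw) {
  return {
    utf16Units: pw.length,                          // what .length and most web forms count
    codePoints: Array.from(pw).length,              // one per emoji here
    utf8Bytes: new TextEncoder().encode(pw).length, // what a server-side hash usually sees
    // None of these four emoji decompose under normalisation, so NFC and NFD agree.
    nfcEqualsNfd: pw.normalize('NFC') === pw.normalize('NFD'),
  };
}

// A "minimum N characters" policy passes or fails depending on the unit used.
function meetsMinimum(pw, min, unit) {
  return passwordMetrics(pw)[unit] >= min;
}

// The red heart is typed as U+2764 alone on some keyboards and as
// U+2764 U+FE0F (with an emoji variation selector) on others. They render the
// same but are different strings, and NFC does not reconcile them, so the same
// password visually can hash to two different values.
function sameGlyphSameBytes(a, b) {
  return a.normalize('NFC') === b.normalize('NFC');
}

console.log(passwordMetrics(password));
console.log(sameGlyphSameBytes('\u2764\uFE0F', '\u2764'));
```

The practical check is to pick one unit (UTF-8 bytes is the safest, since that is what the hash sees) and one normalisation form at the point of entry, and apply both identically on registration and login.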

That's not my name! Practical problems in real name policies.

by @edent | 8 comments | Read ~1,313 times.
A human holds up some paper with a mysterious script printed on it.

Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names". I don't want to go into whether this is a good idea or…


That's not how 2FA works

by @edent | 21 comments | Read ~30,814 times.
List of tweeters advocating for 2FA.

Another day, another high-profile website cloned to phish credentials. Is this a phishing attempt? Goes to "https://t.co/7b0EaPdGZR" and asks for username and pw (if so, it nearly got me!) /cc @github pic.twitter.com/jgt4oNvjF2 — Tess Rinearson (@_tessr) January 16, 2021 In the replies, you’ll see lots of techbros saying “this is why you should switch on…


Falsehoods programmers believe about... Biometrics

by @edent | 11 comments | Read ~6,324 times.
A fingerprint being scanned.

(For the new reader, there is a famous essay called Falsehoods Programmers Believe About Names. It has since spawned a long list of Falsehoods Programmers Believe About....) Everyone has fingerprints! The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have…


I know how many microphones and cameras you have

by @edent | 8 comments | Read ~315 times.
Web browser asking for permission to access microphones. On the page, the number of microphones is displayed.

A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting? Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and…

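How a page arrives at the device count the post describes, as an added example rather than the post's own code: the browser's device list is tallied by kind, and the presence or absence of labels shows whether permission has been granted. The sample device list is constructed to mimic the pre-permission shape (blank labels and IDs); in a browser it would come from `navigator.mediaDevices.enumerateDevices()`, which is the only real API used here.

```javascript
// Added example (not the post's code). The sample device list is constructed;
// in a browser the same shape is returned by
// navigator.mediaDevices.enumerateDevices().
function countDevices(devices) {
  const counts = { audioinput: 0, audiooutput: 0, videoinput: 0 };
  for (const d of devices) {
    if (d.kind in counts) counts[d.kind] += 1;
  }
  return counts;
}

// Before the user grants camera/microphone permission, the entries a browser
// returns typically carry empty label strings (and, depending on the browser,
// empty deviceIds). The post's observation is that the number of entries per
// kind was still visible, which is enough to count microphones and cameras.
function describeLeak(devices) {
  const c = countDevices(devices);
  const labelled = devices.filter((d) => d.label !== '').length;
  return {
    microphones: c.audioinput,
    cameras: c.videoinput,
    speakers: c.audiooutput,
    labelsVisible: labelled > 0, // true once permission has been granted
  };
}

// Constructed sample: two microphones, one camera, one speaker, no permission yet.
const sampleDevices = [
  { kind: 'audioinput', label: '', deviceId: '', groupId: 'g1' },
  { kind: 'audioinput', label: '', deviceId: '', groupId: 'g2' },
  { kind: 'videoinput', label: '', deviceId: '', groupId: 'g2' },
  { kind: 'audiooutput', label: '', deviceId: '', groupId: 'g1' },
];

// Browser usage; returns null where the media devices API is absent (e.g. Node).
async function describeThisMachine() {
  if (typeof navigator === 'undefined' || !navigator.mediaDevices) return null;
  return describeLeak(await navigator.mediaDevices.enumerateDevices());
}

console.log(describeLeak(sampleDevices));
```

The counts are a weak fingerprinting signal on their own, as the post notes, but combined with other stable attributes they help distinguish one machine from another without ever triggering a permission prompt.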

Book Review: Privacy is Power - Carissa Véliz

by @edent | 1 comment | Read ~274 times.
Book Cover.

Without your permission, or even your awareness, tech companies are harvesting your location, your likes, your habits, your relationships, your fears, your medical issues, and sharing it amongst themselves, as well as with governments and a multitude of data vultures. They're not just selling your data. They're selling the power to influence you and decide…


Review: eufyCam 2C Wireless Home Security Camera System

by @edent | 3 comments | Read ~224 times.
Flyer explaining how Eufy is different.

I hate the Internet of Things. It's a load of overpriced junk, which abuses your privacy and demands a monthly fee in return. That's why I was pleasantly surprised to see this fall out of the eufyCam 2C box. There's no monthly fee. The recordings stay in your home. The batteries last for ages. I…


I have 4% 2FA coverage

by @edent | 2 comments | Read ~225 times.
A long list of 2FA tokens.

Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet…
