Should you use Let's Encrypt for internal hostnames?

by @edent | 25 comments | 450 words | Read ~28,353 times.

A padlock engraved into a circuit board.

Julien Savoie has written a brilliant post explaining how you can enable https on your intranet. This is useful for several reasons. It means your employees aren't constantly fighting browser warnings when trying to submit stuff internally. All your http traffic is encrypted. You don't need to install a self-generated root certificate on devices. Lovely!…

Responsible Disclosure: Chrome security bug let tabs draw over each other ($1k bounty)

by @edent | 1 comment | 550 words | Read ~1,166 times.

The Google Logo.

Chrome for Android had a flaw which let one tab draw over another - even if the tabs were on completely different domains. A determined attacker might have been able to abuse this to convince a user to download and install a spoofed app. See Chrome Bug #1242315 for details. Demo Here's a video of…

ProctorU is dystopian spyware

by @edent | 22 comments | 350 words | Read ~10,098 times.

To take this exam online you will need to borrow a friend or family member's laptop.

As part of my MSc, I have to take an online exam. Obviously, this means I am highly likely to cheat by looking up things on Wikipedia or by having a bit of paper with notes on it. EVIL! So, the exam body requires me to install ProctorU. It's a service which lets someone watch…

Full Disclosure: XSS in Getty Images

by @edent | 3 comments | 300 words | Read ~572 times.

Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users -…

Should browsers remember 2FA codes?

by @edent | 5 comments | 400 words | Read ~244 times.

In HTML, the autocomplete attribute is pretty handy. The HTML autocomplete attribute is available on <input> elements that take a text or numeric value as input, <textarea> elements, <select> elements, and <form> elements. autocomplete lets web developers specify what if any permission the user agent has to provide automated assistance in filling out form field…

Responsible Disclosure: [REDACTED] XSS

by @edent | 300 words | Read ~186 times.

A pop-up on a website. The HTML code shows the data has been injected.

Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain…

Responsible Disclosure: Content Injection flaw in Gett's Website

by @edent | 450 words | Read ~183 times.

A basic form asking for users' credit card details.

Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention…

The 74,000 numbers of Barclays Bank

by @edent | 12 comments | 300 words | Read ~9,825 times.

Long list of phone numbers in JSON format.

The UK faces an epidemic of telephone scams. Fraudsters are constantly calling people up pretending to be their bank. But how can you be sure the number displayed on your screen is genuine? You can't. The telecom system is hopelessly insecure and shouldn't be trusted for anything more complicated than dialling the speaking clock. Barclays…

Emoji Passwords and BitWarden

by @edent | 4 comments | 150 words | Read ~227 times.

Let me start by saying that Emoji Passwords are probably a really daft idea. I want to use emoji in my passwords. They're easy to type on a mobile keyboard, easy to remember, and a lot more fun than boring ASCII characters. Let's go with ✅🐎🔋📎 (As close as possible to Correct Horse Battery Staple)…

That's not my name! Practical problems in real name policies.

by @edent | 8 comments | 700 words | Read ~1,327 times.

A human holds up some paper with a mysterious script printed on it.

Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names". I don't want to go into whether this is a good idea or…