Articles
2023
- A year after the disastrous breach, LastPass has not improved
- Chrome Sync privacy is still very bad
- Why browser extension games need access to all websites
- Another cluster of potentially malicious Chrome extensions
- Introducing PCVARK and their malicious ad blockers
- How malicious extensions hide running arbitrary code
- More malicious extensions in Chrome Web Store
- Malicious code in PDF Toolbox extension
- Online Security extension: Destroying privacy for no good reason
- A way forward for PfP: Pain-free Passwords
- Processing a complex syntax with Rust’s declarative macros
- Documenting KeePass KDBX4 file format
- The end of PfP: Pain-free Passwords
- Converting incoming emails on the fly with OpenSMTPD filters
- Veraport: Inside Korea’s dysfunctional application management
- LastPass breach update: The few additional bits of information
- South Korea’s banking security: Intermediate conclusions
- Automating Windows installation in a VM
- Weakening TLS protection, South Korean style
- Password strength explained
- IPinside: Korea’s mandatory spyware
- Bitwarden design flaw: Server side iterations
- TouchEn nxKey: The keylogging anti-keylogger solution
- South Korea’s online security dead end
2022
- LastPass breach: The significance of these password iterations
- What’s in a PR statement: LastPass breach explained
- What data does LastPass encrypt?
- LastPass has been breached: What now?
- Common pitfalls of breaking up HTTPS connections
- Scirge: When your employer mandates spyware
- When extension pages are web-accessible
- Attack surface of extension pages
- Impact of extension privileges
- Anatomy of a basic extension
- Hijacking webcams with Screencastify
- Adobe Acrobat hollowing out same-origin policy
- Party time: Injecting code into Teleparty extension
- Skype extension: All functionality broken? Still exploitable!
- Writing my own build system: Coupling gulp concepts with modern JavaScript
2021
- How did LastPass master passwords get compromised?
- Yes, fun browser extensions can have vulnerabilities too!
- Abusing Keepa Price Tracker to track users on Amazon pages
- Breaking Custom Cursor to p0wn the web
- Data exfiltration in Keepa Price Tracker
- Having fun with CSS injection in a browser extension
- Universal XSS in Ninja Cookie extension
- Print Friendly & PDF: Full compromise
- Follow-up on Amazon Assistant’s data collection
- DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS
- How Amazon Assistant lets Amazon track your every move on the web
- Setup for testing Android app vulnerabilities
- Reverse engineering a Unity-based Android game
2020
- How anti-fingerprinting extensions tend to make fingerprinting easier
- Adding DKIM support to OpenSMTPD with custom filters
- What would you risk for free Honey?
- Added Webmention support to the blog
- A grim outlook on the future of browser add-ons
- Dismantling BullGuard Antivirus’ online protection
- Exploiting Bitdefender Antivirus: RCE from any website
- Does Signal’s “secure value recovery” really work?
- The easier way to use lunr search with Hugo
- What data does Xiaomi collect about you?
- Are Xiaomi browsers spyware? Yes, they are…
- Yahoo! and AOL: Where two-factor authentication makes your account less secure
- PSA: jQuery is bad for the security of your project
- McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges
- Insights from Avast/Jumpshot data: Pitfalls of data anonymization
- Avast’s broken data anonymization approach
- Pwning Avast Secure Browser for fun and profit
- Avast complies to respect users’ privacy
2019
- Problematic monetization in security products, Avira edition
- Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?
- Rendering McAfee web protection ineffective
- More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links
- Assorted Kaspersky vulnerabilities
- Internal Kaspersky API exposed to websites
- Kaspersky: The art of keeping your keys under the door mat
- Avast Online Security and Avast Secure Browser are spying on you
- PfP: Pain-free Passwords security review
- State of the art protection in Chrome Web Store
- Kaspersky in the Middle – what could possibly go wrong?
- Recognizing basic security flaws in local password managers
- Various RememBear security issues
- Bogus security mechanisms: Encrypting localhost traffic
- Switching my blog to a static site generator
- Dear Mozilla, please stop spamming!
- Should you be concerned about LastPass uploading your passwords to its server?
- How much privacy do you have left on the web?
2018
- BBN challenge resolution: Getting the flag from a browser extension
- If your bug bounty program is private, why do you have it?
- BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension
- Maximizing password manager attack surface: Learning from Kaspersky
- BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page”
- As far as I’m concerned, email signing/encryption is dead
- Should your next web-based login form avoid sending passwords in clear text?
- So Google is now claiming: “no one (including Google) can access your data”
- Keybase: “Our browser extension subverts our encryption, but why should we care?”
- Password managers: Please make sure AutoFill is secure!
- Presentation on digitalization and social interaction
- FTAPI SecuTransfer – the secure alternative to emails? Not quite…
- Is your LastPass data really safe in the encrypted online vault?
- Google to developers: We take down your extension, because we can
- Ryzom falling: Remote code execution via the in-game browser
- The ticking time bomb: Fake ad blockers in Chrome Web Store
- The Firefox Accounts authentication zoo
- Can Chrome Sync or Firefox Sync be trusted with sensitive data?
- Master password in Firefox or Thunderbird? Do not bother!
- Implementing safe sync functionality in a server-less extension
- Links for my SINFO 25 presentation
- Easy Passwords is now PfP: Pain-free Passwords
- News flash: encrypted.google.com is not special in any way
- Getting published Docker container ports to work with IPv6
2017
- Taking a break from Adblock Plus development
- On Web Extensions shortcomings and their impact on add-on security
- Observations on managed bug bounty programs
- Revisiting permission prompt for Firefox extensions
- Easy Passwords released as a Web Extension
- How bad is a buffer overflow in an Emscripten-compiled application?
- Is undetectable ad blocking possible?
- LastPass: Security done wrong
2016
- Implementing efficient PBKDF2 for the browser
- Validating news stories: Syrian oil
- More Last Pass security vulnerabilities
- Easy Passwords moving forward – filling in user names
- Safari extension format (.safariextz) explained
- Why Mozilla shouldn’t copy Chrome’s permission prompt for extensions
- Underestimated issue: Hashing passwords without salts
- Adventures porting Easy Passwords to Chrome and back to Firefox
- Security considerations for password generators
- Introducing Easy Passwords: the new best way to juggle all those passwords
- Why you should go with “secure by default” for your web application
- Compiling C++ to JavaScript: Emscripten vs. Cheerp
2015
- Mozilla: What constitutes “open source”?
- Using WebExtensions APIs in a “classic” extension
- Why you probably want to disable jQuery.parseHTML even though you don’t call it
- Missing a rationale for WebExtensions
- JavaScript Deobfuscator reloaded
- Don’t forget to check the facts – because nobody else will
- Mozilla’s rollout of Yahoo! as default search engine (a.k.a. What’s up with Firefox 34.0.5?)
2014
- Can Mozilla be trusted with privacy?
- A systematic approach to MDN documentation?
- Dumbing down HTML content for AMO
- “Unloading” frame scripts in restartless extensions
- Using a Firefox extension to work around Selenium WebDriver’s limitations
- Which is better, Adblock or Adblock Plus?
- Please don’t use externally hosted JavaScript libraries
- Third-party JavaScript – more critical than ever
- Proxies breaking up SSL connections? Yes, all the time…
- Enforcing HTTPS connections on websites
- Extension security and add-on stores
- Crazy hacks: Changing Wine key mappings on Mac OS X
- Solution to a problem nobody has: Changing Total Commander application icon
- New blog
2012
- Modularization in a restartless extension
- Why you should make your next add-on restartless
- Closed my LinkedIn account
- Preventing background tabs from wasting your computer’s resources
- Random thoughts on democracy and Russian presidential election
- Faster extension development cycle: install changes automatically
2011
- Random thought on communities
- Google Chrome and pre-installed web apps
- EU MozCamp, theme development, add-on localization with adofex
- Binary XPCOM components are dead – js-ctypes is the way to go
- Running Linux in the browser
2010
- Finding security issues in a website (or: How to get paid by Google)
- XULRunner in large projects, part 4: Localization pitfalls
- XULRunner in large projects, part 3: Bugs, bugs, and more bugs
- XULRunner in large projects, part 2: Why XULRunner isn’t like Java
- XULRunner in large projects, part 1: What is that “XULRunner” thingy, anyway?
- Ah, that wonderful Flash installation experience…
- One way to get outdated plugins on your computer
- The new browser security landscape
2009
- AMO getting serious about add-on security
- Atomic orbital viewer with WebGL
- New job again
- Downloading Xenocode’s “sandboxed” applications
- Selecting countries on a map in Firefox 3.5
- Hidden cost of (not) using Venkman
- Getting rid of Flash cookies
- Avoiding naming conflicts in overlays
- More extension puzzles
- Analyzing huge piles of code
- Five wrong reasons to use eval() in an extension
- Vulnerable extensions survey
- Displaying web content in an extension – without security issues
- Deobfuscating JavaScript
- On the new Ctrl+Tab behavior
2008
- Different ways to force garbage collection
- Fake “hg rebase” implementation
- Making modal dialogs work on Mac OS X
- Reconfiguring CheckPoint VPN-1 to allow FTPS connections
- Emulating Window.openDialog with JavaScript arguments in an XPCOM component
- Worst service ever
- HTTP Referer header won’t help you with CSRF
- Web pages accessing chrome:// is forbidden
- What software update isn’t
- TomTom HOME and add-ons
- Vulnerability or feature?
2007
- What is going on with Internet Explorer?
- Predictable whitelists strike again
- Status update
- Get WebRunner 0.5 while it is hot!
- Getting application name and icon right with XULRunner
- Mozilla Developer Day: XUL vs. HTML
- New job
- Moving again
- The hazards of MIME sniffing
- Yet another round of extension recommendations
- Legal implications of security research
- Java and Firefox memory usage
- Usability vs. Security
- Encouraging innovation
- Blacklists, whitelists, and security
- Why “Save Page As HTML, complete” sucks
- Getting back to Oslo
- Running a web server is dangerous
- Speaking of IE security…
- AMO moving into the right direction
- Firefox security: the real picture