Categories

security (108)

• When extension pages are web-accessible August 31
• Attack surface of extension pages August 24
• Impact of extension privileges August 17
• Anatomy of a basic extension August 10
• Hijacking webcams with Screencastify May 23
• Read More »

mozilla (51)

• What would you risk for free Honey? October 28
• A grim outlook on the future of browser add-ons August 31
• Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do? December 3
• Dear Mozilla, please stop spamming! April 3
• Google to developers: We take down your extension, because we can July 3
• Read More »

off-topic (29)

• Präsentation über Digitalisierung und soziale Interaktion August 16
• Validating news stories: Syrian oil October 23
• Don’t forget to check the facts – because nobody else will May 31
• Closed my LinkedIn account June 8
• Random thoughts on democracy and Russian presidential election March 12
• Read More »

privacy (23)

• Scirge: When your employer mandates spyware October 6
• Abusing Keepa Price Tracker to track users on Amazon pages October 5
• Data exfiltration in Keepa Price Tracker August 2
• Follow-up on Amazon Assistant’s data collection March 22
• DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS March 15
• Read More »

password-managers (22)

• How did LastPass master passwords get compromised? December 29
• PfP: Pain-free Passwords security review September 26
• Recognizing basic security flaws in local password managers August 12
• Various RememBear security issues July 8
• Bogus security mechanisms: Encrypting localhost traffic April 11
• Read More »

add-ons (17)

• Scirge: When your employer mandates spyware October 6
• Hijacking webcams with Screencastify May 23
• Adobe Acrobat hollowing out same-origin policy April 19
• Party time: Injecting code into Teleparty extension March 14
• Skype extension: All functionality broken? Still exploitable! March 1
• Read More »

gecko (17)

• Easy Passwords released as a Web Extension July 17
• Is undetectable ad blocking possible? April 19
• Introducing Easy Passwords: the new best way to juggle all those passwords April 19
• Using WebExtensions APIs in a “classic” extension October 15
• A systematic approach to MDN documentation? December 4
• Read More »

antivirus (16)

• Dismantling BullGuard Antivirus’ online protection July 6
• Exploiting Bitdefender Antivirus: RCE from any website June 22
• McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges February 25
• Insights from Avast/Jumpshot data: Pitfalls of data anonymization February 18
• Avast’s broken data anonymization approach January 27
• Read More »

pfp (10)

• Writing my own build system: Coupling gulp concepts with modern JavaScript February 8
• PfP: Pain-free Passwords security review September 26
• Implementing safe sync functionality in a server-less extension March 8
• Easy Passwords is now PfP: Pain-free Passwords February 7
• Easy Passwords released as a Web Extension July 17
• Read More »

xul (10)

• XULRunner in large projects, part 4: Localization pitfalls July 17
• XULRunner in large projects, part 3: Bugs, bugs, and more bugs July 5
• XULRunner in large projects, part 2: Why XULRunner isn’t like Java July 4
• XULRunner in large projects, part 1: What is that “XULRunner” thingy, anyway? July 2
• AMO getting serious about add-on security November 14
• Read More »

adblock-plus (9)

• Links for my SINFO 25 presentation March 2
• Taking a break from Adblock Plus development December 20
• How bad is a buffer overflow in an Emscripten-compiled application? April 23
• Is undetectable ad blocking possible? April 19
• Which is better, Adblock or Adblock Plus? July 29
• Read More »

private (9)

• New job again September 2
• Status update August 26
• New job June 15
• Moving again May 16
• Getting back to Oslo March 1
• Read More »

email (7)

• Adding DKIM support to OpenSMTPD with custom filters November 9
• Yahoo! and AOL: Where two-factor authentication makes your account less secure March 9
• Dear Mozilla, please stop spamming! April 3
• How much privacy do you have left on the web? March 12
• As far as I’m concerned, email signing/encryption is dead November 12
• Read More »

avast (6)

• Insights from Avast/Jumpshot data: Pitfalls of data anonymization February 18
• Avast’s broken data anonymization approach January 27
• Pwning Avast Secure Browser for fun and profit January 13
• Avast complies to respect users’ privacy January 8
• Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do? December 3
• Read More »

kaspersky (6)

• More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links November 27
• Assorted Kaspersky vulnerabilities November 27
• Internal Kaspersky API exposed to websites November 26
• Kaspersky: The art of keeping your keys under the door mat November 25
• Kaspersky in the Middle – what could possibly go wrong? August 19
• Read More »

google (5)

• What would you risk for free Honey? October 28
• A grim outlook on the future of browser add-ons August 31
• Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do? December 3
• Google to developers: We take down your extension, because we can July 3
• The ticking time bomb: Fake ad blockers in Chrome Web Store April 18

lastpass (5)

• How did LastPass master passwords get compromised? December 29
• Should you be concerned about LastPass uploading your passwords to its server? March 18
• Is your LastPass data really safe in the encrypted online vault? July 9
• LastPass: Security done wrong March 23
• More Last Pass security vulnerabilities September 16

addons (4)

• When extension pages are web-accessible August 31
• Attack surface of extension pages August 24
• Impact of extension privileges August 17
• Anatomy of a basic extension August 10

extension-security-basics (4)

• When extension pages are web-accessible August 31
• Attack surface of extension pages August 24
• Impact of extension privileges August 17
• Anatomy of a basic extension August 10

challenge (3)

• BBN challenge resolution: Getting the flag from a browser extension December 17
• BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension December 10
• BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page” November 28

hugo (3)

• Added Webmention support to the blog September 3
• The easier way to use lunr search with Hugo June 4
• Switching my blog to a static site generator April 4

os-x (3)

• Safari extension format (.safariextz) explained August 17
• Crazy hacks: Changing Wine key mappings on Mac OS X February 14
• Solution to a problem nobody has: Changing Total Commander application icon February 13

tomtom (3)

• Making modal dialogs work on Mac OS X September 15
• TomTom HOME and add-ons March 17
• New job June 15

website (3)

• Added Webmention support to the blog September 3
• The easier way to use lunr search with Hugo June 4
• Switching my blog to a static site generator April 4

amazon (2)

• Follow-up on Amazon Assistant’s data collection March 22
• How Amazon Assistant lets Amazon track your every move on the web March 8

android (2)

• Setup for testing Android app vulnerabilities February 22
• Reverse engineering a Unity-based Android game February 18

crypto (2)

• Does Signal’s “secure value recovery” really work? June 16
• Should your next web-based login form avoid sending passwords in clear text? October 25

jquery (2)

• PSA: jQuery is bad for the security of your project March 2
• Why you probably want to disable jQuery.parseHTML even though you don’t call it August 30

jsdeobfuscator (2)

• JavaScript Deobfuscator reloaded July 17
• Deobfuscating JavaScript January 12

keepa (2)

• Abusing Keepa Price Tracker to track users on Amazon pages October 5
• Data exfiltration in Keepa Price Tracker August 2

mcafee (2)

• McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges February 25
• Rendering McAfee web protection ineffective December 2

reverse-engineering (2)

• Reverse engineering a Unity-based Android game February 18
• Are Xiaomi browsers spyware? Yes, they are… May 4

wine (2)

• Crazy hacks: Changing Wine key mappings on Mac OS X February 14
• Solution to a problem nobody has: Changing Total Commander application icon February 13

xiaomi (2)

• What data does Xiaomi collect about you? May 8
• Are Xiaomi browsers spyware? Yes, they are… May 4

aol (1)

• Yahoo! and AOL: Where two-factor authentication makes your account less secure March 9

avira (1)

• Problematic monetization in security products, Avira edition December 11

bitdefender (1)

• Exploiting Bitdefender Antivirus: RCE from any website June 22

bugbounty (1)

• If your bug bounty program is private, why do you have it? December 10

build (1)

• Writing my own build system: Coupling gulp concepts with modern JavaScript February 8

bullguard (1)

• Dismantling BullGuard Antivirus’ online protection July 6

docker (1)

• Getting published Docker container ports to work with IPv6 January 5

duckduckgo (1)

• DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS March 15

emscripten (1)

• Compiling C++ to JavaScript: Emscripten vs. Cheerp February 5

opensmtpd (1)

• Adding DKIM support to OpenSMTPD with custom filters November 9

remembear (1)

• Bogus security mechanisms: Encrypting localhost traffic April 11

signal (1)

• Does Signal’s “secure value recovery” really work? June 16

songbird (1)

• New job again September 2

soot (1)

• Setup for testing Android app vulnerabilities February 22

unity (1)

• Reverse engineering a Unity-based Android game February 18

verizon (1)

• Yahoo! and AOL: Where two-factor authentication makes your account less secure March 9

yahoo (1)

• Yahoo! and AOL: Where two-factor authentication makes your account less secure March 9