Categories
security (106)
- Impact of extension privileges
- Anatomy of a basic extension
- Hijacking webcams with Screencastify
- Adobe Acrobat hollowing out same-origin policy
- Party time: Injecting code into Teleparty extension
mozilla (51)
- What would you risk for free Honey?
- A grim outlook on the future of browser add-ons
- Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?
- Dear Mozilla, please stop spamming!
- Google to developers: We take down your extension, because we can
off-topic (29)
- Presentation on digitalization and social interaction
- Validating news stories: Syrian oil
- Don’t forget to check the facts – because nobody else will
- Closed my LinkedIn account
- Random thoughts on democracy and Russian presidential election
password-managers (22)
- How did LastPass master passwords get compromised?
- PfP: Pain-free Passwords security review
- Recognizing basic security flaws in local password managers
- Various RememBear security issues
- Bogus security mechanisms: Encrypting localhost traffic
privacy (22)
- Abusing Keepa Price Tracker to track users on Amazon pages
- Data exfiltration in Keepa Price Tracker
- Follow-up on Amazon Assistant’s data collection
- DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS
- How Amazon Assistant lets Amazon track your every move on the web
gecko (17)
- Easy Passwords released as a Web Extension
- Is undetectable ad blocking possible?
- Introducing Easy Passwords: the new best way to juggle all those passwords
- Using WebExtensions APIs in a “classic” extension
- A systematic approach to MDN documentation?
add-ons (16)
- Hijacking webcams with Screencastify
- Adobe Acrobat hollowing out same-origin policy
- Party time: Injecting code into Teleparty extension
- Skype extension: All functionality broken? Still exploitable!
- Yes, fun browser extensions can have vulnerabilities too!
antivirus (16)
- Dismantling BullGuard Antivirus’ online protection
- Exploiting Bitdefender Antivirus: RCE from any website
- McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges
- Insights from Avast/Jumpshot data: Pitfalls of data anonymization
- Avast’s broken data anonymization approach
pfp (10)
- Writing my own build system: Coupling gulp concepts with modern JavaScript
- PfP: Pain-free Passwords security review
- Implementing safe sync functionality in a server-less extension
- Easy Passwords is now PfP: Pain-free Passwords
- Easy Passwords released as a Web Extension
xul (10)
- XULRunner in large projects, part 4: Localization pitfalls
- XULRunner in large projects, part 3: Bugs, bugs, and more bugs
- XULRunner in large projects, part 2: Why XULRunner isn’t like Java
- XULRunner in large projects, part 1: What is that “XULRunner” thingy, anyway?
- AMO getting serious about add-on security
adblock-plus (9)
- Links for my SINFO 25 presentation
- Taking a break from Adblock Plus development
- How bad is a buffer overflow in an Emscripten-compiled application?
- Is undetectable ad blocking possible?
- Which is better, Adblock or Adblock Plus?
private (9)
email (7)
- Adding DKIM support to OpenSMTPD with custom filters
- Yahoo! and AOL: Where two-factor authentication makes your account less secure
- Dear Mozilla, please stop spamming!
- How much privacy do you have left on the web?
- As far as I’m concerned, email signing/encryption is dead
avast (6)
- Insights from Avast/Jumpshot data: Pitfalls of data anonymization
- Avast’s broken data anonymization approach
- Pwning Avast Secure Browser for fun and profit
- Avast complies to respect users’ privacy
- Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?
kaspersky (6)
- More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links
- Assorted Kaspersky vulnerabilities
- Internal Kaspersky API exposed to websites
- Kaspersky: The art of keeping your keys under the door mat
- Kaspersky in the Middle – what could possibly go wrong?
google (5)
- What would you risk for free Honey?
- A grim outlook on the future of browser add-ons
- Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?
- Google to developers: We take down your extension, because we can
- The ticking time bomb: Fake ad blockers in Chrome Web Store
lastpass (5)
- How did LastPass master passwords get compromised?
- Should you be concerned about LastPass uploading your passwords to its server?
- Is your LastPass data really safe in the encrypted online vault?
- LastPass: Security done wrong
- More Last Pass security vulnerabilities
challenge (3)
- BBN challenge resolution: Getting the flag from a browser extension
- BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension
- BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page”
hugo (3)
- Added Webmention support to the blog
- The easier way to use lunr search with Hugo
- Switching my blog to a static site generator
os-x (3)
- Safari extension format (.safariextz) explained
- Crazy hacks: Changing Wine key mappings on Mac OS X
- Solution to a problem nobody has: Changing Total Commander application icon
tomtom (3)
website (3)
- Added Webmention support to the blog
- The easier way to use lunr search with Hugo
- Switching my blog to a static site generator
addons (2)
amazon (2)
- Follow-up on Amazon Assistant’s data collection
- How Amazon Assistant lets Amazon track your every move on the web
android (2)
crypto (2)
- Does Signal’s “secure value recovery” really work?
- Should your next web-based login form avoid sending passwords in clear text?
extension-security-basics (2)
jquery (2)
- PSA: jQuery is bad for the security of your project
- Why you probably want to disable jQuery.parseHTML even though you don’t call it
jsdeobfuscator (2)
keepa (2)
mcafee (2)
- McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges
- Rendering McAfee web protection ineffective
reverse-engineering (2)
wine (2)
- Crazy hacks: Changing Wine key mappings on Mac OS X
- Solution to a problem nobody has: Changing Total Commander application icon