security

2023

• Veraport: Inside Korea’s dysfunctional application management March 6
• LastPass breach update: The few additional bits of information February 28
• South Korea’s banking security: Intermediate conclusions February 20
• Weakening TLS protection, South Korean style February 6
• Password strength explained January 30
• IPinside: Korea’s mandatory spyware January 25
• Bitwarden design flaw: Server side iterations January 23
• TouchEn nxKey: The keylogging anti-keylogger solution January 9
• South Korea’s online security dead end January 2

2022

• LastPass breach: The significance of these password iterations December 28
• What’s in a PR statement: LastPass breach explained December 26
• What data does LastPass encrypt? December 24
• LastPass has been breached: What now? December 23
• Common pitfalls of breaking up HTTPS connections December 8
• When extension pages are web-accessible August 31
• Attack surface of extension pages August 24
• Impact of extension privileges August 17
• Anatomy of a basic extension August 10
• Hijacking webcams with Screencastify May 23
• Adobe Acrobat hollowing out same-origin policy April 19
• Party time: Injecting code into Teleparty extension March 14
• Skype extension: All functionality broken? Still exploitable! March 1

2021

• How did LastPass master passwords get compromised? December 29
• Yes, fun browser extensions can have vulnerabilities too! December 20
• Abusing Keepa Price Tracker to track users on Amazon pages October 5
• Breaking Custom Cursor to p0wn the web September 28
• Having fun with CSS injection in a browser extension June 28
• Universal XSS in Ninja Cookie extension May 4
• Print Friendly & PDF: Full compromise April 13
• DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS March 15
• How Amazon Assistant lets Amazon track your every move on the web March 8

2020

• How anti-fingerprinting extensions tend to make fingerprinting easier December 10
• Adding DKIM support to OpenSMTPD with custom filters November 9
• What would you risk for free Honey? October 28
• Dismantling BullGuard Antivirus’ online protection July 6
• Exploiting Bitdefender Antivirus: RCE from any website June 22
• Does Signal’s “secure value recovery” really work? June 16
• What data does Xiaomi collect about you? May 8
• Are Xiaomi browsers spyware? Yes, they are… May 4
• Yahoo! and AOL: Where two-factor authentication makes your account less secure March 9
• PSA: jQuery is bad for the security of your project March 2
• McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges February 25
• Insights from Avast/Jumpshot data: Pitfalls of data anonymization February 18
• Avast’s broken data anonymization approach January 27
• Pwning Avast Secure Browser for fun and profit January 13
• Avast complies to respect users’ privacy January 8

2019

• Problematic monetization in security products, Avira edition December 11
• Rendering McAfee web protection ineffective December 2
• More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links November 27
• Assorted Kaspersky vulnerabilities November 27
• Internal Kaspersky API exposed to websites November 26
• Kaspersky: The art of keeping your keys under the door mat November 25
• Avast Online Security and Avast Secure Browser are spying on you October 28
• PfP: Pain-free Passwords security review September 26
• State of the art protection in Chrome Web Store September 9
• Kaspersky in the Middle – what could possibly go wrong? August 19
• Recognizing basic security flaws in local password managers August 12
• Various RememBear security issues July 8
• Bogus security mechanisms: Encrypting localhost traffic April 11
• Should you be concerned about LastPass uploading your passwords to its server? March 18

2018

• BBN challenge resolution: Getting the flag from a browser extension December 17
• If your bug bounty program is private, why do you have it? December 10
• BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension December 10
• Maximizing password manager attack surface: Learning from Kaspersky November 30
• BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page” November 28
• As far as I’m concerned, email signing/encryption is dead November 12
• Should your next web-based login form avoid sending passwords in clear text? October 25
• So Google is now claiming: “no one (including Google) can access your data” October 15
• Keybase: “Our browser extension subverts our encryption, but why should we care?” September 6
• Password managers: Please make sure AutoFill is secure! August 29
• FTAPI SecuTransfer – the secure alternative to emails? Not quite… July 11
• Is your LastPass data really safe in the encrypted online vault? July 9
• Ryzom falling: Remote code execution via the in-game browser May 18
• The ticking time bomb: Fake ad blockers in Chrome Web Store April 18
• The Firefox Accounts authentication zoo March 27
• Can Chrome Sync or Firefox Sync be trusted with sensitive data? March 13
• Master password in Firefox or Thunderbird? Do not bother! March 10
• Implementing safe sync functionality in a server-less extension March 8
• Easy Passwords is now PfP: Pain-free Passwords February 7
• News flash: encrypted.google.com is not special in any way January 13

2017

• On Web Extensions shortcomings and their impact on add-on security November 11
• Observations on managed bug bounty programs October 4
• Revisiting permission prompt for Firefox extensions August 5
• How bad is a buffer overflow in an Emscripten-compiled application? April 23
• LastPass: Security done wrong March 23

2016

• Implementing efficient PBKDF2 for the browser October 25
• More Last Pass security vulnerabilities September 16
• Easy Passwords moving forward – filling in user names September 5
• Why Mozilla shouldn’t copy Chrome’s permission prompt for extensions July 2
• Underestimated issue: Hashing passwords without salts May 4
• Security considerations for password generators April 20
• Why you should go with “secure by default” for your web application March 2

2015

• Why you probably want to disable jQuery.parseHTML even though you don’t call it August 30

2014

• Please don’t use externally hosted JavaScript libraries June 30
• Third-party JavaScript – more critical than ever June 27
• Proxies breaking up SSL connections? Yes, all the time… May 27
• Enforcing HTTPS connections on websites March 30
• Extension security and add-on stores February 25

2011

• Google Chrome and pre-installed web apps November 15

2010

• Finding security issues in a website (or: How to get paid by Google) December 11
• One way to get outdated plugins on your computer January 28
• The new browser security landscape January 26

2009

• AMO getting serious about add-on security November 14
• Getting rid of Flash cookies March 2
• Five wrong reasons to use eval() in an extension February 6
• Vulnerable extensions survey February 5
• Displaying web content in an extension – without security issues January 28
• Deobfuscating JavaScript January 12

2008

• HTTP Referer header won’t help you with CSRF May 21
• Vulnerability or feature? February 6

2007

• Predictable whitelists strike again November 5
• The hazards of MIME sniffing April 29
• Legal implications of security research April 8
• Usability vs. Security March 24
• Blacklists, whitelists, and security March 15
• Running a web server is dangerous January 17
• Speaking of IE security… January 12
• AMO moving into the right direction January 12
• Firefox security: the real picture January 5

2006

• No good deed goes unpunished December 3
• What happened to the promised spam solution? November 23
• “Don’t mail us unless you are in the US” August 6