security
2023
- Introducing PCVARK and their malicious ad blockers
- How malicious extensions hide running arbitrary code
- More malicious extensions in Chrome Web Store
- Malicious code in PDF Toolbox extension
- Online Security extension: Destroying privacy for no good reason
- Veraport: Inside Korea’s dysfunctional application management
- LastPass breach update: The few additional bits of information
- South Korea’s banking security: Intermediate conclusions
- Weakening TLS protection, South Korean style
- Password strength explained
- IPinside: Korea’s mandatory spyware
- Bitwarden design flaw: Server side iterations
- TouchEn nxKey: The keylogging anti-keylogger solution
- South Korea’s online security dead end
2022
- LastPass breach: The significance of these password iterations
- What’s in a PR statement: LastPass breach explained
- What data does LastPass encrypt?
- LastPass has been breached: What now?
- Common pitfalls of breaking up HTTPS connections
- When extension pages are web-accessible
- Attack surface of extension pages
- Impact of extension privileges
- Anatomy of a basic extension
- Hijacking webcams with Screencastify
- Adobe Acrobat hollowing out same-origin policy
- Party time: Injecting code into Teleparty extension
- Skype extension: All functionality broken? Still exploitable!
2021
- How did LastPass master passwords get compromised?
- Yes, fun browser extensions can have vulnerabilities too!
- Abusing Keepa Price Tracker to track users on Amazon pages
- Breaking Custom Cursor to p0wn the web
- Having fun with CSS injection in a browser extension
- Universal XSS in Ninja Cookie extension
- Print Friendly & PDF: Full compromise
- DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS
- How Amazon Assistant lets Amazon track your every move on the web
2020
- How anti-fingerprinting extensions tend to make fingerprinting easier
- Adding DKIM support to OpenSMTPD with custom filters
- What would you risk for free Honey?
- Dismantling BullGuard Antivirus’ online protection
- Exploiting Bitdefender Antivirus: RCE from any website
- Does Signal’s “secure value recovery” really work?
- What data does Xiaomi collect about you?
- Are Xiaomi browsers spyware? Yes, they are…
- Yahoo! and AOL: Where two-factor authentication makes your account less secure
- PSA: jQuery is bad for the security of your project
- McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges
- Insights from Avast/Jumpshot data: Pitfalls of data anonymization
- Avast’s broken data anonymization approach
- Pwning Avast Secure Browser for fun and profit
- Avast complies to respect users’ privacy
2019
- Problematic monetization in security products, Avira edition
- Rendering McAfee web protection ineffective
- More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links
- Assorted Kaspersky vulnerabilities
- Internal Kaspersky API exposed to websites
- Kaspersky: The art of keeping your keys under the door mat
- Avast Online Security and Avast Secure Browser are spying on you
- PfP: Pain-free Passwords security review
- State of the art protection in Chrome Web Store
- Kaspersky in the Middle – what could possibly go wrong?
- Recognizing basic security flaws in local password managers
- Various RememBear security issues
- Bogus security mechanisms: Encrypting localhost traffic
- Should you be concerned about LastPass uploading your passwords to its server?
2018
- BBN challenge resolution: Getting the flag from a browser extension
- If your bug bounty program is private, why do you have it?
- BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension
- Maximizing password manager attack surface: Learning from Kaspersky
- BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page”
- As far as I’m concerned, email signing/encryption is dead
- Should your next web-based login form avoid sending passwords in clear text?
- So Google is now claiming: “no one (including Google) can access your data”
- Keybase: “Our browser extension subverts our encryption, but why should we care?”
- Password managers: Please make sure AutoFill is secure!
- FTAPI SecuTransfer – the secure alternative to emails? Not quite…
- Is your LastPass data really safe in the encrypted online vault?
- Ryzom falling: Remote code execution via the in-game browser
- The ticking time bomb: Fake ad blockers in Chrome Web Store
- The Firefox Accounts authentication zoo
- Can Chrome Sync or Firefox Sync be trusted with sensitive data?
- Master password in Firefox or Thunderbird? Do not bother!
- Implementing safe sync functionality in a server-less extension
- Easy Passwords is now PfP: Pain-free Passwords
- News flash: encrypted.google.com is not special in any way
2017
- On Web Extensions shortcomings and their impact on add-on security
- Observations on managed bug bounty programs
- Revisiting permission prompt for Firefox extensions
- How bad is a buffer overflow in an Emscripten-compiled application?
- LastPass: Security done wrong
2016
- Implementing efficient PBKDF2 for the browser
- More Last Pass security vulnerabilities
- Easy Passwords moving forward – filling in user names
- Why Mozilla shouldn’t copy Chrome’s permission prompt for extensions
- Underestimated issue: Hashing passwords without salts
- Security considerations for password generators
- Why you should go with “secure by default” for your web application
2015
2014
- Please don’t use externally hosted JavaScript libraries
- Third-party JavaScript – more critical than ever
- Proxies breaking up SSL connections? Yes, all the time…
- Enforcing HTTPS connections on websites
- Extension security and add-on stores
2011
2010
- Finding security issues in a website (or: How to get paid by Google)
- One way to get outdated plugins on your computer
- The new browser security landscape
2009
- AMO getting serious about add-on security
- Getting rid of Flash cookies
- Five wrong reasons to use eval() in an extension
- Vulnerable extensions survey
- Displaying web content in an extension – without security issues
- Deobfuscating JavaScript
2008
2007
- Predictable whitelists strike again
- The hazards of MIME sniffing
- Legal implications of security research
- Usability vs. Security
- Blacklists, whitelists, and security
- Running a web server is dangerous
- Speaking of IE security…
- AMO moving into the right direction
- Firefox security: the real picture