security

2023

A year after the disastrous breach, LastPass has not improved September 5
Why browser extension games need access to all websites June 14
Another cluster of potentially malicious Chrome extensions June 8
Introducing PCVARK and their malicious ad blockers June 5
How malicious extensions hide running arbitrary code June 2
More malicious extensions in Chrome Web Store May 31
Malicious code in PDF Toolbox extension May 16
Online Security extension: Destroying privacy for no good reason May 10
Veraport: Inside Korea’s dysfunctional application management March 6
LastPass breach update: The few additional bits of information February 28
South Korea’s banking security: Intermediate conclusions February 20
Weakening TLS protection, South Korean style February 6
Password strength explained January 30
IPinside: Korea’s mandatory spyware January 25
Bitwarden design flaw: Server side iterations January 23
TouchEn nxKey: The keylogging anti-keylogger solution January 9
South Korea’s online security dead end January 2

2022

LastPass breach: The significance of these password iterations December 28
What’s in a PR statement: LastPass breach explained December 26
What data does LastPass encrypt? December 24
LastPass has been breached: What now? December 23
Common pitfalls of breaking up HTTPS connections December 8
When extension pages are web-accessible August 31
Attack surface of extension pages August 24
Impact of extension privileges August 17
Anatomy of a basic extension August 10
Hijacking webcams with Screencastify May 23
Adobe Acrobat hollowing out same-origin policy April 19
Party time: Injecting code into Teleparty extension March 14
Skype extension: All functionality broken? Still exploitable! March 1

2021

How did LastPass master passwords get compromised? December 29
Yes, fun browser extensions can have vulnerabilities too! December 20
Abusing Keepa Price Tracker to track users on Amazon pages October 5
Breaking Custom Cursor to p0wn the web September 28
Having fun with CSS injection in a browser extension June 28
Universal XSS in Ninja Cookie extension May 4
Print Friendly & PDF: Full compromise April 13
DuckDuckGo Privacy Essentials vulnerabilities: Insecure communication and Universal XSS March 15
How Amazon Assistant lets Amazon track your every move on the web March 8

2020

How anti-fingerprinting extensions tend to make fingerprinting easier December 10
Adding DKIM support to OpenSMTPD with custom filters November 9
What would you risk for free Honey? October 28
Dismantling BullGuard Antivirus’ online protection July 6
Exploiting Bitdefender Antivirus: RCE from any website June 22
Does Signal’s “secure value recovery” really work? June 16
What data does Xiaomi collect about you? May 8
Are Xiaomi browsers spyware? Yes, they are… May 4
Yahoo! and AOL: Where two-factor authentication makes your account less secure March 9
PSA: jQuery is bad for the security of your project March 2
McAfee WebAdvisor: From XSS in a sandboxed browser extension to administrator privileges February 25
Insights from Avast/Jumpshot data: Pitfalls of data anonymization February 18
Avast’s broken data anonymization approach January 27
Pwning Avast Secure Browser for fun and profit January 13
Avast complies to respect users’ privacy January 8

2019

Problematic monetization in security products, Avira edition December 11
Rendering McAfee web protection ineffective December 2
More Kaspersky vulnerabilities: uninstalling extensions, user tracking, predictable links November 27
Assorted Kaspersky vulnerabilities November 27
Internal Kaspersky API exposed to websites November 26
Kaspersky: The art of keeping your keys under the door mat November 25
Avast Online Security and Avast Secure Browser are spying on you October 28
PfP: Pain-free Passwords security review September 26
State of the art protection in Chrome Web Store September 9
Kaspersky in the Middle – what could possibly go wrong? August 19
Recognizing basic security flaws in local password managers August 12
Various RememBear security issues July 8
Bogus security mechanisms: Encrypting localhost traffic April 11
Should you be concerned about LastPass uploading your passwords to its server? March 18

2018

BBN challenge resolution: Getting the flag from a browser extension December 17
If your bug bounty program is private, why do you have it? December 10
BBN challenge resolution: Exploiting the Screenshotter.PRO browser extension December 10
Maximizing password manager attack surface: Learning from Kaspersky November 30
BBN challenge resolutions: “A properly secured parameter” and “Exploiting a static page” November 28
As far as I’m concerned, email signing/encryption is dead November 12
Should your next web-based login form avoid sending passwords in clear text? October 25
So Google is now claiming: “no one (including Google) can access your data” October 15
Keybase: “Our browser extension subverts our encryption, but why should we care?” September 6
Password managers: Please make sure AutoFill is secure! August 29
FTAPI SecuTransfer – the secure alternative to emails? Not quite… July 11
Is your LastPass data really safe in the encrypted online vault? July 9
Ryzom falling: Remote code execution via the in-game browser May 18
The ticking time bomb: Fake ad blockers in Chrome Web Store April 18
The Firefox Accounts authentication zoo March 27
Can Chrome Sync or Firefox Sync be trusted with sensitive data? March 13
Master password in Firefox or Thunderbird? Do not bother! March 10
Implementing safe sync functionality in a server-less extension March 8
Easy Passwords is now PfP: Pain-free Passwords February 7
News flash: encrypted.google.com is not special in any way January 13

2017

On Web Extensions shortcomings and their impact on add-on security November 11
Observations on managed bug bounty programs October 4
Revisiting permission prompt for Firefox extensions August 5
How bad is a buffer overflow in an Emscripten-compiled application? April 23
LastPass: Security done wrong March 23

2016

Implementing efficient PBKDF2 for the browser October 25
More Last Pass security vulnerabilities September 16
Easy Passwords moving forward – filling in user names September 5
Why Mozilla shouldn’t copy Chrome’s permission prompt for extensions July 2
Underestimated issue: Hashing passwords without salts May 4
Security considerations for password generators April 20
Why you should go with “secure by default” for your web application March 2

2015

Why you probably want to disable jQuery.parseHTML even though you don’t call it August 30

2014

Please don’t use externally hosted JavaScript libraries June 30
Third-party JavaScript – more critical than ever June 27
Proxies breaking up SSL connections? Yes, all the time… May 27
Enforcing HTTPS connections on websites March 30
Extension security and add-on stores February 25

2011

Google Chrome and pre-installed web apps November 15

2010

Finding security issues in a website (or: How to get paid by Google) December 11
One way to get outdated plugins on your computer January 28
The new browser security landscape January 26

2009

AMO getting serious about add-on security November 14
Getting rid of Flash cookies March 2
Five wrong reasons to use eval() in an extension February 6
Vulnerable extensions survey February 5
Displaying web content in an extension – without security issues January 28
Deobfuscating JavaScript January 12

2008

HTTP Referer header won’t help you with CSRF May 21
Vulnerability or feature? February 6

2007

Predictable whitelists strike again November 5
The hazards of MIME sniffing April 29
Legal implications of security research April 8
Usability vs. Security March 24
Blacklists, whitelists, and security March 15
Running a web server is dangerous January 17
Speaking of IE security… January 12
AMO moving into the right direction January 12
Firefox security: the real picture January 5

2006

No good deed goes unpunished December 3
What happened to the promised spam solution? November 23
“Don’t mail us unless you are in the US” August 6