Stealing your browser history with the W3C Ambient Light Sensor API

A few years ago window.getComputedStyle and the like were adjusted to return the default color of links instead of the actual color on screen.

Security and privacy were the driving factors behind that decision: by styling :visited links in a different color than their non-visited counterparts, a hacker could easily determine which sites a user had visited by simply checking the color of each link.

// @ref https://dbaron.org/mozilla/visited-privacy
var links = document.links;
for (var i = 0; i < links.length; ++i) {
    var link = links[i];
    if (getComputedStyle(link, "").color == "rgb(0, 0, 128)") {
        // we know link.href has not been visited
    } else {
        // we know link.href has been visited
    }
}

With that hole plugged for quite some time now, Lukasz Olejnik turned to the Ambient Light Sensor API to perform a similar hack:

Since a website can apply different styles to visited and unvisited links, but cannot detect how the links are displayed to the user, we use the sensor to identify its true color:

  1. Set link styles: visited (white), unvisited (black).
  2. Calibrate: display a white background, then follow with a black background to identify the light levels in the user’s environment; this is also possible, but more difficult, if sensor readings fluctuate significantly.
  3. Iterate through a list of links, one by one, displaying each of them in turn as a large rectangle which fills the entire screen. Visited links will show up as white, unvisited as black.
  4. Log the light levels in response to displaying each link, identifying its color. Since we calibrated the screen in step #2, we know which color each reading represents.

At the end the attacker obtains a list of links for which the screen was white and knows that the user had previously visited the given pages.

Using the same technique it's also possible to read out QR codes.

Stealing sensitive browser data with the W3C Ambient Light Sensor API →

Ticket Trick: Hacking companies through their helpdesk

A clever way, unearthed by Inti de Ceukelaire, to get access to private communication channels (such as Slack) by leveraging the create-by-email feature of a company's issue tracker or helpdesk.

Inti's first target was GitLab's Slack channel:

Anyone with a valid @gitlab.com e-mail address can join their Slack team. At the same time, GitLab offers a feature to create issues by e-mail by sending them to a unique @gitlab.com e-mail address.

I tried to join their Slack team using this issue-creating e-mail address, just to see what would happen. I then refreshed my issue list and saw the verification e-mails added as an issue to my project:

The freshly added issue contained the magic link needed to join their internal Slack team. I clicked the link to see if it’d actually work — and it did. I was greeted by the list of channels I was able to join.

From there on it's only a small step to dig through the chat history and discover links, usernames, passwords and the like.

The fix is to give your app users e-mail addresses on a domain different from your main one (*). Additionally, verify all e-mail addresses used to sign up.

How I hacked hundreds of companies through their helpdesk →

(*) The same goes for user-hosted content, hence why GitHub switched from username.github.com to username.github.io domains a few years ago.

DolphinAttack: Hacking Voice Assistants with Inaudible Voice Commands

About a year ago it came to my attention that voice assistants such as Siri can lead to easily exploitable security issues. As voice assistants are not aware who is talking to them, it doesn’t matter if it’s you or your neighbour shouting “Unlock the door” at ‘m …

Now a team from Zhejiang University has taken it to another level by sending out voice commands at frequencies above the 20 kHz limit of human hearing:

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

With only $3 worth of hardware one can build such a converter oneself.

A Simple Design Flaw Makes It Astoundingly Easy To Hack Siri And Alexa →

The flex-grow: 9999; hack


Imagine a flex container (display: flex) with two flex items in a row (flex-direction: row). Item A on the left, and item B on the right. I would like the flex items to be stacked on top of each other when necessary. Item B has to jump onto the second line, if there’s not enough space for it to be at least 20 ems wide.

Now comes the tricky part. I want item A to stretch to the entire width of the container, only if the items are wrapped into multiple lines.

The – clever! – trick to get this working is to allow both items to flex-grow, but to give item B a ridiculously high value (viz. flex-grow: 9999;).

The flex-grow: 9999; hack →

Super Mario World Flappy Bird

Remember that Super Mario World “Credits Warp”? The guy’s back, and this time he has injected the source code of Flappy Bird into Super Mario World by just playing the game:

Using various Super Mario World glitches, I injected the code for Flappy Bird

(again via Freek)

Super Mario World “Credits Warp”

Fascinating trick in which one actually reprograms Super Mario World just by playing it, making it start playing the end credits upon triggering a crash:

The goal of this run is to trick the game into playing the credits in the first level. It works by using a glitch to allow Yoshi to eat a Chuck, which you cannot normally do. This executes improper code and usually crashes the game. The memory addresses read during the crash can be manipulated. By spawning a P-switch in a certain order and placing it at a pixel-perfect position, as well as despawning two block break sprites at a mostly pixel-perfect height, the game reads the x/y position of the sprite slots as though they were code instead of executing random code and crashing. The shells at the start of the level are spawned in these sprite slots and placed at pixel-perfect positions which, when read as code, call the credits.

A much shorter run, but without any explanation, is also available.

(via Freek)

SkyJack: autonomous drone hacking

SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take over other drones within wifi distance, creating an army of zombie drones under your control.

By Samy (yes, the Samy – author of the MySpace Samy Worm and Evercookie)

Flying hacker contraption hunts other drones, turns them into zombies →