Stealing Usernames, Passwords, and other (Personal) Data via Browsers and NPM Packages

👋 This post also got published on Medium. If you like it, please give it some love (a clap) over there. Late 2016, Stoyan Stefanov published “Oversharing with the browser’s autofill”. It’s an article on stealing personal data using the browser’s form autofill feature. The attack works by abusing the fact that autocompletion […]

Stealing your browser history with the W3C Ambient Light Sensor API

A few years ago window.getComputedStyle and the like were adjusted to return the default color of links, instead of the actual color on screen. Security and privacy were the driving factors behind that decision: by styling :visited links with a different color than their non-visited counterparts, a hacker could easily determine which sites a user […]

favicon.ico and redirect links as a privacy leak

Without your consent, most major web platforms leak whether you are logged in. This allows any website to detect which platforms you’re signed up on. Since there are lots of platforms with specific demographics, an attacker could reason about your personality, too. The attack works by loading a website’s redirect script, with its favicon […]

How you can use Facebook to track your friends’ sleeping habits

"lastActiveTimes": { "3443534": 1456065265, "675631492": 1456066386, "8657643": 1456062331, "255277634": 1456052450, "6423324": 1456065173, "235323452": 1456065096, "3265233223": 1456066381, "2432885644": 1456064016, "7464340313": 1456062500 } In the HTML source code of Messenger.com you can find an object containing user ids associated with timestamps of last activity, as shown above. Given this, it’s really easy to scrape and combine this […]

Your Face is Big Data

Interesting project by Russian photographer Egor Tsvetkov, in which he took photos of random, anonymous people riding the subway and then ran them through a face recognition app named FindFace. The result: 70% of those photographed could be linked to one or more of their social network profiles, thus un-anonymizing them. End of anonymity: Identification of […]

Collusion – See who’s tracking you online

Collusion is an experimental add-on for Firefox that allows you to see all the third parties that are tracking your movements across the Web. It will show, in real time, how that data creates a spider-web of interaction between companies and other trackers. A neat demo/data visualization is also available, in case you don’t want to […]

Google Drive’s Privacy Policy

Google Drive’s Privacy Policy compared to the other players out there. In short, Google is giving itself all the permissions it could possibly need to run all of Google services, with the specific limitations that it doesn’t own anything you upload and it can’t use your data beyond running its services. Also: Dropbox’s language is […]