TIP: Enable Two Factor Authentication (2FA) with your NPM account

Since early October it’s possible to enable Two Factor Authentication with your NPM account. 2FA is another layer of defense for your account, preventing third parties from altering your code even if they steal or guess your credentials. This is one of the easiest and most important ways to ensure that only you can access […]

Ticket Trick: Hacking companies through their helpdesk

Clever way, unearthed by Inti de Ceukelaire, to getting access to private communications channels (such as Slack) by leveraging the create-by-email feature of issue trackers/the helpdesk of a company. First target of Init was Gitlab’s Slack channel: Anyone with a valid @gitlab.com e-mail address can join their Slack team. At the same time, GitLab offers […]

DolphinAttack: Hacking Voice Assistants with Inaudible Voice Commands

About a year ago it came to my attention that voice assistants such as Siri can lead to easily exploitable security issues. As voice assistants are not aware who is talking to them, it doesn’t matter if it’s you or your neighbour shouting “Unlock the door” at ‘m … Now a team from Zhejiang University […]

Keystroke Recognition Using WiFi Signals

We’re all doomed: In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types […]

Google Chrome, Firefox Address Bar Spoofing Vulnerability

Turns out one single right-to-left character in a URL can make the omnibox (Address Bar) freak out, and render it wrongly: Placing neutral characters such as “/”, “ا” in filepath causes the URL to be flipped and displayed from Right To Left. In order for the URL to be spoofed the URL must begin with […]

PHP HTTP Public-Key-Pinning Builder

HTTP Public-Key-Pinning Builder aims to make it easy to build HTTP Public-Key-Pinning headers in your PHP projects. As so: <?php use \ParagonIE\HPKPBuilder\HPKPBuilder; $hpkp = HPKPBuilder::fromFile('/path/to/source.json'); $hpkp->sendHPKPHeader(); { "hashes": [ { "algo": "sha256", "hash": "hwGEkxDWJ2oHtKv6lsvylKvhotXAAZQR1e0nq0eb2Vw=" }, { "algo": "sha256", "hash": "0jum0Eiu4Eg6vjn3zTmyd/RobfN6e4EagFQcz6E5ZKI=" } ], "include-subdomains": false, "max-age": 5184000, "report-only": false, "report-uri": null } HTTP Public-Key-Pinning Builder →HTTP […]

WordPress 4.2 Stored XSS

Earlier this week WordPress 4.1.3. It fixed an XSS exploit discovered by a former student of mine. This week a new exploit – even in the new WordPress versions, including 4.2 – was uncovered. Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. If triggered […]


Run a free test of a website’s HTTP headers and learn how it performs from a security perspective! Checks for the following headers and their values: Access Control Allow Origin Content Security Policy Cross Domain Meta Policy NoSniff Server Information Strict Transport Security UTF-8 Character Encoding X-Frame-Options X-Powered-By X-XSS-Protection SecurityHeaders.com →