Long overdue: HTTPS for the App Store

In early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. In early March Apple finally issued a fix for it and turned on HTTPS for the App Store. I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users. This post discusses the vulnerabilities […]

Sandboxed iframes

<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="https://platform.twitter.com/widgets/tweet_button.html" style="border: 0; width:130px; height:20px;"></iframe>

The sandbox attribute of the iframe element allows us to tighten the restrictions on framed content. We can instruct the browser to load a specific frame’s content in a low-privilege environment, allowing only the subset of capabilities necessary to do whatever work needs doing. Play […]
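The tweet-button iframe above grants both allow-scripts and allow-same-origin, which is the one combination the HTML spec warns about: if the framed document ends up same-origin with the embedder, its scripts can simply remove the sandbox attribute from the frame and escape every other restriction. Below is an added example (my own code, not from the original post) that scans raw HTML for iframe tags and reports frames with no sandbox at all, unrecognised tokens (browsers silently ignore them, so a typo means a silently weaker policy), the allow-scripts + allow-same-origin combination, and allow-top-navigation. The KNOWN_TOKENS list is the set of sandbox keywords I know the spec defines; the HTML snippet is constructed for the example and the second frame is deliberately minimal (a bare sandbox attribute means every restriction applies).

```javascript
// Added example: audit <iframe sandbox="..."> policies in raw HTML.
// Regex-based on purpose so it runs under plain Node with no DOM.

// Sandbox keywords defined by the HTML spec (assumption: my list, not the page's).
const KNOWN_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// Constructed sample page: the tweet button from the post, a fully locked-down
// ad frame, an unsandboxed widget, and a frame that may navigate the top page.
const SAMPLE_HTML = `
<iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src="https://platform.twitter.com/widgets/tweet_button.html"></iframe>
<iframe sandbox src="https://ads.example/banner.html"></iframe>
<iframe src="https://third-party.example/widget.html"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src="https://third-party.example/widget.html"></iframe>
`;

// Pull every <iframe ...> start tag and read its src and sandbox attributes.
// tokens === null means the attribute is absent; [] means a bare "sandbox".
function extractIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const sb = /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(tag);
    const src = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    let tokens = null;
    if (sb) {
      const value = sb[1] ?? sb[2] ?? sb[3] ?? '';
      tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
    }
    return { src: src ? (src[1] ?? src[2]) : null, tokens };
  });
}

// Return a list of human-readable findings for one frame.
function auditIframe(frame) {
  const findings = [];
  if (frame.tokens === null) {
    findings.push('no sandbox attribute: framed content runs with full privileges');
    return findings;
  }
  const t = new Set(frame.tokens);
  for (const tok of t) {
    if (!KNOWN_TOKENS.has(tok)) findings.push(`unknown token ignored by browsers: ${tok}`);
  }
  if (t.has('allow-scripts') && t.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: same-origin content can remove the sandbox');
  }
  if (t.has('allow-top-navigation')) {
    findings.push('allow-top-navigation: frame can navigate the top-level page');
  }
  return findings;
}

// Audit every iframe in a page and attach findings to each.
function auditHtml(html) {
  return extractIframes(html).map((f) => ({ src: f.src, tokens: f.tokens, findings: auditIframe(f) }));
}

console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
```

Run it with `node` and the first frame is flagged for the scripts + same-origin combination, the bare-sandbox ad frame passes clean, the third frame is reported as unsandboxed, and the last one for top-navigation. For a frame that really needs scripts, dropping allow-same-origin puts it in a unique opaque origin, which is what keeps the sandbox tamper-proof; the trade-off is that the framed page then cannot read its own origin's cookies or storage.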

Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Mat Honan, whose digital life was destroyed this summer, on passwords: The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on […]

How Apple and Amazon Security Flaws Led to My Epic Hacking

Mat Honan’s digital life was destroyed: his Google account, Twitter account, Apple account, … all were gone. Along with that, all of his iDevices were remotely wiped by the hackers. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Information […]

Facebook flaw allows access to private photos

Looks like the newly appointed Facebook Chief Privacy Officers have some explaining to do: Users are able to report “inappropriate profile photos” on a user’s profile. By checking the box “nudity or pornography”, the user is granted an opportunity to help Facebook “take action by selecting additional photos to include with your report”. Facebook will […]