Security
Collections
- Risk-Based Authentication using Auth0 Actions and Have I Been Pwned APIs
- SecurityZines - graphical way of learning concepts of Application & Web Security.
- JWT vs. Opaque Tokens - https://news.ycombinator.com/item?id=33018135
- Chromium based browsers leak user local IP via WebRTC foundation attribute
- https://news.ycombinator.com/item?id=33327678
- This can be disabled in Brave by turning "WebRTC IP handling policy" to "Disable non-Proxied UDP" in "settings - > Privacy and Security".
- WebRTC was already known to leak local IP. Which can be dangerous if you're behind a VPN.
- https://news.ycombinator.com/item?id=33327678
- PDF vulnerability
- Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
- Password requirements: myths and madness
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
- RIP, Passwords. Here’s What’s Coming Next.
- Oh-Auth - Abusing OAuth to take over millions of accounts
Not verifying access tokens as required by OAuth specifications allows an attacker to harvest credentials from a malicious site and hijack accounts on other trusted platforms.
- Companies embracing SMS for account logins should be blamed for SIM-swap attacks
- Second Factor SMS: Worse Than Its Reputation - Attackers can intercept SMS one-time passwords through techniques like SIM swapping or exploiting SS7 network vulnerabilities.
- Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks - "Wait, what if the user's email address isn't verified?"
- Don’t Let Your Domain Name Become a “Sitting Duck”
- NIST will standardise prohibition of requirement of composing passwords from various character styles, and requirement for periodic password changes.
- ABC News hacks into popular robot vacuum, watches owner through camera
- Valetudo is a cloud replacement for vacuum robots enabling local-only operation.
- Attacking APIs using JSON Injection
This endpoint had no sanitization on the parameters throughout the processing of the JSON body. Moreover, the library Samsung relied on (json-c) was compiled with
JSON_TOKENER_STRICT=0, which allows for defining strings with both single and double quotes. You can read a great writeup here from Cisco TALOS. This became CVE-2018-3879, and when chained with CVE-2018-3880, had a CVSS rating of 9.9. JSON Injection → SQL Injection → Buffer Overflow → ROP = PWNED - Hundreds of code libraries posted to NPM try to install malware on dev machines
The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21:3001. While the method was likely intended to conceal the source of second-stage infections, it ironically had the effect of leaving a trail of previous addresses the attackers had used in the past.
Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled.
- A phishing attack involving g.co, Google's URL shortener
- Smuggling arbitrary data through an emoji
- https://news.ycombinator.com/item?id=43023508, https://news.hada.io/topic?id=19199
- Unicode 문자열을 수용하는 시스템에서 버퍼 오버플로우를 유발할 수 있음
- LLM 출력 워터마킹에 이 기술을 사용하는 아이디어가 마음에 듦 - 99%의 복사 붙여넣기 생성기를 쉽게 잡아낼 수 있음
- Password policy recommendations for Microsoft 365 passwords > Some common approaches and their negative impacts
A comprehensive guide to the dangers of Regular Expressions in JavaScript
This article explains how certain regex patterns can cause exponential backtracking on long strings, leading to regular expression denial of service (ReDoS) vulnerabilities.
Two real world examples caused major outages at Stack Overflow and CloudFlare due to unintentionally vulnerable regex use.
The article details how issues like excessive use of wildcards, quantifiers and overlapping patterns can cause catastrophic backtracking.
It also offers techniques for testing regex safety and fixing vulnerable patterns, such as limiting matches, using string methods instead of regex, and refactoring nested groups.
Overall, the article effectively raises awareness of the ReDoS threat within seemingly benign regex code.
AI
Memo
- Since it's not been clearly stated: One attack vector might be that I step out to the bathroom for 5 minutes without locking computer, and evil hacker just dumps all my passwords before I come back.
I think it's worthwhile considering this. There's a reason why password managers ask for a master password or passkey after 10 minutes. Since I thought Chrome relied on an encrypted enclave, it isn't quite feasible to extract passwords easily even with root access.
Yes, you shouldn't leave your computer unattended. But that doesn't mean designing products that make exploiting the inevitable slipup fatal. - Microsoft Edge stores all passwords in memory in clear text, even when unused
Children