Password strength explained

The conclusion of my blog posts on the LastPass breach and on Bitwarden’s design flaws is invariably: a strong master password is important. This is especially the case if you are a target somebody would throw considerable resources at. But everyone else might still get targeted … | Continue reading | 5 days ago

IPinside: Korea’s mandatory spyware

Note: This article is also available in Korean. On our tour of South Korea’s so-called security applications we’ve already taken a look at TouchEn nxKey, an application meant to combat keyloggers by … checks notes … making keylogging easier. Today I want to shed some light on anot … | Continue reading | 11 days ago

Bitwarden design flaw: Server side iterations

In the aftermath of the LastPass breach it became increasingly clear that LastPass didn’t protect their users as well as they should have. When people started looking for alternatives, two favorites emerged: 1Password and Bitwarden. But do these do a better job at protecting sens … | Continue reading | 13 days ago

TouchEn nxKey: The keylogging anti-keylogger solution

I wrote about South Korea’s mandatory so-called security applications a week ago. My journey here started with TouchEn nxKey by RaonSecure, which got my attention because the corresponding browser extension has more than 10 million users – the highest number Chrome Web Store will … | Continue reading | 27 days ago

South Korea’s online security dead end

Last September I started investigating a South Korean application with unusually high user numbers. It took me a while to even figure out what it really did, there being close to zero documentation. I eventually realized that the application is riddled with security issues and, d … | Continue reading | 1 month ago

LastPass breach: The significance of these password iterations

LastPass has been breached, data has been stolen. I already pointed out that their official statement is misleading. I also explained that decrypting passwords in the stolen data is possible which doesn’t mean however that everybody is at risk now. For assessing whether you are a … | Continue reading | 1 month ago

What’s in a PR statement: LastPass breach explained

Right before the holiday season, LastPass published an update on their breach. As people have speculated, this timing was likely not coincidental but rather intentional to keep the news coverage low. Security professionals weren’t amused, this holiday season became a very busy ti … | Continue reading | 1 month ago

What data does LastPass encrypt?

A few days ago LastPass admitted that unknown attackers copied their “vault data.” It certainly doesn’t help that LastPass failed to clarify which parts of the vaults are encrypted and which are not. LastPass support adds to the confusion by stating that password notes aren’t enc … | Continue reading | 1 month ago

LastPass has been breached: What now?

If you have a LastPass account you should have received an email updating you on the state of affairs concerning a recent LastPass breach. While this email and the corresponding blog post try to appear transparent, they don’t give you a full picture. In particular, they are rathe … | Continue reading | 1 month ago

Common pitfalls of breaking up HTTPS connections

Let me say it up front: breaking up end-to-end-encrypted HTTPS connections is bad. No matter why you think that you need to inspect and/or modify the contents of an HTTPS connection, please consider not doing it. And if you still think that you absolutely need it, please sit down … | Continue reading | 1 month ago

Scirge: When Your Employer Mandates spyware

The Scirge browser extension allows employers to spy on their employees. To make matters worse, it obfuscates its data transmissions. | Continue reading | 4 months ago

When extension pages are web-accessible

In the article discussing the attack surface of extension pages I said: Websites, malicious or not, cannot usually access extension pages directly however. And then I proceeded talking about extension pages as if this security mechanism were always in place. But that isn’t the ca … | Continue reading | 5 months ago

Attack surface of extension pages

In the previous article we discussed extension privileges. And as we know from another article, extension pages are the extension context with full access to these privileges. So if someone were to attack a browser extension, attempting Remote Code Execution (RCE) in an extension … | Continue reading | 5 months ago

Impact of extension privileges

As we’ve seen in the previous article, a browser extension isn’t very different from a website. It’s all the same HTML pages and JavaScript code. The code executes in the browser’s regular sandbox. So what can websites possibly gain by exploiting vulnerabilities in a browser exte … | Continue reading | 5 months ago

Anatomy of a basic extension

I am starting an article series explaining the basics of browser extension security. It’s meant to provide you with some understanding of the field and serve as a reference for my more specific articles. You can browse the extension-security-basics category to see other published … | Continue reading | 5 months ago

Hijacking webcams with Screencastify

Everyone has received the mails trying to extort money by claiming to have hacked a person’s webcam and recorded a video of them watching porn. These are a bluff of course, but the popular Screencastify browser extension actually provides all the infrastructure necessary for some … | Continue reading | 8 months ago

Adobe Acrobat hollowing out same-origin policy

The Adobe Acrobat extension provided the Adobe website with a way to download data from anywhere. Unsurprisingly, this power could be abused by other websites as well. | Continue reading | 9 months ago

Party time: Injecting code into Teleparty extension

Teleparty, formerly called Netflix Party, is a wildly popular browser extension with at least 10 million users on Google Chrome (likely many more, as Chrome Web Store displays anything beyond 10 million as “10,000,000+”) and 1 million users on Microsoft Edge. It lets peop … | Continue reading | 10 months ago

Skype extension: All functionality broken? Still exploitable!

One of the most popular Chrome extensions is Skype, a browser extension designed as a helper for the Skype application. Back when I reported the issues discussed here it was listed in Chrome Web Store with more than 10 million users, at the time of writing more than 9 million use … | Continue reading | 11 months ago

Writing my own build system: Coupling gulp concepts with modern JavaScript

I’ve been using gulp.js as the build system of choice for my browser extensions for a while. Last week I suddenly felt an urge to develop something better, and now I have PfP being built by my very own build system. Did I suddenly succumb to the NIH syndrome? Well, I believe that … | Continue reading | 12 months ago

Abusing Keepa Price Tracker to track users on Amazon pages

Two critical vulnerabilities affected users of the Keepa extension, exposing them to tracking of their Amazon shopping and even data leaks. | Continue reading | 1 year ago

Pitfalls of Data Anonymization

Analyzing a sample of Jumpshot data confirms the suspicion that Avast did indeed sell personally identifiable data of their users, lots of it. | Continue reading | 1 year ago

Data Exfiltration in Keepa Price Tracker for Amazon

The Keepa browser extension collects detailed data about your Amazon visits despite claiming otherwise in the privacy policy. It will also actively use your bandwidth to scrape the Amazon website. | Continue reading | 1 year ago

Follow-up on Amazon Assistant's data collection

A closer look at Amazon Assistant’s TitanClient component, charged with data collection. Lots of data being collected here, on Google Search and various web shops. | Continue reading | 1 year ago

DuckDuckGo Privacy Essentials Vulnerabilities

Insecure internal communication in DuckDuckGo Privacy Essentials leaked some info across domains, and an XSS vulnerability was exploitable by its server. | Continue reading | 1 year ago

Master password in Firefox or Thunderbird? Do not bother (2018)

There is a weakness common to any software letting you protect a piece of data with a password: how does that password translate into an encryption key? If that conversion is a fast one, then you had better not expect the encryption to hold. Somebody who gets hold of that encrypted … | Continue reading | 1 year ago

What would you risk for free Honey?

The Honey browser extension allows its server to run arbitrary code on any website, via at least four different mechanisms and obfuscating the code being loaded. | Continue reading | 1 year ago

Setup for testing Android app vulnerabilities

Documenting my setup: Android emulator, minimal Android app and instrumenting the target app via Soot to get debugging info. | Continue reading | 1 year ago

Are Xiaomi browsers spyware? Yes, they are (2020)

Xiaomi browsers collect not merely your browsing history but also searches, downloads, YouTube videos watched and much more. | Continue reading | 1 year ago

Anti-fingerprinting extensions tend to make fingerprinting easier

Browser extensions claiming to protect against fingerprinting will typically result in more data available for fingerprinting. | Continue reading | 2 years ago

A grim outlook on the future of browser add-ons

Mozilla limiting users’ choice to 9 add-ons on mobile is only the latest development. Add-on support is degrading across all browsers and will continue to do so. | Continue reading | 2 years ago

Exploiting Bitdefender Antivirus: RCE from any website

A vulnerability in Bitdefender Antivirus allowed any website to run arbitrary code with the user's privileges. This was caused by issues very similar to ones found in other antivirus products before. | Continue reading | 2 years ago