A drunken debugger

Heretek of Silent Signal
Interesting privacy evaluation of Topics API suggesting that privacy toll may be significant. This evaluation is based on a small dataset of browsing histories (n=1027). Do you think the results would hold for realistic datasets? I have some doubts (from experience of work on 200k bigger dataset). However, such evaluations of the privacy-utility tradeoff are unambiguously needed, and good. https://arxiv.org/pdf/2403.19577v1

Electron Userland just released a patch for a code signature bypass in electron-updater for Windows I found a few weeks back (CVE-2024-39698): https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq. I'll likely publish a write-up in the coming weeks, it's a fun one ;-)

[RSS] Inside an IBM/Motorola mainframe controller chip from 1981

http://www.righto.com/2024/07/ibm-3274-keystone-chip.html?m=1
[RSS] Linux Kernel: Vulnerability in the eBPF verifier register limit tracking

https://github.com/google/security-research/security/advisories/GHSA-hfqc-63c7-rj9f
[RSS] Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera (Part 2)

https://claroty.com/team82/research/pivoting-from-wan-to-lan-synology-bc500-ip-camera
At some point in the past I had outlined how "BYOVD protection" is a lie. If you're bringing your own driver, you're an admin. And if you're an admin, you can do what you want.

After much unnecessary delay, here is the second part of my blog series, which dives into the blurry lines between "vulnerable" and "not vulnerable" when it comes to Windows drivers.

TL;DR: In some future version of Windows, we may see "vulnerable driver" being able to be defined in a way that it could be protected against. But in the current world that we live in, BYOVD protection simply makes no sense.

https://vu.ls/blog/byovd-protection-is-a-lie-pt2/

Some great research from Germany. The journalists were able to get a “preview” from a data broker with locations of 11 million German advertising IDs over the period of two months. For free, no questions asked, merely claiming to be interested in buying a subscription.

The dataset appears to be compiled from multiple sources and has some quality issues: some locations are only approximate, occasional wrong timestamps, duplicate entries with different advertising IDs. Yet in many cases it is easily possible to find the person behind the movement profile and to learn details about their lives that definitely weren’t meant to be public knowledge.

That’s your installed apps (or rather advertising SDKs they are built with) selling whatever data they can get to anyone willing to pay. I wish I could recommend disabling GPS and the issue is solved. But even though GPS is the source of the most precise location data, it isn’t the only one. The data broker industry is out of control.

https://netzpolitik.org/2024/databroker-files-firma-verschleudert-36-milliarden-standorte-von-menschen-in-deutschland/

🔴 Check out our presentation at @passthesaltcon:

Path Of rev.ng-ance: From Raw Bytes To CodeQL On Decompiled Code (30 minutes)

https://passthesalt.ubicast.tv/videos/2024-path-of-revng-ance-from-raw-bytes-to-codeql-on-decompiled-code/

[RSS] Reverse-Engineering a Shahed-136 Drone Air Data Computer

https://hackaday.com/2024/07/15/reverse-engineering-a-shahed-136-drone-air-data-computer/
Uncoordinated Vulnerability Disclosure: After more than a decade of CVD, has it benefited vendors or researchers more? Have the number of bugs increased to where vendors simply cannot cope with CVD? @TheDustinChilds has some thoughts - & lots of questions. https://www.zerodayinitiative.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd

[RSS] SSD Advisory – XenForo RCE via CSRF

https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/
Yesterday I wrote a script for cases in which you want to disable a set of heuristics for the current two binaries being diffed, for whatever reason. Here is the example script:

https://github.com/joxeankoret/diaphora/blob/master/doc/examples/hooks/exclude_heuristics.py

I wanted to dedicate a shoutout to viewer Aaron Glaser, who reached out to share that, out of inspiration from our class "Reverse Engineering and Weaponizing XP Solitaire", he built this AWESOME minesweeper solver - Love the use of tkinter w/ Python to get that awesome visual map of the board!

Nothing makes me happier than seeing viewers go out and do great things with what they've learned!

Go check out Aaron's "Minesweeper-Memory-Reader" project for yourself:

https://github.com/AaronCodesPython/Minesweeper-Memory-Reader

And you can find that weaponizing Solitaire course here:

https://github.com/jeFF0Falltrades/Tutorials/tree/master/hacking_weaponizing_solitaire

The best documentation I could find about symbol map files acceptable by #gdb is RFC "IT DEPENDS".

#CunninghamsLaw
i'm excited to share Collateral Damage, a kernel exploit for SystemOS on Xbox One/Series consoles! this initial release is mostly intended for developers, but i hope people will enjoy playing around with it! writeup and more updates in the near future :) https://github.com/exploits-forsale/collateral-damage

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

From the story:

"...an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such as “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

It has been a while since I’ve written about Avast, so today I give you “How insecure is Avast Secure Browser?”

https://palant.info/2024/07/15/how-insecure-is-avast-secure-browser/

Note: This isn’t a vulnerability disclosure, merely an overview of problematic design decisions.

TL;DR from the article: I wouldn’t run Avast Secure Browser on any real operating system, only inside a virtual machine containing no data whatsoever.

Some highlights:

  • Eleven pre-installed browser extensions but only two visible to users.
  • Two extensions unnecessarily relax Content-Security-Policy protection.
  • One of these two extensions also requesting all privileges possible, despite not actually using them.
  • Two extensions accept messages from any other extension and any Avast website, the latter without enforcing HTTPS connections.
  • One of these extensions, Privacy Guard (sic!), will expose information about your browser’s tabs via that messaging interface and provide updates as you browse the web.
  • The “onboarding” experience is designed as an extremely flexible way to nag you into using products that benefit Avast financially.
  • To make this “onboarding” work, the browser exposes internal APIs to a number of Avast domains that a huge number of third parties can put content on. Not only can each of these third parties abuse this access, a single XSS vulnerability will extend the access to any website on the internet (no effective CSP protection).

Enjoy!
