About Miki

  • Put.io API design issues - I can haz your files

    August 10, 2015

    Put.io is a great torrent cloud storage service that allows to almost instantly stream videos you download from a Torrent. Their API is pretty powerful, and allows easy integration in software, browser extensions and plugins for multimedia appliances. I was reading its documentation and unfortunately quickly found out that the design was open to sensitive data exfiltration by just making an unsuspecting logged-in user visit a malicious web page. …

  • The power of DNS rebinding: stealing WiFi passwords with a website

    April 20, 2015

    DNS rebinding attacks are known since a long time as useful tools in the hands of attackers for subverting the browser Same-origin policy. The attack abuses DNS, changing the IP address of a website after serving the page contents, usually with some ad-hoc Javascript payload, tricking the browser into waiting some time for the DNS cache to invalidate and perform other requests, still believing it is connecting to the same host, while in reality it is now communicating with a new IP chosen by the attacker. As a result, the attacker can access internal services, exfiltrate information and do other nasty stuff. …

  • Adobe fixed Rosetta Flash today

    August 15, 2014

    Adobe pushed a tentative fix for Rosetta Flash in Flash Player 14 beta codename Lombard (version 14.0.0.125, release notes) and finalized the fix in the next release, version 14.0.0.145, on July 8, 2014. …

  • Abusing JSONP with Rosetta Flash

    July 8, 2014

    In this blog post I present Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is a XSRF bypassing Same Origin Policy. …

  • XSS in Zagat, exploiting a XOR-based obfuscation algorithm

    February 16, 2014

    This is a very interesting vulnerability I internally reported, and is now fixed. I find it interesting because it is not the usual XSS, but it exploits a XOR-based obfuscation algorithm of a user-controlled input. …

  • Mailbox.app Javascript execution

    September 24, 2013

    Mailbox.app is a free email management application for iOS that offers very cool features to achieve Inbox Zero. Mailbox.app up to version 1.6.2 (current version at date, Sept. 25 2013) executes any Javascript which is present in the body of HTML emails. …

  • My experience with Google interviews and why it is different from Facebook's

    September 18, 2013

    Interviewing for a technical job is hard, and companies do not interview candidates the same way. In this post, I would like to express my personal feelings about two interviewing processes in particular: Google and Facebook. …

  • XSRF and Cookie manipulation on google.com

    September 15, 2013

    Here I present a (reported and fixed) XSRF and Cookie manipulation vulnerability I discovered in google.com, requiring no user interaction. It was possible to set arbitrary cookies and tamper with existing ones. …

  • XSS in Google Finance

    July 30, 2013

    Here I present a XSS vulnerability I discovered in google.com, requiring no user interaction. …

  • Stored XSS in GMail

    July 8, 2013

    Here I present a (reported and fixed) Stored XSS vulnerability I discovered in mail.google.com, which required no user interaction. …

  • 1
  • 2
Twitter GitHub