-
Put.io API design issues - I can haz your files
August 10, 2015
Put.io is a great torrent cloud storage service that lets you stream videos you download from a torrent almost instantly. Its API is pretty powerful and allows easy integration into software, browser extensions and plugins for multimedia appliances. I was reading its documentation and unfortunately quickly found out that the design was open to sensitive data exfiltration by just making an unsuspecting logged-in user visit a malicious web page. …
-
The power of DNS rebinding: stealing WiFi passwords with a website
April 20, 2015
DNS rebinding attacks have long been known as useful tools in the hands of attackers for subverting the browser's Same-origin policy. The attack abuses DNS by changing the IP address of a website after the page contents have been served, usually together with an ad-hoc JavaScript payload that waits for the browser's DNS cache entry to expire and then performs further requests; the browser still believes it is connecting to the same host, while in reality it is now communicating with a new IP chosen by the attacker. As a result, the attacker can access internal services, exfiltrate information and do other nasty stuff. …
-
Adobe fixed Rosetta Flash today
August 15, 2014
Adobe pushed a tentative fix for Rosetta Flash in Flash Player 14 beta codename Lombard (version 14.0.0.125, release notes) and finalized the fix in the next release, version 14.0.0.145, on July 8, 2014. …
-
Abusing JSONP with Rosetta Flash
July 8, 2014
In this blog post I present Rosetta Flash, a tool for converting any SWF file into one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is an XSRF that bypasses the Same-Origin Policy. …
-
XSS in Zagat, exploiting a XOR-based obfuscation algorithm
February 16, 2014
This is a very interesting vulnerability I internally reported, and it is now fixed. I find it interesting because it is not the usual XSS: it exploits an XOR-based obfuscation algorithm applied to a user-controlled input. …
-
Mailbox.app Javascript execution
September 24, 2013
Mailbox.app is a free email management application for iOS that offers very cool features to achieve Inbox Zero. Mailbox.app up to version 1.6.2 (the current version as of Sept. 25, 2013) executes any JavaScript present in the body of HTML emails. …
-
My experience with Google interviews and why it is different from Facebook's
September 18, 2013
Interviewing for a technical job is hard, and companies do not interview candidates the same way. In this post, I would like to express my personal feelings about two interviewing processes in particular: Google and Facebook. …
-
XSRF and Cookie manipulation on google.com
September 15, 2013
Here I present a (reported and fixed) XSRF and Cookie manipulation vulnerability I discovered in google.com, requiring no user interaction. It was possible to set arbitrary cookies and tamper with existing ones. …
-
XSS in Google Finance
July 30, 2013
Here I present an XSS vulnerability I discovered in google.com, requiring no user interaction. …
-
Stored XSS in GMail
July 8, 2013
Here I present a (reported and fixed) Stored XSS vulnerability I discovered in mail.google.com, which required no user interaction. …