~lobsters | Bookmarks (160)

clear filters

GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

github.com

security
2
so i guess i hacked samsung?!

crimew.gay

bug bounty cloud infosec jenkins leak
1
Attacker Techniques: Gesture Jacking

textslashplain.com

A few years back, I wrote a short explainer about User Gestures, a web platform concept...
A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in that post, gestures are a weak primitive — while checking whether t...

security web
2
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

openwall.com

security
4
False security: Dashy's client-side authentication

subract.dev

Update 3/28: The devs have announced that the auth system is to be deprecated. See details...
Update 3/28: The devs have announced that the auth system is to be deprecated. See details below.About a month ago, I went looking for a dashboard for my homelab—something to help visualize the services I run. I found Dashy, a popular (14.6k GitHub stars) dashboard designed for self-hosters. I deployed it and starte...

security
1
Introducing Ruzzy, a coverage-guided Ruby fuzzer

trailofbits.com

By Matt Schwager Trail of Bits is excited to introduce Ruzzy, a coverage-guided fuzzer for pure...
By Matt Schwager Trail of Bits is excited to introduce Ruzzy, a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. Fuzzing helps find bugs in software that processes untrusted input. In pure Ruby, these bugs may result in unexpected exceptions that could lead to denial of service, and in Ruby C extensi...

ruby security testing
3
Matter and Privacy

seancoates.com

privacy security
2
Flatpak Permission Survey | Eric Anderson

ersoft.org

When working through yesterday’s post, half-way through I found the 2020 flatkill.org post and the TheEvilSkeleton...
When working through yesterday’s post, half-way through I found the 2020 flatkill.org post and the TheEvilSkeleton response. The response was early 2021 and felt hopeful for the future. One very different take is they were both focused on popular applications. I was focused more on productivity applications and thos...

security
1
Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques

pwning.tech

cve-2024-1086 dirty pagedirectory dirty pagetable kernelctf linux
2
How secure are passwords stored in Chrome or Firefox? | Lobsters

lobste.rs

(I thought I’d ask here rather than stackoverflow or reddit because I trust people here more,...
(I thought I’d ask here rather than stackoverflow or reddit because I trust people here more, but I don’t know if this takes the community in an unwanted direction) My main browser has been Chrome ever since they released that video showing how fast it was (https://www.youtube.com/watch?v=nCgQDjiotG0) (GOD THAT WAS 14 YEARS AGO). In a sudden bout of paranoia I decided to go back...

ask security
1
Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own

bleepingcomputer.com

Mozilla has released security updates to fix two zero-day vulnerabilities in the Firefox web browser exploited...
Mozilla has released security updates to fix two zero-day vulnerabilities in the Firefox web browser exploited during the Pwn2Own Vancouver 2024 hacking competition. Manfred Paul (@_manfp) earned a $100,000 award and 10 Master of Pwn points after exploiting an out-of-bounds (OOB) write flaw (CVE-2024-29943) to gain ...

browsers firefox mozilla pwn2own security
1
GoFetch: Breaking Constant-Time Cryptographic Implementations Using Data Memory-Dependent Prefetchers

gofetch.fail

mac security
1
Unpatchable vulnerability in Apple chip leaks secret encryption keys

arstechnica.com

hardware security
2
Arch Linux minimal container userland 100% reproducible - now what? - Arch-dev-public - lists.archlinux.org

archlinux.org

hello, in last week's email to the reproducible-builds email list[1] about reproducible Arch Linux I mentioned...
hello, in last week's email to the reproducible-builds email list[1] about reproducible Arch Linux I mentioned there's only one unreproducible package left in docker.io/library/archlinux. [1]: https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003291... Due to amazing work by dvzrv and Foxboron th...

linux security
2
More thoughts on vulnerabilities and misaligned incentives

yossarian.net

programming security
1
lcl.host: fast, easy HTTPS in your local dev environment

anchor.dev

security web
2
Read code like a pro with our weAudit VSCode extension

trailofbits.com

practices security
1
Attesting to the TPM’s Firmware

dlp.rip

Murphy’s Law says: Anything that can go wrong will go wrong. Unfortunately, TPMs fall into the...
Murphy’s Law says: Anything that can go wrong will go wrong. Unfortunately, TPMs fall into the category of “anything.” You can usually tell embedded security people apart from not-embedded security people, because the not-embedded security people will say things like “this is secure because the hardware does it for ...

hardware security
1
Guess Who's Back? Exodus Scam BitCoin Wallet Snap!

popey.com

linux security
1
Gaining kernel code execution on an MTE-enabled Pixel 8

github.blog

android security
2
Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC as Example

tsmr.eu

IT Security student and wannabe Rustacean. This is the HTML version of my term paper which...
IT Security student and wannabe Rustacean. This is the HTML version of my term paper which can be downloaded as PDF here. Introduction Fuzzing has become "one of the most effective ways" of finding bugs in software. With this or similar claims, many current fuzzing-related papers start [google-scholar]. The main goa...

reversing security
1
Moving Forward, Together

chromium.org

browsers security
1
Social Minefield

social-minefield.com

security web
1
Homepage, Claudiu-Vlad Ursache

ursache.io

security
1