"Rosetta Flash" attack leverages JSONP callbacks to steal cookies!

Submitted by newfurniturey
newfurniturey (3524449) writes "A new Flash and JSONP attack combination has been revealed to the public today, dubbed the "Rosetta Flash" attack.

JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the "Rosetta Stone" attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the site being targeted, bypassing all Same-Origin policies in place.

Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack; however, several were patched prior to the public release and Tumblr patched within hours of the release."

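As an added illustration (not from the submission or the research it links to), here is a minimal JSONP responder in Python that reflects the callback verbatim, beside one hardened with commonly used mitigations: a callback allowlist, rejection of names that begin with the SWF magic bytes, and a `/**/` prefix so the reflected name never sits at the start of the response. The function names, the allowlist regex and the sample payload are assumptions for this example.

```python
import json
import re

# Allowlist for callback names: identifier characters plus "." for namespaced
# callbacks such as "jQuery.cb". Assumed policy for this example, not any
# affected site's actual rule.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")

# First three bytes of an uncompressed (FWS), zlib (CWS) or LZMA (ZWS) SWF.
# A reflected callback starting with these is the shape Rosetta Flash relies on.
SWF_MAGIC = ("FWS", "CWS", "ZWS")


def body_looks_like_swf(body):
    """True if the response body begins with an SWF header signature."""
    return body[:3] in SWF_MAGIC


def render_jsonp_naive(callback, payload):
    """Unsafe variant: the user-supplied callback is byte 0 of the body."""
    body = callback + "(" + json.dumps(payload) + ");"
    return 200, {"Content-Type": "application/javascript"}, body


def render_jsonp(callback, payload):
    """Hardened variant. Returns (status, headers, body).

    Rejects callbacks outside the allowlist or beginning with SWF magic, and
    prefixes a comment so the reflected name cannot be the file header.
    """
    if not CALLBACK_RE.match(callback) or callback.startswith(SWF_MAGIC):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stops browsers from sniffing the response into another type.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed callback shaped like a Rosetta-style name (not a real SWF).
    crafted = "CWSconstructedCallback"
    print(body_looks_like_swf(render_jsonp_naive(crafted, {"ok": True})[2]))
    print(render_jsonp(crafted, {"ok": True})[0])
    print(render_jsonp("jQuery.cb", {"ok": True})[2])
```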

Comment: Comments based on experience? (Score 0) 516

by newfurniturey (#47154059) Attached to: Microsoft Won't Bring Back the Start Menu Until 2015

When Microsoft first announced Windows 8, the bashing began (as usual and expected). "Metro's bad", "no Start Menu", yada yada.

Now, fast forward to today - Windows 8.1 and still no Start Menu. Is it really that bad? How many users that are commenting here, complaining about it, have actually tried it? Does it truly hinder your ability to use the computer?

I, for one, have not tried Windows 8. Not because I don't like the idea of it but because I'm still on Windows 7 and have no need to actually upgrade yet. However, I have *seen* both PCs and laptops with Windows 8 (neither with touch screen) and it actually looked pretty good. Both switched from the Metro-giant-buttons screen over to the desktop and it looked like a normal computer with a normal version of Windows on it, nothing crazy.

The primary reason I'm not going to issue a complaint about the "no Start Menu" isn't because I haven't actually tried Windows 8 and dislike it, it's because as an actual "power user" of Windows, I don't use the Start Menu that much. WinKey+R to run whatever I need, main apps pinned to the taskbar, "My Computer" / "Documents" icons available on the desktop - everything one double-click away. My Linux boxes are quite similar (except the WinKey+R, of course =P).

Are there any users out there that actually had their "experience" ruined because they didn't have a Start Menu and, if so, why / how?

Comment: Not too convincing... (Score 4, Insightful) 60

by newfurniturey (#47082879) Attached to: Severe Vulnerability At eBay's Website

The linked article has zero information regarding this attack and instead focuses on eBay's attack history; once more, it also links to its own eBay page so +1 for that.

The one hint it does include is a picture and in the picture you can see that the JavaScript is being inserted into the title of the listing (not sure if that's the actual vulnerability or not though). However, as a security researcher, showing a PoC against a large company requires more than a simple alert(1) and instead should use something such as alert(document.domain). The reason for document.domain is because it will show what hostname the JavaScript is executing under - which means everything when it comes to security.

If this is really an XSS hole and eBay comes back with "it's not that bad", there's a good chance that the JavaScript is executing in an iframe on a separate domain which means attackers would not have important access such as a user's cookies / etc. Instead, they'll only be able to execute arbitrary JavaScript (which is bad, but nothing worse than setting up a bad domain and using SEO tricks to drive traffic to it).

Can anyone find a more relevant article that spills out the actual details of this, or maybe one that includes the actual PoC this researcher has created?

Tumblr, joining the ranks with full SSL

Submitted by newfurniturey
newfurniturey (3524449) writes "Hopping on the privacy train, Tumblr now offers opt-in SSL to all users. Their directly-to-the-point Staff post is worded to attract as many users as possible, tech-friendly or not, to the adoption of enabling SSL for the site:

You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard. Just head over to your Account Settings and flip the switch.

"Any reason I shouldn’t do this?" Nope, not really. It doesn’t change anything about the dashboard, it just encrypts your connection to it. We’ve been using it for weeks and haven’t even noticed. So, yeah, turn it on and forget about it. Easy.