Warning: Do not accept plain user IDs, such as those you can get with the GoogleUser.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.

It would have been fantastic to eschew this ridiculousness, because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand.

a class of attacks that were enabled by Privacy Badger’s learning. Essentially, since Privacy Badger adapts its behavior based on the way that sites you visit behave, a dedicated attacker could manipulate the way Privacy Badger acts: what it blocks and what it allows. In theory, this can be used to identify users (a form of fingerprinting) or to extract some kinds of information from the pages they visit

Using an implicit intent to start a service is a security hazard because you can't be certain what service will respond to the intent, and the user can't see which service starts. Beginning with Android 5.0 (API level 21), the system throws an exception if you call bindService() with an implicit intent.

My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.

JSONP is a relic of the past and shouldn’t be used due to numerous limitations (e.g., being able to send GET requests only) and many security concerns (e.g., the server can respond with whatever JavaScript code it wants — not necessarily the one we expect — which then has access to everything in the context of the window, including localStorage and cookies).

This is addressing a security issue; and the associated threat model is "as an attacker, I know that you are going to do FROM ubuntu and then RUN apt-get update in your build, so I'm going to trick you into pulling an image that ​_pretents_​ to be the result of ubuntu + apt-get update so that next time you build, you will end up using my fake image as a cache, instead of the legit one." With that in mind, we can start thinking about an alternate solution that doesn't compromise security.

So let's say we pull down evil/foo which is FROM ubuntu followed by RUN apt-get update except with a small surprise included in the image. Subsequent builds using those same commands will be compromised.

More than two billion users exchange an unimaginable volume of end-to-end encrypted messages on WhatsApp each day. And unless an endpoint (phone) is compromised, or those chats are backed-up into accessible cloud platforms, neither owner Facebook nor law enforcement has a copy of those encryption keys.

First, the recognition that sensitive information needs to be transmitted securely over instant messaging platforms plays into the hands of the privacy advocates who are against backdoors in the end-to-end encryption used on WhatsApp, Signal, Wickr, iMessage and others. The core argument from the privacy lobby is that a backdoor will almost certainly be exploited by bad actors. Clearly, the EU (and others) would not risk their own comms with such a vulnerability.

Although WhatsApp has become the messaging platform of choice for many politicians and civil servants worldwide, there have been enough stories of potential vulnerabilities and hacks to spook people into adopting something else.

“End-to-end encryption” sounds nice — but if anyone can get into your phone’s operating system, they will be able to read your messages without having to decrypt them.

This is also useful for anyone that doesn't normally have root access but would like to easily become root on your host.

You see entropy is information leaking. When it comes to passwords (and secure systems in general) you want to leak as little information as possible. Otherwise an attacker has information they can use to their advantage.

The fact is that it doesn’t matter if you can see the threat or not, and it doesn’t matter if the flaw ever leads to a vulnerability. You just always follow the core rules and everything else seems to fall into place.

While KeeFarce is specifically designed to target KeePass password manager, it is possible that developers can create a similar tool that takes advantage of a compromised machine to target virtually every other password manager available today.

KeeFarce obtains passwords by leveraging a technique called DLL (Dynamic Link Library) injection, which allows third-party apps to tamper with the processes of another app by injecting an external DLL code.

The time in which the first string part remains in the clipboard is minimal. It is copied to the clipboard, pasted into the target application and immediately cleared. This process usually takes only a few milliseconds at maximum.

TOTP values can be phished like passwords, though this requires attackers to proxy the credentials in real time