Google Chrome and pre-installed web apps · 2011-11-15 09:47 by Wladimir Palant

Google recently launched a redesigned version of its Web Store where one can install extensions and web apps. One particular feature caught my attention: it marks the extensions that you already have with a check mark. How does the web page know which extensions you have installed?

Read more Comment [11]

Tags:

Details on the resolved Adblock Plus for Chrome security issue · 2011-08-17 12:55 by Wladimir Palant

Adblock Plus 1.1.4 for Google Chrome has been released today and fixes a minor security issue. This blog post provides some details.

Read more Comment

Tags:

Finding security issues in a website (or: How to get paid by Google) · 2010-12-11 01:40 by Wladimir Palant

I received a payment over $2,500 from Google today. Now the conspiracy theorists among you can go off and rant in all forums that Adblock Plus is sponsored by Google and can no longer be trusted. For those of you who are still with me: the money came though Google’s Vulnerability Reward Program. Recently Google extended the scope of the program to web applications. I took up the challenge and sure enough, in a few hours I found four vulnerabilities in various corners of google.com.

Read more Comment [11]

Tags:

The wrong way to deal with privacy concerns · 2010-05-26 14:30 by Wladimir Palant

Generally, I am not the guy to pick on Google. I think that they usually bring out very solid (often brilliant) solutions and do a good job on the privacy front (meaning: far from perfect but significantly better than the competition). All the more surprising was their release of the Google Analytics Opt-out Browser Add-on which doesn’t quite live up to the expected quality.

Read more Comment [11]

Tags:

One way to get outdated plugins on your computer · 2010-01-28 15:45 by Wladimir Palant

Only two days ago I wrote how browser plugins are the biggest security risk today. And yesterday I experienced first-hand how one would get outdated and insecure plugins installed. I installed Lexware Steuer 2009 (for the German readers: yes, that’s the one you get at Aldi and that always gets good marks in software tests). And then Secunia PSI went berserk warning me about various security threats on my computer. Turned out, this application installed without even telling me: Java Runtime Environment 1.6.0 Update 2 (released July 2007, current version is 1.6.0 Update 18), Flash Player ActiveX 9.0.124.0 (released April 2008, current version is 10.0.42.34), MSXML 4.0 SP2 (released June 2003, current version is 4.0 SP3).

Read more Comment [6]

Tags:

The new browser security landscape · 2010-01-26 12:22 by Wladimir Palant

Brian Krebs came across one of those websites throwing a battery of exploits at users and took a close look at its administration page. It lists seven exploits, the two most successful ones being for Adobe Reader and Java, followed by two Internet Explorer exploits. At the far end of the list two Firefox exploits can be found as well. From what I understand, only one Adobe Reader vulnerability was unpatched at that time, all other vulnerabilities have been fixed already. For example, the Java exploit targets a security hole that was closed in December 2008, the exploited Firefox vulnerabilities have been closed in Firefox 1.0.5 and 1.5.0.5 respectively.

Read more Comment [13]

Tags:

Mercurial over HTTPS - ouch, SSL isn't always secure · 2009-11-18 08:43 by Wladimir Palant

I set up my Mercurial server as HTTPS only. The idea behind it was that establishing a secure communication channel outweighs the disadvantages (server load, more traffic and somewhat slower pull operations) for a small server like that. But then I had second thoughts — I am using a StartCom certificate that isn’t yet accepted everywhere, what if somebody cannot pull the repository because of that?

Read more Comment [5]

Tags:

AMO getting serious about add-on security · 2009-11-14 15:36 by Wladimir Palant

Good news: AMO is finally getting serious about improving security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two weeks deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.

Read more Comment [4]

Tags:

Getting rid of Flash cookies · 2009-03-02 12:57 by Wladimir Palant

Pretty much every Flash movie on the web today uses Flash Player’s global storage feature to store data on your disk, similar to regular browser cookies. What makes this feature so problematic is the lack of proper control mechanisms. For example, for browser cookies I selected “Keep until I close Firefox” which makes sure that cookies can be set (no site functionality is broken) but won’t survive too long. But this setting won’t apply to Flash data. Same goes for the Private Browsing mode in Firefox 3.1, it has absolutely no effect on Flash. Note also that Flash data is the same for all browsers and all profiles.

Read more Comment [38]

Tags:

Five wrong reasons to use eval() in an extension · 2009-02-06 13:35 by Wladimir Palant

One of the most overused JavaScript features is the eval() function. I have seen it used in very many extensions but only a few actually had a good reason to use it. So I want to go through all the wrong reasons one would use eval().

Read more Comment [13]

Tags:

Previous