The security thread
- 39 Responses
- cherub
I'm new to HTML forms, and this is my first time doing backend stuff. I am using a simple HTML form that submits to my action PHP.
Simple question.
What is the general consensus?
Is GET more insecure, or POST?
Why?
- uan: POST doesn't show the data in the URL.
- cherub: ^That's what I read too. And apparently bots can mess with your form if you use GET? Or something like that?
- uan: Bots and humans. You can hack both... you can try SQL commands in the form to hack into the site if you want.
- uan: That's why using the WP default login is a better idea... all the known attacks are covered.
- spot13: Always sanitize your inputs to filter XSS and SQL injection, and use SSL/TLS.
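An added example for this thread (not code from any of the posters above): a PHP form handler that treats GET and POST data as equally untrusted, stops SQL injection with prepared statements rather than "sanitizing", escapes at output time for XSS, and ties the form to a CSRF token. It assumes PHP 7.4+ with pdo_sqlite; the `comments` table, the field names and the hostile sample input are constructed for the demo and stand in for `$_POST` and `$_SESSION`.

```php
<?php
// Added example for this thread (not code from any poster). Assumes PHP 7.4+
// with pdo_sqlite; the "comments" table and field names are made up for the demo.
declare(strict_types=1);

// GET vs POST changes where the data travels, not whether it is trusted.
// Both $_GET and $_POST are attacker-controlled, so validate from either source
// the same way: type, length and encoding, then reject rather than "clean".
function untrusted_field(array $src, string $name, int $maxLen = 1000): string
{
    $v = $src[$name] ?? '';
    if (!is_string($v) || strlen($v) > $maxLen || preg_match('//u', $v) !== 1) {
        throw new InvalidArgumentException("field '$name' rejected");
    }
    return $v;
}

// CSRF: POST alone does not stop a hostile page from submitting your form.
// Tie the submission to a secret the browser only gets from your own page.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_check(array $session, string $submitted): bool
{
    return isset($session['csrf']) && hash_equals($session['csrf'], $submitted);
}

// SQL injection is prevented by parameterised queries, not by filtering input.
function save_comment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// XSS is prevented by escaping at output time for the HTML context being written.
function render_comment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $h($row['author']) . '</b>: ' . $h($row['body']) . '</p>';
}

// --- demo with constructed input standing in for $_POST and $_SESSION ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$session = [];                       // stands in for $_SESSION
$token   = csrf_token($session);     // would be emitted as a hidden <input> in the form
$post    = [                         // stands in for $_POST, with hostile values
    'csrf'   => $token,
    'author' => "Robert'); DROP TABLE comments;--",  // injection attempt
    'body'   => '<script>alert(1)</script>',        // stored-XSS attempt
];

// State-changing handlers should only accept POST; in production also check
// $_SERVER['REQUEST_METHOD'] === 'POST' before this point.
if (!csrf_check($session, untrusted_field($post, 'csrf', 64))) {
    http_response_code(403);
    exit('bad CSRF token');
}
$id = save_comment($pdo, untrusted_field($post, 'author', 80), untrusted_field($post, 'body'));
echo render_comment($pdo, $id), PHP_EOL;
// The table survives the "injection" and the script tag comes out as inert text.
echo (int) $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn(), " comment(s) stored", PHP_EOL;
```

On the actual question: neither method is "more secure" against injection, since the attacker controls both. The practical difference is that GET parameters end up in browser history, bookmarks, server logs and the Referer header sent to other sites, so use GET only for idempotent reads and POST (with a CSRF token) for anything that changes state.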
- sted
Move your private projects out of GitHub; the entire source was leaked, and a breach is expected.
- sted
An unpatched vulnerability in Apple's Safari web browser could be exploited to allow for the transfer of local files from a victim's machine or mobile device. Although Apple requested the researcher to hold off on disclosing the vulnerability, the researcher felt the timeline for a patch was too long. Apple stated it would not release a patch until Spring 2021.

The vulnerability abuses the Web Share API, which allows users to share links from Safari through third-party applications. Using the "file:" scheme, an attacker could pass a link to the navigator.share function containing a file from the user's file system. To perform the attack, a user must be compelled to visit a malicious website and perform actions detailed on that website. The researcher provided a proof-of-concept with an innocuous image file, which he urged visitors to share amongst their friends. Upon pressing the share button, the user is presented with various ways by which to share the image. Should the user choose email, the code, image URL, and an arbitrary file are attached. Additionally, he was able to demonstrate the stealing of the passwd file. In some cases, the victim may not notice the attachment, or the name of the attachment may not be displayed, giving the attacker a slight advantage as the attachment could be out of sight on the victim's screen. The victim would need to scroll down to see the attached file.

This vulnerability affects devices running iOS 13.4.1 and 13.6, macOS Mojave 10.14.16 with Safari 13.1, and macOS Catalina 10.15.5 with Safari 13.1.1. Further details can be found in the links located within the Reference section below.
- grafician: Boring. If there is no RCE, move on. If they want /etc/passwd they could just ask; those are only system users...
- monNom
Do you use 3rd-party/open-source scripts in your website and application builds? Should you trust them?
This guy lays out a shockingly simple method to spread malware and steal user data by taking advantage of developer laziness: offer free open-source plugins, npm dependencies, etc.
- monNom: Related: Hotjar said recently they will stop collecting keystrokes and form-input data in their recordings. I.e., your analytics was/is keylogging your users.
- Gnash
https://www.macrumors.com/2017/1…
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
- sted
Amazon.
Change your passwords on Amazon systems, from all Amazon sites to AWS accounts. No official info yet, but there is a huge database for sale, with AWS security credentials.
- detritus: Ooft, that'll torpedo Bezos massively, if true, especially where AWS is concerned.
- sarahfailin: I just changed it like 2 weeks ago! Is this a separate breach from the big one last month?
- sted: Yes, they released some parts of the DB to prove that it's real.
- robthelad: They can only hack your account *IF* you change your password... dun dun dun
- Bennn
Seriously, I don't care if the gov is spying on my SMS... what I say over there is very uninteresting... like making jokes to my gf, asking her what's for dinner or "want me to buy tickets for this show".
I'm using Signal anyway because I like it.
- Bennn: But I get the point though. I know.
- moldero: http://i.imgur.com/F…
- ETM: What? No sexts? How boring :)
- section_0140
If you're up to some dubious shit, and you're communicating over the web, you're not using WhatsApp or facebook messenger. Unless you're a moron of course.
Serious criminals will be bouncing encrypted messages off of multiple proxies at minimum. Probably with custom software for reading/writing messages.
- Continuity
'WhatsApp backdoor allows snooping on encrypted messages'
- hans_glib: WhatsApp is owned by Facebook; is anyone really surprised?
- Continuity: Oh, no, certainly not surprised. Indeed, this vulnerability has been known for some time, according to the article. This is more of a PSA on my part.
- sted
Adult Friend Finder and others
Sexual secrets for hundreds of millions exposed in largest hack of 2016
Adultfriendfinder.com - 339,774,493 users
Cams.com - 62,668,630 users
Penthouse.com - 7,176,877 users
etc.
Total: 412,214,295 affected users
http://www.techspot.com/news/670…
http://www.theverge.com/2016/11/…
- sted
Spotify is writing massive amounts of junk data to storage drives
http://arstechnica.com/informati…
It's been in the air since the summer, but still nobody knows what data is actually written to the user's disk (as it isn't using that much network traffic). Spotify has now made an official statement (after 4 months).
- face_melter: I read this; it reads/writes so much data it reduces the life of SSDs from years to weeks.
- sted
https://motherboard.vice.com/rea…
:D
Roughly 800,000 accounts of the popular pornography website Brazzers have been leaked to the public after a recent data breach.
- face_melter
I recommend following @SwiftOnSecurity, an entertaining and informative, albeit sometimes jargon-heavy, mix of security news/talk and Taylor Swift.
- Maaku: You got me at "Taylor Swift"
- prophetone: He's my infosec man crush
- sted
Popular BitTorrent client uTorrent's forum, which has over 388,000 registered members and sees tens of thousands of visitors each day, has been hacked.
https://torrentfreak.com/utorren…
It's important to mention that you should never, under any circumstances, register on torrent sites.
- Maaku: I would expect hackers to attack banks, or corporations and stuff... but this is like thieves going after thieves.
- prophetone: ...assuming they're black hat and/or independent
- terry_cloth: It makes perfect sense; it's not like a bunch of content pirates can run to the authorities.
- uan
Being privacy-aware in 2016
https://vox.space/blog/89/being-…
Incredible how much you are supposed to do and be aware of when surfing the web and caring about your privacy. It's good to see competent people caring about it and sharing the knowledge.
- sted
Today is MySpace day:
Hacker Tries To Sell 427 Million Stolen MySpace Passwords For $2,800
- bulletfactory: There are that many MySpace users?
- imbecile: Read the article maybe