Where Did Software Go Wrong?

Software is broken, but it’s not because of NPM, startups, AI, or venture capitalists. A deep dive into how we think about and produce code, and how our software systems reflect the manic state of the modern world.

Finding secrets by decompiling Python bytecode in public repositories

Cache rules everything around me. pyc files can contain secrets and should not be checked in to source control. Use the standard Python .gitignore.

Open and Shut

I’ve been working on a little toy project called Open and Shut, which enables you to type in Morse code by opening and shutting your laptop lid.

Building a BitTorrent client from the ground up in Go

What is the complete path between visiting thepiratebay and sublimating an mp3 file from thin air? In this post, we’ll implement enough of the BitTorrent protocol to download Debian. Look at the Source code or skip to the last bit.

You're still not anonymous on Looped

Looped fixed the bug from part 1. That’s all they fixed.

You're not anonymous on Looped

Looped knows who you are, and so does anyone who cares to look. Avoid using it unless you understand the risks to your privacy. Read the conclusions.

Detecting incognito mode in Chrome 76 with a timing attack

FileSystem API writes are measurably faster and less noisy in incognito mode, allowing websites to detect incognito visitors by benchmarking their write speed.

Reversing JS Malware From marveloptics.com

The injected script steals checkout form data and sends it to a Chinese-owned domain. But the attackers are really bad at programming.

An Analysis of Cloudflare's Email Address Obfuscation

It’s a hex-encoded string where the first byte (the key) is XORed against each subsequent byte to decrypt the email address. This is not a vulnerability.

Hacking Harvard (and nearly every other college)

Chaining two CSRF attacks and brute forcing the user’s birth date (upper bound = 730 requests) allowed complete account takeover.

Snow Day Calculator XSS

PHP’s type coercion and unescaped use of the page’s snowdays parameter allow injecting arbitrary HTML and JavaScript via a reflected XSS attack.

Stored XSS in Schoology

Schoology blog posts accept a plain HTML document via a TinyMCE editor, which may be injected with arbitrary elements, including iframes and event handlers.

Uncovering a Bug in Cloudflare's Minification Service

A bug in Cloudflare’s Auto Minify service parsed // and /* ... */ within ES6 `template literals` as comments, causing it to truncate lines or entire blocks of code, leading to unpredictable behavior or, in rare cases, a code injection vulnerability.

Bypassing Cert Pinning in the Steam Mobile App

Use apktool and jadx to identify and remove cert pinning code so we can MITM the app to watch its network requests.