Mastodon

Security

A 407-post collection

How Spoutible’s Leaky API Spurted out a Deluge of Personal Data

Ever hear one of those stories where as it unravels, you lean in ever closer and mutter “No way! No way! NO WAY!” This one, as far as infosec stories go, had me leaning and muttering like never before. Here goes: Last week, someone reached out to me with what they claimed was a Spoutible data breach obtained by exploiting an enumerable API. Just your classic case of putting someone else's username in the URL and getting back data about them, which at first glance I assumed was another scraping...

Safe, Secure, Anonymous, and Other Misleading Claims

Imagine you wanted to buy some shit on the internet. Not the metaphorical kind in terms of "I bought some random shit online", but literal shit. Turds. Faeces. The kind of thing you never would have thought possible to buy online until... Shitexpress came along. Here's a service that enables you to send an actual piece of smelly shit to "An irritating colleague. School teacher. Your ex-wife. Filthy boss. Jealous neighbour. That successful former classmate. Or all those pesky haters." But it woul...

Join my Twitter Subscription for the Inside Word on Data Breaches

I want to try something new here - bear with me here: Data breach processing is hard and the hardest part of all is getting in touch with organisations and disclosing the incident before I load anything into Have I Been Pwned (HIBP). It's also something I do almost entirely in isolation, sitting here on my own trying to put the pieces together to work out what happened. I don't want to just chuck data into HIBP and the first an organisation knows about it is angry customers smashing out their i...

Down the Cloudflare / Stripe / OWASP Rabbit Hole: A Tale of 6 Rabbits Deep 🐰 🐰 🐰 🐰 🐰 🐰

I found myself going down a previously unexplored rabbit hole recently, or more specifically, what I thought was "a" rabbit hole but in actual fact was an ever-expanding series of them that led me to what I refer to in the title of this post as "6 rabbits deep". It's a tale of firewalls, APIs and sifting through layers and layers of different services to sniff out the root cause of something that seemed very benign, but actually turned out to be highly impactful. Let's go find the rabbits! The...

Breach Disclosure Blow-by-Blow: Here's Why It's so Hard

For many years now, I've lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It's by far the single most time-consuming activity in processing breaches for Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and frankly, it's about the most thankless task I can imagine. Finding contact details is hard. Getting responses is hard. Not having an organisation just automatically assume you're trying to shake them down for cash is hard. So hard, i...

How Everything We're Told About Website Identity Assurance is Wrong

I have a vehement dislike for misleading advertising. We see it every day; weight loss pills, make money fast schemes and if you travel in the same circles I do, claims that extended validation (EV) certificates actually do something useful: > Why are you still claiming this @digicert [https://twitter.com/digicert?ref_src=twsrc%5Etfw]? This is extremely misleading, anyone feel like reporting this to the relevant advertising standards authority in their jurisdiction? https://t.co/enzJUodhdG pic...

Beg Bounties

When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago [https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/] , I had a nightmare of a time getting in touch with the company. They'd left a MongoDB instance exposed to the public without a password and someone had snagged all their data. Within the data were references that granted access to voice recordings made by children, stored in an...

You Don't Need to Burn off Your Fingertips (and Other Biometric Authentication Myths)

111 years ago almost to the day, a murder was committed which ultimately led to the first criminal trial to use fingerprints as evidence [https://www.smithsonianmag.com/history/first-case-where-fingerprints-were-used-evidence-180970883/] . We've all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people have ever been found to have a matching set [https://www.healthline.com/health/do-identical-twins-have-the-same-fing...

Hello CISO - Brought to You in Collaboration with 1Password

Today I'm really excited to announce a big piece of work 1Password and I have been focusing on this year, a totally free video series called "Hello CISO". This is a multi-part series that launched with part 1 and when I say "free", I don't mean "give us your personal data so we can market to you", I mean here it is, properly free: This is intended to be a very practical, broadly accessible series and whilst it has "CISO" in the title, we expect it'll be relevant well beyond the pointy end of th...

Why No HTTPS? The 2021 Version

More than 3 years ago now, Scott Helme [https://scotthelme.co.uk/] and I launched a little project called Why No HTTPS? [https://www.troyhunt.com/why-no-https-heres-the-worlds-largest-websites-not-redirecting-insecure-requests/] It listed the world's largest websites that didn't properly redirect insecure requests to secure ones. We updated it December before last [https://www.troyhunt.com/still-why-no-https/] and pleasingly, noted that more websites than ever were doing the right thing and for...