Gonçalo Valério @dethos@s.ovalerio.net

"How an anti ad-blocker works: Reverse-engineering BlockAdBlock"

https://xy2.dev/article/re-bab/

#adblockers #ads #web

Safari allowed unauthorized
websites to access your camera on iOS and macOS

https://www.ryanpickren.com/webcam-hacking-overview

#security #infosec #safari #apple

"How to SSH Properly"

https://gravitational.com/blog/how-to-ssh-properly/

"Attacking Secondary Contexts in Web Applications" [slides]

https://docs.google.com/presentation/d/1N9Ygrpg0Z-1GFDhLMiG3jJV6B_yGqBk8tuRWO1ZicV8/edit

#security #netsec #infosec #appsec #webdev

"CVE-2020-8816 – Pi-hole Remote Code Execution"

https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/

#security #infosec #netsec

"While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel..."

https://www.bleepingcomputer.com/news/security/unpatched-ios-bug-blocks-vpns-from-encrypting-all-traffic/

#security #infosec #ios

"What You Should Know About Online Tools During the COVID-19 Crisis"

https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis

#security #infosec #privacy

"CVE-2020-10558 | Tesla Model 3 Vulnerability – Disable Autopilot Notifications, Speedometer, Web Browser, Climate Controls, Turn Signals, Nav, etc."

https://safekeepsecurity.com/about/cve-2020-10558/

#security #infosec #tesla #cars

"...code execution vulnerability in the Visual Studio Code Python extension..."

https://blog.doyensec.com/2020/03/16/vscode_codeexec.html

#security #infosec #python #vscode

> Unless customized, Jinja2 is configured by Flask as follows: autoescaping is enabled for all templates ending in .html, .htm, .xml as well as .xhtml when using render_template().

https://bento.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/

If using flask pay special attention to this configuration.
In Django as far as I'm aware (after testing a bit), render/render_to_string always escapes the content.

#python #flask #security

Using Content-Security-Policy with multiple policies

https://csper.io/blog/multiple-policies

#security #web

"Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies"

https://hackerone.com/reports/737140

Very interesting bug report.

#security #netsec #infosec

"Container Security – Nobody Knows What It Means But It’s Provocative"

https://capsule8.com/blog/container-security-nobody-knows-what-it-means-but-its-provocative/

#containers #docker #security

[The linked article is in Portuguese]

"Dinheiro público, código aberto"

https://pgte.me/dinheiro-publico-codigo-aberto/

#publicmoneypubliccode #pmpc #portugal #freesoftware

"AvastSvc.exe contains a full, unsandboxed JavaScript/DOM implementation"

Why?

https://news.ycombinator.com/item?id=22544554

#security #infosec

Some tips to increase your digital security and privacy:

https://github.com/Lissy93/personal-security-checklist

#security #infosec

"A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME)."

"affects the Intel CSME boot ROM on all Intel chipsets and SoCs available today other than Ice Point (Generation 10). The vulnerability allows extracting the Chipset Key and manipulating part of the hardware key and the process of its generation"

https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html

#security #intel #infosec