If you read a few of my other blog posts like Naomi85 – password generator, it might surprise you to know that I don’t like passwords, and that I find passwords to be horrible from both a usability and a security point of view.
Managing passwords is hard. If you try to do it right, you must keep unique and complex passwords for each service you use. More than once, I forgot a decryption password and spent hours, even days, trying to recall it. Password managers will help, but using them securely is not that simple.
In the previous post we saw a few security issues in the way AccessURL generates the passphrase and the id for the share URL. In this post we’ll see a way to get more security by using almost the same security concepts AccessURL relies on, applied a bit differently.
Security issues found
After using the AccessURL browser extension I found a few issues which allowed me to get almost any credentials. To better understand the issues, let’s look at a sample URL you get from the extension –
This URL has two parts: “GMRT” is the identifier sent to the AccessURL server, which retrieves the encrypted data; the part after the hash, “yzdne1”, is never sent to the server and is used as the key to decrypt the encrypted data and recover the cleartext cookie.
Unfortunately, both of these values are too short to be secure and safe from a brute-force attack (an attack where you go through every possible value until you get a valid result).
I recently came across AccessURL. AccessURL is an online service which offers an easy way to allow access to online accounts without sharing the account password.
Unfortunately, their initial implementation had some security issues. In this post, I will describe these issues and suggest how to fix them. It is important to say that AccessURL has since fixed these issues.
These kinds of mistakes are very easy to make and they are relevant to almost any online service. My aim is to provide information that will be useful for both web users and professional web developers. Feel free to skip parts you’re already familiar with.
TL;DR: if you just want to see the code and simple install instructions, see the GitHub repo.
Update – The original code had a major rewrite so it can be used as a plugin that does not require any special NGINX/Apache features. Yet it can still use advanced features like X-Accel-Redirect/X-Sendfile if they are available.
Though the ideas and methods described in this article should still work and are still useful for understanding the concept, a newer and better implementation is available. Information about the new implementation is available in the GitHub repo.
Like many other people, I was looking for a solution to control and share my private photos with family and friends. Google, Facebook and other 3rd parties will let you share your content easily with your friends. But do you really know who has access to your private data? Who controls it? And who owns it?
I’m going to be very blunt and might make some people angry. For what it’s worth, I’m only writing it in the hope that it will get enough attention in the Ember community and that these issues will be addressed properly.
An article written by me has been published in Digital Whisper, the Israeli hacking and information security magazine.
If you can read Hebrew you might find it interesting –
Digital Whisper – issue 48
In this post I’m going to explain how to debug Gaia for Firefox OS.
I will explain how to run the Gaia emulator inside the Firefox browser and also how to do remote debugging on an actual device (the ZTE Open, to be specific, but it should be the same on every device).
Update: I’ve realized that I actually compiled and installed Firefox OS v1.3 instead of 1.1, so these instructions will actually cause you to install v1.3.
For me v1.3 is working fine, but if you need to install v1.1 just be sure to configure the right branch.
If you read my previous post about the ZTE Overview, you know I was planning to upgrade my phone to version 1.1. After finding instructions on MDN I thought it was going to be easy, but apparently it’s not as straightforward as one might think.
This guide is basically going to organize the information from the mozilla.dev group thread – Updating ZTE Open to 1.1 – and the MDN ZTE Open page.