On the XARA vulnerability on MacOS X and iOS

Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news item itself did not explain the nature of the attack well enough, I went on to read the full paper: Xing, Bai, Li, Wang, Chen, Liao: “Unauthorized Cross-App Resource Access on MAC OS X and iOS” […]

New vulnerability on OpenSSL found

A new bug in OpenSSL was found by Masashi Kikuchi of Lepidum. It affects all versions of OpenSSL earlier than 1.0.1. For details, please refer to: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html and http://www.openssl.org/news/secadv_20140605.txt

Analyzing Yahoo! Voices Password Leakage

Lots of articles appeared on the Yahoo! Voices password leakage on the 11th. Many people seem to be assuming that Yahoo!'s passwords have been leaked, but to me it seems a little different. According to the press articles[1], it seems the passwords have been extracted from a service called Yahoo! Voices using SQL UNION injection. The […]

Comments on Wang-Chen-Wang paper on OpenID Implementation Vulnerability

In the paper titled “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services”, Rui Wang, Shuo Chen and XiaoFeng Wang reported a “vulnerability” in some OpenID 2.0 implementations. The vulnerabilities they listed can probably be named “OpenID Signature Check Failure” and “OpenID Data Type Confusion”. […]