LastPass bug leaks credentials from previous site

Attackers could lure users on malicious pages and exploit the vulnerability to extract the credentials users had entered on previously-visited sites. According to Ormandy, this isn’t as hard as it sounds, as an attacker could easily disguise a malicious link behind a Google Translate URL, trick users into visiting the link, and then extract credentials from a previously visited site.

Source: LastPass bug leaks credentials from previous site | ZDNet

Edge Security Flaw Allows Theft of Facebook and Twitter Credentials

To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.

In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.
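The attack above ends with a password form on a foreign document being filled because Edge's same-origin filter was confused by server redirects and data: URIs. As an added example (not code from Caballero's write-up or from Microsoft), here is the origin gate a built-in password manager should apply before autofilling: the credential's stored origin, the top-level document's origin and the origin of the frame that actually contains the form must all agree, and opaque origins (data:, about:, javascript:) never match anything. The scenario URLs are constructed for illustration.

```javascript
// Added example: an autofill gate modelled on the checks the Edge bug bypassed.
// Not the browser's real code; the scenario URLs below are constructed.

// Origin of a URL as scheme://host[:port], or null when the origin is opaque
// (data:, about:, javascript:, blob:) or not a web origin at all.
function originOf(href) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return null; // unparsable
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.origin; // default ports are dropped, so https://a.example:443 === https://a.example
}

// Decide whether a credential saved for credentialOrigin may be filled into a
// form living in the frame at frameUrl, inside the top-level page at topUrl.
// Both URLs must be the documents' final URLs after any server redirects, not
// the URLs originally requested: a 302 from victim.example to attacker.example
// must be judged by where the response actually landed.
function shouldAutofill(credentialOrigin, topUrl, frameUrl) {
  const stored = originOf(credentialOrigin);
  const top = originOf(topUrl);
  const frame = originOf(frameUrl);
  if (stored === null || top === null || frame === null) return false;
  return stored === top && stored === frame;
}

// Constructed scenarios: [credential origin, top-level document, frame holding the form].
const scenarios = [
  // genuine login page: fill
  ["https://www.facebook.com", "https://www.facebook.com/login", "https://www.facebook.com/login"],
  // attacker page embedding a data: frame that carries a copied Facebook form: refuse
  ["https://www.facebook.com", "https://attacker.example/", "data:text/html,<form>...</form>"],
  // even a data: frame inside the real site is opaque: refuse
  ["https://www.facebook.com", "https://www.facebook.com/", "data:text/html,<form>...</form>"],
  // scheme downgrade to http is a different origin: refuse
  ["https://www.facebook.com", "http://www.facebook.com/", "http://www.facebook.com/"],
];

function runScenarios() {
  return scenarios.map(([cred, top, frame]) => shouldAutofill(cred, top, frame));
}

console.log(runScenarios());
```

Comparing on `URL.origin` rather than on the hostname alone is the point: scheme and port are part of the origin, and a redirect chain or a data: frame must be evaluated by the document that finally hosts the form, not by the URL the user clicked.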

Source: Edge Security Flaw Allows Theft of Facebook and Twitter Credentials

Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

You can read the paper here.

This paper is the last artifact of my work at Mozilla, since I left employment there at the beginning of April. I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable “free” content are in direct conflict with security, privacy, stability, and performance concerns — and that Firefox is first and foremost a user-agent, not an industry-agent.

Source: Monica at Mozilla: Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

Chrome passes 25% market share, IE and Firefox slip

Between March and April, here is how the browser market changed, according to the latest figures from Net Applications:

  • Internet Explorer: down 0.71 points to 55.83 percent
  • Chrome: up 0.69 points to 25.68 percent
  • Firefox: down 0.19 points to 11.70 percent
  • Safari: up 0.12 points to 5.12 percent
  • Opera: up 0.05 points to 0.48 percent

Source: Chrome passes 25% market share, IE and Firefox slip | VentureBeat | Dev | by Emil Protalinski

How a new HTML element will make the Web faster

When the browser encounters a Picture element, it first evaluates any rules that the Web developer might specify. (Opera’s developer site has a good article on all the possibilities Picture offers.) Then, after evaluating the various rules, the browser picks the best image based on its own criteria.
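As an added example (not code from the Ars Technica article or from any browser), here is a simplified model of the two-step process described above: walk the `<source>` elements in order, take the first whose media query matches the viewport, then let the browser choose among that source's srcset candidates by device pixel ratio, falling back to the inner `<img>`. Only `(min-width: Npx)` / `(max-width: Npx)` media queries and `Nx` descriptors are modelled; real browsers also handle `w` descriptors, `sizes` and `type`. The sample picture is constructed.

```javascript
// Added example: a toy <picture> resolver, not a browser's real algorithm.

function mediaMatches(media, viewportWidth) {
  if (!media) return true; // no media attribute: always a candidate
  const m = media.match(/^\((min|max)-width:\s*(\d+)px\)$/);
  if (!m) throw new Error("unsupported media query in this model: " + media);
  const limit = Number(m[2]);
  return m[1] === "min" ? viewportWidth >= limit : viewportWidth <= limit;
}

// Parse "a.jpg 1x, a@2x.jpg 2x" into [{url, density}]; a missing descriptor means 1x.
function parseSrcset(srcset) {
  return srcset.split(",").map((part) => {
    const [url, desc] = part.trim().split(/\s+/);
    const density = desc ? Number(desc.replace(/x$/, "")) : 1;
    return { url, density };
  });
}

// "Best image based on its own criteria": here, the smallest candidate whose
// density is at least the device pixel ratio, or the densest one if none is.
function pickByDensity(candidates, dpr) {
  const sorted = [...candidates].sort((a, b) => a.density - b.density);
  return sorted.find((c) => c.density >= dpr) || sorted[sorted.length - 1];
}

// picture = { sources: [{ media, srcset }], fallback: "img.jpg" }
function resolvePicture(picture, viewportWidth, dpr) {
  for (const source of picture.sources) {
    if (mediaMatches(source.media, viewportWidth)) {
      return pickByDensity(parseSrcset(source.srcset), dpr).url;
    }
  }
  return picture.fallback; // the <img> inside <picture>
}

// Constructed markup, expressed as data: two art-directed sources plus a fallback.
const hero = {
  sources: [
    { media: "(min-width: 1000px)", srcset: "hero-wide.jpg 1x, hero-wide@2x.jpg 2x" },
    { media: "(min-width: 600px)", srcset: "hero-mid.jpg 1x, hero-mid@2x.jpg 2x" },
  ],
  fallback: "hero-small.jpg",
};

console.log(resolvePicture(hero, 1200, 1), resolvePicture(hero, 800, 1.5), resolvePicture(hero, 400, 2));
```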

via How a new HTML element will make the Web faster | Ars Technica.

U.S.: Stop using Internet Explorer

The United States Computer Emergency Readiness Team, a part of Homeland Security known as US-CERT, said in an advisory released on Monday morning that the vulnerability in versions 6 to 11 of Internet Explorer could lead to “the complete compromise” of an affected system.

“We are currently unaware of a practical solution to this problem,” Carnegie Mellon’s Software Engineering Institute warned in a separate advisory, that US-CERT linked to in its warning.

via U.S.: Stop using Internet Explorer – chicagotribune.com.

Pwn2Own 2014 Claims IE, Chrome, Safari and More Firefox Zero-Days

In terms of why Firefox was the most exploited browser at the 2014 Pwn2Own event, money likely plays a key role.
“Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers’ decision to wait until now to share their work and help protect Firefox users,” Stamm said. “Mozilla also offers financial rewards in our bug bounty program, and this program’s success has inspired other companies to follow suit.”

via Pwn2Own 2014 Claims IE, Chrome, Safari and More Firefox Zero-Days.

Beware Of HTML5 Development Risks

As a result, developers have to design with the dangers in mind and weigh that against the type and sensitivity of data stored in the client. At the moment, many development shops are not training their staffs to do that, says David Eads, founder of Mobile Strategy Partners, a mobile development firm that specializes in financial and insurance applications. In fact, he recently ran into a bank that used example HTML5 code for training developers that put data in permanent storage on the client system as opposed to temporary storage.

via Beware Of HTML5 Development Risks — Dark Reading.

Stop standardizing HTML

It is well past time, though, for the W3C and the browser vendors to stop talking as if they constrain the markup developers can use and focus instead on the many things they can do to make the browsers supporting that markup processing more capable. HTML’s legacy vocabulary is a great foundation on which developers can build their own toolsets. The Web will benefit, however, from letting developers solve their information problems in their own ways, rather than trying to stuff too many things into a single vocabulary.

via Stop standardizing HTML – Programming.