Google :google: tests new Content Security Policy value "trusted-types" to fight DOM-based XSS:

– web servers must define Trusted Types in their CSP, and register their website
– beginning with Chrome/Chromium 73, Google will conduct client-side testing
– XSS is one of the most prevalent vulnerability in websites for years


There are many more recommendations, however, a limitation of 500 characters doesn't allow us to publish all of them in a single toot here. 😉

We continuously extend/update our Web server security series (

Data leaks–guy, who recently published 620 million data records, publishes second data set, containing another 127 million records:

– affected this time: Ixigo, YouNow, Houzz,, Coinmama, Roll20, Stronghold Kingdoms, PetFlow
– data sets are also "fresh" (2018)
– it looks like this guy exploited a zero-day vulnerability in PostgreSQL

Server hardening–some people install arbitrary security software to "harden" their server.

Hardening is about removing/disabling functions, accounts, services etc., not about installing random packages.

Basic hardening tips:
– install a minimal operating system + firewall
– regularly update your OS
– remove/disable unused packages, interfaces, services
– secure and monitor your log files
– backups!

Tools like Lynis suggest more tips that need careful consideration.

@cdc @exodus

Yes, you're absolutely right. However, not everybody understands/reads this. So, it's important to point this out.

Do you know the Dat protocol?

It is an open, decentralized, and secure protocol to share content.

InfoSec Handbook supports it since last November:


You need a web browser that supports Dat like Beaker Browser.

You can download a full copy of our content, and share/read it even if our blog is offline.

Coming this weekend on

– GDPR-friendly logging and monitoring (part 6 of our Web server security series)

Weiter JavaScript auf dem Kuketz-Blog.

Wir hatten gefragt, warum er seinen Lesern „Vollständiger Verzicht auf JavaScript” verspricht, wenn das faktisch nicht stimmt:

„Antworten“-Buttons in Kommentarbereichen binden „return addComment.moveForm“-JavaScript ein und unter gibt es ein riesiges MailPoet-JS (derzeit:

Kuketz beschwert sich oft über falsche Datenschutzerklärungen … bei ihm gibt es auch eine. 🤷‍♂️

Limits of Exodus privacy scanner:

Some people use online tools to scan things like websites or apps. We already wrote about limits of such tools in

Exodus provides static analysis of Android apps. It can't detect disabled trackers (like in Signal, Riot, or Orfox), and it can't detect custom or less-known trackers. Furthermore, it can't evaluate dynamic execution or data transfer.

Results provided by such tools must be always verified by humans.


Yes, Conversations and Riot deactivated it too.

However, static analysis tools like exodus aren't able to detect it, and some people use exodus without verifying the results.

Signal Messenger–Firebase Analytics inside?

Signal had to switch from GCM to FCM, as mentioned in this issue:

It was implemented 20 days ago:

However, the AndroidManifest.xml clearly shows that Firebase Analytics is turned off.

This also affects other messengers like Conversations (XMPP), or Riot (Matrix).

Search for "firebase_analytics_collection_deactivated" == "true".

500px confirms data breach recently disclosed:

"an unauthorized party gained access to our systems and acquired partial user data on approximately July 5, 2018"

– affects first and last name, username, e-mail address, hashed password, DOB, city, gender

Tor Browser :tor: 8.0.6 released, fixes several security vulnerabilities:

– based on FF 60.5.1esr
– updates for Tor, Torbutton, and HTTPS Everywhere

Privilege Escalation in Ubuntu (CVE-2019-7304):

– there are multiple methods to obtain root
– affects Ubuntu 18.10, 18.04 LTS, 16.04 LTS, 14.04 LTS
– update snapd according to

Dunkin' Donuts 🍩 accounts hacked twice by using already leaked credentials:

– attackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts
– DD Perks accounts contain names, e-mail addresses, DD Perks account number and QR code
– that's why you use unique, strong passwords and 2FA, if possible

Wordpress plugins–critical security vulnerability in "Simple Social Buttons" affects 40,000+ active installations:

– an attacker who can register new accounts on a site can exploit this vulnerability to make modifications to a WordPress site's main settings
– update to version 2.0.22

InfoSec Handbook–update of our privacy policy:

– we added information about error logging, and the dat version of our blog
– there is a short version, and a clear scope now
– we updated the location of the data controller in terms of the GDPR
– by default, we still do not log any personal data (including IP addresses, user agents)

In case of any questions, feel free to contact us:

Zombie POODLE, and GOLDENPOODLE–two vulnerabilities in TLS 1.2, related to a major design flaw in SSL 3.0:

– the issue is cipher block-chaining (CBC) mode for block ciphers
– allows man-in-the-middle (MitM) attacks
– more details will be published at Black Hat Asia in March
– disable CBC-based ciphers (there is also the Lucky13 attack), or switch to TLS 1.3

Downgrade attack on TLS 1.3 and vulnerabilities in major TLS libraries:

– the attack leverages a side-channel leak via cache access timings (in OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS)
– it affects all TLS versions, including TLS 1.3
– one requirement for the attack are RSA key exchanges

Show more
Mastodon is a microblogging site that federates with most instances on the Fediverse.