Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Burn Note

Enrique Piraces piracee at
Wed Feb 1 06:51:29 PST 2012

+1, please do.

-----Original Message-----
From: liberationtech-bounces at [mailto:liberationtech-bounces at] On Behalf Of Jacob Appelbaum
Sent: Wednesday, February 01, 2012 4:11 AM
To: liberationtech at
Subject: Re: [liberationtech] Burn Note

On 01/31/2012 07:40 PM, Steve Weis wrote:
> I would not use Burn Note.
> I just tried it out and found they are vulnerable to cross-site scripting
> attacks. If you were logged into a Burn Note account, I could hijack it by
> getting you to click one of their links. That would let me see all the
> outstanding notes your account created which haven't been read yet.
> I also found that I was able to post junk data to their application
> endpoints to create broken notes. That means the input is not being
> sanitized, which makes it more likely to be exploitable. This is a common
> cause of vulnerabilities like SQL injection.
> Finally, based on their technical writeup, I don't trust their ability to
> use encryption properly.

Nicely done. If you've already disclosed, please do share the exploits
here after they've patched?

All the best,
liberationtech mailing list
liberationtech at

Should you need to change your subscription options, please go to:

If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in monthly reminders.

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on!/Liberationtech

More information about the liberationtech mailing list