Search Mailing List Archives
[liberationtech] Burn Note
piracee at hrw.org
Wed Feb 1 06:51:29 PST 2012
+1, please do.
From: liberationtech-bounces at lists.stanford.edu [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Jacob Appelbaum
Sent: Wednesday, February 01, 2012 4:11 AM
To: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Burn Note
On 01/31/2012 07:40 PM, Steve Weis wrote:
> I would not use Burn Note.
> I just tried it out and found they are vulnerable to cross-site scripting
> attacks. If you were logged into a Burn Note account, I could hijack it by
> getting you to click one of their links. That would let me see all the
> outstanding notes your account created which haven't been read yet.
> I also found that I was able to post junk data to their application
> endpoints to create broken notes. That means the input is not being
> sanitized, which makes it more likely to be exploitable. This is a common
> cause of vulnerabilities like SQL injection.
> Finally, based on their technical writeup, I don't trust their ability to
> use encryption properly.
Nicely done. If you've already disclosed, please do share the exploits
here after they've patched?
All the best,
liberationtech mailing list
liberationtech at lists.stanford.edu
Should you need to change your subscription options, please go to:
If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
You will need the user name and password you receive from the list moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
More information about the liberationtech