Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Burn Note

Enrique Piraces piracee at hrw.org
Wed Feb 1 14:56:39 PST 2012


Great. Was anyone pointed them to Crypto.is? It seem that the Code Audit Feed could be of use to them (assuming they are willing to open their code)
________________________________
From: Steve Weis [steveweis at gmail.com]
Sent: Wednesday, February 01, 2012 5:41 PM
To: Enrique Piraces
Cc: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Burn Note

I reported it to the site owner and received an acknowledgement. He did not say when it would be fixed. The vulnerability I found is not particularly interesting and is often used as an example in tutorials.

If you're interested in learning more about the class of attacks, OWASP is a good resource:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Google also has a nice code lab with a sample app that you can try to attack:
http://google-gruyere.appspot.com/

On Wed, Feb 1, 2012 at 6:51 AM, Enrique Piraces <piracee at hrw.org<mailto:piracee at hrw.org>> wrote:
+1, please do.

On 01/31/2012 07:40 PM, Steve Weis wrote:
> I would not use Burn Note.
>
> I just tried it out and found they are vulnerable to cross-site scripting
> attacks. If you were logged into a Burn Note account, I could hijack it by
> getting you to click one of their links. That would let me see all the
> outstanding notes your account created which haven't been read yet.
>
> I also found that I was able to post junk data to their application
> endpoints to create broken notes. That means the input is not being
> sanitized, which makes it more likely to be exploitable. This is a common
> cause of vulnerabilities like SQL injection.
>
> Finally, based on their technical writeup, I don't trust their ability to
> use encryption properly.
>

Nicely done. If you've already disclosed, please do share the exploits
here after they've patched?




More information about the liberationtech mailing list