[liberationtech] Burn Note
piracee at hrw.org
Wed Feb 1 14:56:39 PST 2012
Great. Has anyone pointed them to Crypto.is? It seems that the Code Audit Feed could be of use to them (assuming they are willing to open their code).
From: Steve Weis [steveweis at gmail.com]
Sent: Wednesday, February 01, 2012 5:41 PM
To: Enrique Piraces
Cc: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Burn Note
I reported it to the site owner and received an acknowledgement. He did not say when it would be fixed. The vulnerability I found is not particularly interesting and is often used as an example in tutorials.
If you're interested in learning more about the class of attacks, OWASP is a good resource:
Google also has a nice code lab with a sample app that you can try to attack:
On Wed, Feb 1, 2012 at 6:51 AM, Enrique Piraces <piracee at hrw.org> wrote:
+1, please do.
On 01/31/2012 07:40 PM, Steve Weis wrote:
> I would not use Burn Note.
> I just tried it out and found they are vulnerable to cross-site scripting
> attacks. If you were logged into a Burn Note account, I could hijack it by
> getting you to click one of their links. That would let me see all the
> outstanding notes your account created which haven't been read yet.
> I also found that I was able to post junk data to their application
> endpoints to create broken notes. That means the input is not being
> sanitized, which makes it more likely to be exploitable. This is a common
> cause of vulnerabilities like SQL injection.
> Finally, based on their technical writeup, I don't trust their ability to
> use encryption properly.
Nicely done. If you've already disclosed, please do share the exploits
here after they've patched?
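The two findings in the thread (reflected cross-site scripting and unsanitized input reaching application endpoints, which the thread links to SQL injection) are the standard targets of a code audit. The snippet below is an added illustration and is not Burn Note's code or anything from the list: it uses a hypothetical in-memory notes table with constructed rows, and shows the string-splicing anti-pattern next to the hardened form for both the SQL lookup and the HTML rendering, plus a small audit check an auditor could run to confirm that caller-supplied markup does not survive into the page.

```python
import html
import sqlite3

# Constructed sample rows for the demo; hypothetical schema, not Burn Note's.
SAMPLE_NOTES = [
    ("alice", "meet at 5"),
    ("alice", "second note"),
    ("bob", "hello"),
]


def make_db():
    """In-memory table standing in for an unread-notes store (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def unread_notes_unsafe(conn, owner):
    """Anti-pattern: the caller-supplied value is spliced into the SQL text,
    so the value can change the statement's structure."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def unread_notes_safe(conn, owner):
    """Hardened form: the value is bound as a parameter and is only ever data."""
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def render_unsafe(display_name):
    """Anti-pattern: untrusted text is concatenated straight into HTML."""
    return "<p>Notes for " + display_name + "</p>"


def render_safe(display_name):
    """Hardened form: escape &, <, >, quotes so the text is shown, not parsed."""
    return "<p>Notes for " + html.escape(display_name, quote=True) + "</p>"


def contains_markup(rendered):
    """Audit check: does an input-supplied tag survive into the rendered page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: an ordinary owner name and a malformed one.
    print(unread_notes_safe(conn, "alice"))
    print(unread_notes_safe(conn, "' OR '1'='1"))    # bound as data: no rows
    print(render_safe("<script>x</script>"))          # escaped, shown as text
    print(contains_markup(render_safe("<script>x</script>")))
```

The audit value is in the contrast: feed the same malformed input to both variants and confirm the hardened one returns nothing and renders inert text. Parameter binding and context-aware output escaping are the same two controls the OWASP material referenced in the thread recommends.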