Simon Willison’s Weblog

Items tagged security in 2005

Filters: Year: 2005 × security ×


Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS. # 24th December 2005, 5:21 pm

Don’t be eval()

JavaScript is an interpreted language, and like so many of its peers it includes the all powerful eval() function. eval() takes a string and executes it as if it were regular JavaScript code. It’s incredibly powerful and incredibly easy to abuse in ways that make your code slower and harder to maintain. As a general rule, if you’re using eval() there’s probably something wrong with your design.

[... 431 words]

Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead. # 22nd November 2005, 6:24 am

Social engineering and Orange

I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.

[... 311 words]

Understanding the Greasemonkey vulnerability

If you have any version of Greasemonkey installed prior to 0.3.5, which was released a few hours ago, or if you are running any of the 0.4 alphas, you need to go and upgrade right now. All versions of Greasemonkey aside from 0.3.5 contain a nasty security hole, which could enable malicious web sites to read any file from your hard drive without you knowing.

[... 809 words]

Cross-site request forgery (CSRF). Somehow this vulnerability is news to me. # 6th May 2005, 11:07 pm

Fighting RFCs with RFCs

Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.

[... 353 words]

Giving away the index

My final year project is due in two weeks, and I’m going to be running on silent for most of them. I have, however, upgraded to Tiger and playing with Spotlight has given me plenty to think about.

[... 414 words]

Usable Security: Look Beyond the “Fundamental Conflict”. Security and usability are not conflicting goals. # 18th March 2005, 2:27 am

Not linking is not security. Ridiculous: Harvard rejects applicants who “hacked” by guessing a URL. # 8th March 2005, 8:47 pm

Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible. # 19th February 2005, 3:12 pm

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS. # 15th February 2005, 7:04 pm

Secure wireless email on Mac OS X. Doug Bowman’s tutorial on SSH Tunnel Manager and wireless security. # 8th February 2005, 11:20 am