Multiple Vulnerabilities in Disqus WordPress Plugin

Vendor: Disqus for WordPress
Affected versions: up to v2.7.5
Patched: v2.7.6 release
Exploit: Manage.php CSRF+XSS admin exploit

Disqus is an extremely popular third-party commenting system used on blogs and media sites. The Disqus plugin for WordPress has been installed over a million times and is the 15th most popular WordPress plugin overall. I recently performed […]

CS-Cart v4.2.0 Session Hijacking and Other Vulnerabilities

Vendor: CS-Cart
Affected versions: up to v4.2.0
Patched: v4.2.1 released

CS-Cart is a semi-popular open source e-commerce shopping cart application. It contains a homebrew session management system that uses an insecure source of randomness to generate session tokens. The poor source of randomness, combined with other bugs, makes it possible to hijack an administrator's session […]

Multiple Vulnerabilities in myGov, the Australian Government Single-sign-on Solution for Citizen Services.

Update: This story has been published by Fairfax on the Sydney Morning Herald website. The previous Australian government introduced a policy called Digital First, which is a mission to make the majority of Australian government services available online by 2017. The new government elected in 2013 adapted this policy and extended it further, requiring that […]

Two Google Chrome Privacy Issues

I have recently discovered two privacy issues with Google Chrome that users should be aware of. They both relate to browsing history data not being deleted despite the user taking action to delete browsing history. A Google Chrome user can delete browser history by going into Preferences -> Show Advanced Settings -> Clear Browsing Data. […]

Yahoo Axis Chrome Extension Leaks Private Certificate File

Preamble: The tl;dr for users is (in my opinion) to not install the Yahoo! Axis extension for Chrome until this issue is clarified. See the update below about disclosing this issue. Yahoo! today announced their new Axis web browser. It is implemented as an extension to Chrome, Firefox and Internet Explorer. I installed the Chrome extension […]

BlockPlus v4 Released: Block Google+ widgets and links from other Google sites

Google recently added a Google+ widget to the search engine homepage. I wrote BlockPlus when Google+ was first released and first integrated into other Google properties. The idea was to remove all the links to Google+ and Google+ widgets from other Google properties so that you aren't distracted by them and so that the page […]

Facebook and many other sites also bypass Internet Explorer privacy controls

There is a post today on a Microsoft MSDN blog about how Google bypasses third-party cookie control in Internet Explorer by setting a false P3P header. The post author is Dean Hachamovitch, who is the VP for IE, and follows up from a big story last week about how Google and a number of other […]

Facebook Is Losing E-Commerce

Bloomberg has a report out today about retailers shutting down their online Facebook stores due to lack of interest and activity from users. The headline example is Gamestop – who, despite having some 3.5 million fans on Facebook – recently shut down its Facebook shopfront because it didn't take off with users. From the article: […]

How Megaupload Was Investigated and Indicted

The popular file upload site Megaupload was taken down today as part of a US DOJ investigation into the site for breaches of US copyright law. From reading the indictment and digging around online you can start to reverse-engineer how the investigation was carried out. The evidence in the grand jury indictment is of four […]

The Google Firefox search deal, Chrome and Lady GaGa

In a response to MG Siegler's post about the Google and Firefox deal, Chrome engineer Peter Kasting posted to Google+: People never seem to understand why Google builds Chrome no matter how many times I try to pound it into their heads. It's very simple: the primary goal of Chrome is to make the web […]