[liberationtech] Burn Note

Enrique Piraces piracee at hrw.org
Wed Feb 1 06:51:29 PST 2012


+1, please do.

-----Original Message-----
From: liberationtech-bounces at lists.stanford.edu [mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Jacob Appelbaum
Sent: Wednesday, February 01, 2012 4:11 AM
To: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Burn Note

On 01/31/2012 07:40 PM, Steve Weis wrote:
> I would not use Burn Note.
> 
> I just tried it out and found they are vulnerable to cross-site scripting
> attacks. If you were logged into a Burn Note account, I could hijack it by
> getting you to click one of their links. That would let me see all the
> outstanding notes your account created which haven't been read yet.
> 
> I also found that I was able to post junk data to their application
> endpoints to create broken notes. That means the input is not being
> sanitized, which makes it more likely to be exploitable. This is a common
> cause of vulnerabilities like SQL injection.
> 
> Finally, based on their technical writeup, I don't trust their ability to
> use encryption properly.
> 

Nicely done. If you've already disclosed, please do share the exploits
here after they've patched?

All the best,
Jacob
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu