[liberationtech] Burn Note
Steve Weis
steveweis at gmail.com
Tue Jan 31 19:40:41 PST 2012
I would not use Burn Note.
I just tried it out and found they are vulnerable to cross-site scripting
attacks. If you were logged into a Burn Note account, I could hijack it by
getting you to click one of their links. That would let me see all the
outstanding notes your account created which haven't been read yet.
I also found that I was able to post junk data to their application
endpoints to create broken notes. That means the input is not being
sanitized, which makes it more likely to be exploitable. This is a common
cause of vulnerabilities like SQL injection.
Finally, based on their technical writeup, I don't trust their ability to
use encryption properly.
On Tue, Jan 31, 2012 at 1:00 PM, Marnie Froberg <nellalouise at gmail.com> wrote:
> Noticed a new website called Burn Note, which allows encrypted messages to
> be sent and read one time before they are allegedly destroyed. Upon reading
> the terms of service there seem to be quite a few clauses related to a
> willingness to hand over user data to third parties, not limited to law
> enforcement.
>
> Here is the technical information that they are willing to disclose.
>
> https://burnnote.com/technical
>
> My concern about this sort of site is that it may lull users into a false
> sense of security. Doesn't appear to be open source (like crypto.cat for
> example) so it's a little difficult to really know what's going on there.
>
> Do others have a take on this particular site?
>
>
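The two problems Steve describes, unsanitized input reaching the application's endpoints and note content that can be turned into script in another user's browser, are both addressed by validating on the way in and escaping on the way out. The following is an added illustration written for this thread, not Burn Note's code (their implementation is closed source, as Marnie notes); it assumes a hypothetical note service with a create endpoint and a read-once endpoint, uses an in-memory SQLite table as a stand-in for the real store, and uses parameterized queries so that the stored body can never alter the SQL.

```python
import html
import re
import sqlite3

# Hypothetical limits for the example service (constructed, not Burn Note's).
MAX_NOTE_CHARS = 4096
NOTE_ID_RE = re.compile(r"^[A-Za-z0-9]{8,32}$")


class InvalidInput(ValueError):
    """Raised when a request does not match the expected shape."""


def validate_note_body(body):
    """Reject junk before it is stored: must be a bounded, printable string."""
    if not isinstance(body, str):
        raise InvalidInput("note body must be a string")
    if not body.strip():
        raise InvalidInput("note body is empty")
    if len(body) > MAX_NOTE_CHARS:
        raise InvalidInput("note body too long")
    if any(ord(c) < 32 and c not in "\n\r\t" for c in body):
        raise InvalidInput("control characters not allowed")
    return body


def validate_note_id(note_id):
    """Note ids are opaque tokens; anything else is rejected outright."""
    if not isinstance(note_id, str) or not NOTE_ID_RE.match(note_id):
        raise InvalidInput("malformed note id")
    return note_id


def render_note_html(body):
    """Escape on output so a stored note cannot inject markup into the reader's page."""
    return '<pre class="note">' + html.escape(body, quote=True) + "</pre>"


def open_store():
    """In-memory stand-in for the real note database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id TEXT PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_note(conn, note_id, body):
    """Insert with bound parameters; the body is data, never part of the SQL text."""
    conn.execute(
        "INSERT INTO notes (id, body) VALUES (?, ?)",
        (validate_note_id(note_id), validate_note_body(body)),
    )
    conn.commit()


def read_and_burn(conn, note_id):
    """Return the body once and delete it; None if no such note exists."""
    note_id = validate_note_id(note_id)
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    if row is None:
        return None
    conn.execute("DELETE FROM notes WHERE id = ?", (note_id,))
    conn.commit()
    return row[0]


def handle_create(conn, form):
    """Simulated create endpoint: returns (http_status, message) instead of a half-written note."""
    try:
        store_note(conn, form.get("id"), form.get("body"))
    except InvalidInput as exc:
        return 400, str(exc)
    return 201, "created"


if __name__ == "__main__":
    db = open_store()
    print(handle_create(db, {"id": "abcd1234", "body": "hello <b>world</b>"}))
    print(handle_create(db, {"id": "abcd1234", "body": 12345}))  # rejected, not stored broken
    print(render_note_html(read_and_burn(db, "abcd1234")))
    print(read_and_burn(db, "abcd1234"))  # None: the note is gone after one read
```

The point of `handle_create` returning a 400 is that malformed requests never produce a "broken note" in storage, which is the symptom Steve observed; `render_note_html` shows where the XSS defence belongs, at the moment the note is turned into HTML, independent of whatever validation happened on input.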
More information about the liberationtech mailing list